Hi srmudiganti, try to see if this helps:
https://groups.google.com/a/apereo.org/d/msg/cas-user/2kby6bDGnoQ/J-AmktLCFgAJ

regards
Michele

On Thursday, January 31, 2019 at 4:28:25 PM UTC+1, srmudigan wrote:
>
> Hi Michele,
>
> Thanks for your reply. I tried to authenticate CAS without client app and I
> see it generated the jwt. I used the URL
> https://localhost:8443/cas/login?service=https://www.example.org to
> authenticate against cas. It generated the JWT ticket in the URL:
> https://www.example.org/?ticket=eyJhbGciOiJIUzUxMiJ9.…%3D.34JcJbiCipnTWNdKufWFeF1VwY77eYAPyqDh06MmqkQiOXYkzY9Iauo9BAy-aa2clwZLZYeSI2fMZgDjjm-_wA
>
> How do I turn off client app? As I understand from your reply that
> "validate the jwt as it was ST", it seems like it's happening same for me.
> Can you please let me know how did you solve the issue? When we use jwt,
> what's the correct way to use jwt? I am using the service name in
> service registry for which the jwt is getting generated, then jwt is
> getting passed to the application URL in service registry with
> redirect=true and ticket=generate-jwt but again it's getting validated
> against cas and it's throwing service ticket does not exist. So my question
> is where should we validate JWT? On CAS server or client? But it seems
> the validation is automatically happening on cas server. Once jwt is
> generated, why keep on getting ticket does not exist.
>
> Thanks in advance.
>
> Regards,
> srmudiganti
>
> On Thursday, January 31, 2019 at 2:59:28 AM UTC-5, Michele Melluso wrote:
>>
>> Hi,
>>
>> that happened to me while I was attempting by mistake to validate the Jwt
>> as if it was a ST.
>> Actually Jwt is not intended to be validated against CAS, because its
>> authenticity is granted by its signature
>> (https://apereo.github.io/cas/6.0.x/installation/Configure-ServiceTicket-JWT.html).
>>
>> Could you try to authenticate over cas with your client app turned off
>> and see if the Jwt is returned?
>>
>> cheers
>> Michele
>>
>>
>> On Wednesday, January 30, 2019 at 8:50:11 PM UTC+1, srmudigan wrote:
>>>
>>> Hi,
>>>
>>> I am using CAS overlay 5.2.x and I am trying to use JWT token for single
>>> sign on. I configured the cas.properties with signing key and encryption
>>> key. Also add the service json with keys. I see that JWT is getting
>>> generated but seems like the validation is failing. I am new to the CAS, so
>>> can anybody please let me know how do we validate the JWT on CAS server. I
>>> see the following audit trail:
>>>
>>> WHO: audit:unknown
>>> WHAT: [event=success,timestamp=Wed Jan 30 13:25:36 EST 2019,source=RankedAuthenticationProviderWebflowEventResolver]
>>> ACTION: AUTHENTICATION_EVENT_TRIGGERED
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:25:36 EST 2019
>>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>>
>>> WHO: testuser
>>> WHAT: Supplied credentials: [testuser]
>>> ACTION: AUTHENTICATION_SUCCESS
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:27:03 EST 2019
>>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>>
>>> WHO: testuser
>>> WHAT: TGT-1-*********************************************************o9ZO9-5-lg-hostname
>>> ACTION: TICKET_GRANTING_TICKET_DESTROYED
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:27:04 EST 2019
>>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>>
>>> WHO: testuser
>>> WHAT: TGT-1-*********************************************************9AvnnUJ-eU-hostname
>>> ACTION: TICKET_GRANTING_TICKET_CREATED
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:27:04 EST 2019
>>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>>
>>> WHO: testuser
>>> WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname for http://localhost:8080/appname
>>> ACTION: SERVICE_TICKET_CREATED
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:27:04 EST 2019
>>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>>
>>> WHO: testuser
>>> WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname
>>> ACTION: SERVICE_TICKET_VALIDATED
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:27:05 EST 2019
>>> CLIENT IP ADDRESS: 127.0.0.1
>>> SERVER IP ADDRESS: 127.0.0.1
>>>
>>> Then I see this failed message (service ticket doesn't exist):
>>>
>>> 2019-01-30 13:27:05,396 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Attempting to decode service ticket [eyJhbGciOiJIUzUxMiJ9.….d2h6CYWdYbDUvEdjnDpYpNKB7QIgfHU_ztYOeBN0dOp-H_p_Nwgnw1_kBoqXQytuPae4eyNeH05RiwUyQbOh-g] to verify authenticity>
>>> 2019-01-30 13:27:05,396 WARN [org.apereo.cas.DefaultCentralAuthenticationService] - <Service ticket [eyJhbGciOiJIUzUxMiJ9.….d2h6CYWdYbDUvEdjnDpYpNKB7QIgfHU_ztYOeBN0dOp-H_p_Nwgnw1_kBoqXQytuPae4eyNeH05RiwUyQbOh-g] does not exist.>
>>>
>>> WHO: audit:unknown
>>> WHAT: eyJhbGciOiJIUzUxMiJ9.….d2h6CYWdYbDUvEdjnDpYpNKB7QIgfHU_ztYOeBN0dOp-H_p_Nwgnw1_kBoqXQytuPae4eyNeH05RiwUyQbOh-g
>>> ACTION: SERVICE_TICKET_VALIDATE_FAILED
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:27:05 EST 2019
>>> CLIENT IP ADDRESS: 127.0.0.1
>>> SERVER IP ADDRESS: 127.0.0.1
>>>
>>> I felt like CAS server is trying to validate the generated JWT but it's not
>>> able to find it.
>>>
>>
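
Added example, not part of the thread and not CAS code: the point made above, that a JWT ticket is authenticated by its signature rather than by a validation call back to CAS, shown as a local check in the client application for the HS512 header (`eyJhbGciOiJIUzUxMiJ9`) seen in the logged ticket. Assumptions: the function names are hypothetical, the raw signing-key bytes are already available to the application, and a payload that CAS has also encrypted is returned undecrypted.

```python
import base64
import hashlib
import hmac
import json


class InvalidTicket(Exception):
    """Raised when a JWT service ticket fails local verification."""


def b64url_decode(segment: str) -> bytes:
    # Compact JWS segments usually drop base64 padding; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs512(payload: bytes, key: bytes) -> str:
    """Build a compact HS512 JWS; used here only to construct sample input."""
    header = b64url_encode(json.dumps({"alg": "HS512"}, separators=(",", ":")).encode())
    signing_input = f"{header}.{b64url_encode(payload)}"
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_jwt_ticket(ticket: str, key: bytes) -> bytes:
    """Verify the HS512 signature locally and return the raw payload bytes."""
    parts = ticket.split(".")
    if len(parts) != 3:  # e.g. an opaque "ST-1-..." ticket is not a JWT
        raise InvalidTicket("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = b64url_decode(payload_b64)
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise InvalidTicket("malformed segment") from exc
    # Pin the algorithm: the token must not be allowed to choose "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        raise InvalidTicket("unexpected alg")
    # Assumption: `key` is the same secret the server signs with, as raw bytes.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidTicket("signature mismatch")
    return payload
```

Only after this check passes should the application decrypt the payload, if it is encrypted, and read its claims.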
