In the just-released 2.2.0-GA version of the cas-client-autoconfig-support library, 
there is a new configuration option to turn off ticket validation 
interaction by the Java CAS client (useful for this exact use case of JWTs 
as tickets). It looks like this: cas.skipTicketValidation=true

Once that's set, after the authentication transaction, client apps will receive 
JWTs in the 'ticket' request parameter (if the CAS server is set up to do that, 
of course) and the CAS client will not attempt to validate it. Then you could 
do whatever you please with it.

Best,
D.

On Wednesday, 6 February 2019 10:38:18 UTC-5, srmudigan wrote:
>
> Hi Michele,
>
> Yes, you are right, CAS is not internally validating the JWT. The CAS 
> client in my case is a Spring Boot based web app which is 
> using cas-client-autoconfig-support with the @EnableCasClient annotation. I 
> am using the validation-type: CAS3 in the client. And when I authenticate 
> against the CAS server, CAS is generating the JWT but the client is trying 
> to validate the JWT like an ST by sending it back to CAS. It looks like the 
> client is using Cas20ServiceTicketValidator to validate the JWT ticket, 
> which I think it should not. What changes did you make in the client to not send 
> it back to CAS for validating?
>
> Thanks,
> srmudiganti 
>
> On Wednesday, February 6, 2019 at 3:50:04 AM UTC-5, Michele Melluso wrote:
>>
>> Hi,
>>
>> CAS is not supposed at all to internally validate the JWT, since it 
>> should be generated by CAS only after the ST is internally validated (as 
>> it's shown in the documentation flow diagram).
>>
>> When it happened to me, it was because I was using a CAS client which was 
>> applying the CAS protocol, providing the ticket argument back to the 
>> validation endpoint of CAS.
>> Could you check that you are not using any CAS client and provide your 
>> app code that you are using to validate the JWT?
>>
>> regards
>> Michele
>>
>> On Monday, February 4, 2019 at 7:24:23 PM UTC+1, srmudigan wrote:
>>>
>>> Hi Michele,
>>>
>>> I have gone through the link. But before I implement reading the token 
>>> on the client side, I need to disable the validation happening on the CAS side. 
>>> Could you help me disable the validation that's happening on CAS, as 
>>> it's doing JWT validation like an ST ticket? It looks like after the JWT is 
>>> generated, it's getting validated on CAS. The generated URL has 
>>> redirected=true&ticket=JWT-ticket. Maybe that's causing the automatic 
>>> validation? It looks like the JWT ticket is not even reaching the client. So 
>>> can you please suggest how to stop the validation?
>>>
>>> Thank you for your help.
>>>
>>> Regards,
>>> srmudiganti
>>>
>>>
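
With cas.skipTicketValidation=true the CAS client no longer checks the 'ticket' value, so the application has to verify the JWT itself before trusting its claims. The following is an added example, not code from this thread or from the CAS project, using only the JDK; it assumes the server issues signed-only HS256 JWTs with a shared key (if the server also encrypts the JWT, decrypt it first), and the class name, key and claims are constructed for illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TicketJwtCheck {
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"HS256\"");
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(UTF_8));
    }

    // Returns the claims JSON if the ticket is a valid, unexpired HS256 JWT; throws otherwise.
    static String verify(String ticket, byte[] key, long nowSeconds) throws Exception {
        String[] p = ticket.split("\\.", -1);
        if (p.length != 3) throw new SecurityException("not a compact JWS");
        Base64.Decoder dec = Base64.getUrlDecoder();
        String header = new String(dec.decode(p[0]), UTF_8);
        // Pin the expected algorithm instead of trusting the header (rejects "none").
        if (!ALG.matcher(header).find()) throw new SecurityException("unexpected alg");
        // Recompute the MAC over header.payload and compare in constant time.
        if (!MessageDigest.isEqual(hmac(key, p[0] + "." + p[1]), dec.decode(p[2])))
            throw new SecurityException("bad signature");
        String claims = new String(dec.decode(p[1]), UTF_8);
        Matcher m = EXP.matcher(claims);
        if (!m.find() || Long.parseLong(m.group(1)) <= nowSeconds)
            throw new SecurityException("missing or expired exp");
        return claims;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-a-real-secret".getBytes(UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        long now = System.currentTimeMillis() / 1000;
        // Constructed sample ticket; the claim names and values are illustrative.
        String h = enc.encodeToString("{\"alg\":\"HS256\"}".getBytes(UTF_8));
        String c = enc.encodeToString(("{\"sub\":\"alice\",\"exp\":" + (now + 60) + "}").getBytes(UTF_8));
        String sig = enc.encodeToString(hmac(key, h + "." + c));
        System.out.println("accepted: " + verify(h + "." + c + "." + sig, key, now));
        // Same signature over different claims must be rejected.
        String c2 = enc.encodeToString(("{\"sub\":\"bob\",\"exp\":" + (now + 60) + "}").getBytes(UTF_8));
        try { verify(h + "." + c2 + "." + sig, key, now); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The regex-based claim parsing keeps the example dependency-free; a deployed application would normally use a JOSE library and also check claims such as the issuer and audience.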
