Hi Jitendra,

Thank you for your very detailed answer.

I will try to rephrase to make sure I understood well.

1. Open https://ui-domain.com/
2. Click on <Sign In> -> Redirect from https://ui-domain.com/ to https://cas-domain.com (credential input form)
3. On https://cas-domain.com type user credentials: Redirection from https://cas-domain.com to https://ui-domain.com (with Service Ticket)
4. Call from https://ui-domain.com/ to https://cas-domain.com to validate *ST* and provide callback for https://ui-domain.com/ and PGT URI for https://services.com. Get back a response with *PGTIOU*
5. Call from https://ui-domain.com/ to https://services.com with *PGTIOU* to get a *PGTID* (or redirect to https://cas-domain.com if not found)
   - Here, I am a bit confused: are the PGT values in your example the same or different values?
     - (4.) [...] <cas:proxyGrantingTicket> PGTIOU-3-64o7WGazmX-9r2lC2LTCo7mlNGh5xu07mBevm93vei-jhJWo8lsviL-aHRNcI-MHK04-49f49b7e1211 [...]
     - (5.) [...] get the pgtId using "<cas:proxyGrantingTicket>PGTIOU-84678-8a9d... [...]
     - (5.) [...] "pgtId": "PGT-32-RlLIQhAkXISAqouOO2qyoTCYkYkTQSmJQueUoZdjHiCVJLuF8Nvx6Yf6pDka-iFO5Fo-49f49b7e1211" [...]
6. Call from https://ui-domain.com/ to https://cas-domain.com with *PGTID* from (5.). Get back a *PT* on success or an error if invalid ticket.
7. Call from https://ui-domain.com/ to https://services.com with *PT* from (6.)
   - Call from https://services.com to https://cas-domain.com with *PT* to check *PT* validity and get username + *PGT* (will it be used?)
   - From here I can get additional information about the user by querying the CAS directory.
8. Create a session or use JWT to allow the API to know who is connected when the API is called by the UI.

On Tuesday, May 5, 2020 at 18:23:40 UTC+2, Jitendra Patil wrote:
>
> Hi Marc,
>
> <SERVICE-URL> is the Spring API URL. Please find below the steps which can be
> followed to secure APIs and make the entire flow work.
>
> 1. Open/Load frontend Application
> https://ui-domain.com/
> Login: username / password
>
> 2. Click on Sign-in and control will get redirected to CAS for
> Authentication
> https://cas.domain.com/cas/login?service=https://ui-domain.com/verify
>
> 3. Enter credentials and on success the control will be redirected to the
> Front-end Application with a Service Ticket
>
> https://ui-domain.com/verify?ticket=ST-54-yYDr67UYlA5FX1yatA1-8fR-0pI-49f49b7e1211
>
> 4. Call the CAS API to check the Service Ticket status with the proxy callback URL
>
> https://cas.domain.com/cas/p3/serviceValidate?service=https://ui-domain.com/verify&ticket=ST-56-EenPWIje1NG-GcI3TjAxoDOpKlQ-49f49b7e1211&pgtUrl=https://services.com/proxy-callback
>
> - On Success, CAS returns pgtIou in XML format
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>   <cas:authenticationSuccess>
>     <cas:user>username</cas:user>
>     <cas:proxyGrantingTicket>PGTIOU-3-64o7WGazmX-9r2lC2LTCo7mlNGh5xu07mBevm93vei-jhJWo8lsviL-aHRNcI-MHK04-49f49b7e1211</cas:proxyGrantingTicket>
>     <cas:attributes> // as of now we are not using the below parameters so
> we can ignore them
>       <cas:credentialType>UsernamePasswordCredential</cas:credentialType>
>       <cas:isFromNewLogin>true</cas:isFromNewLogin>
>       <cas:authenticationDate>2020-01-30T13:12:06.215Z[Etc/UTC]</cas:authenticationDate>
>       <cas:authenticationMethod>LdapAuthenticationHandler</cas:authenticationMethod>
>       <cas:successfulAuthenticationHandlers>LdapAuthenticationHandler</cas:successfulAuthenticationHandlers>
>       <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
>     </cas:attributes>
>   </cas:authenticationSuccess>
> </cas:serviceResponse>
>
> - On Failure
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>   <cas:authenticationFailure code="INVALID_TICKET">Ticket
> 'ST-56-EenPWIje1NG-GcI3TjAxoDOpKlQ-49f49b7e1211' not
> recognized</cas:authenticationFailure>
> </cas:serviceResponse>
>
> - here the API server receives the PgtIn & PgtOut ids in the call-back API, and in the
> next step the UI should make a call to return the PgtId with the help of
> proxyGrantingTicket
>
> 5. Call the Services API to get the pgtId using
> "<cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>"
>
> https://services.com/validate-pgt?pgtIou=PGT-32-RlLIQhAkXISAqouOO2qyoTCYkYkTQSmJQueUoZdjHiCVJLuF8Nvx6Yf6pDka-iFO5Fo-49f49b7e1211
> - On Success
> {
>   "pgtId": "PGT-32-RlLIQhAkXISAqouOO2qyoTCYkYkTQSmJQueUoZdjHiCVJLuF8Nvx6Yf6pDka-iFO5Fo-49f49b7e1211"
> }
>
> - On Failure, redirect the user to the CAS login page
> {
>   "timestamp": "2020-01-30T13:15:44.702+0000",
>   "status": 404,
>   "error": "Not Found",
>   "message": "pgtIou not found",
>   "path": "/validate-pgt"
> }
>
> 6. Call the CAS API using the pgtId to generate a Proxy Ticket
>
> https://cas.domain.com/cas/proxy?targetService=https://services.com/validate-proxy-ticket&pgt=PGT-32-RlLIQhAkXISAqouOO2qyoTCYkYkTQSmJQueUoZdjHiCVJLuF8Nvx6Yf6pDka-iFO5Fo-49f49b7e1211
> - On Success
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>   <cas:proxySuccess>
>     <cas:proxyTicket>PT-57-XDtbTbI9GH3pVZr3qltelIE3kPk-49f49b7e1211</cas:proxyTicket>
>   </cas:proxySuccess>
> </cas:serviceResponse>
>
> - On Failure
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>   <cas:proxyFailure code="INVALID_TICKET">Ticket
> 'PGT-2-RlLIQhAkXISAqouOO2qyoTCYkYkTQSmJQueUoZdjHiCVJLuF8Nvx6Yf6pDka-iFO5Fo-49f49b7e1211'
> not recognized</cas:proxyFailure>
> </cas:serviceResponse>
>
> 7. Call the Services API with the proxy ticket
>
> https://services.com/validate-proxy-ticket?ticket=PT-61-FJ59Dk-18aFyBc3BJw4Yp2Q5l70-49f49b7e1211
> - here you have to call the CAS server to check the validity of the
> proxy ticket
>
> https://cas.domain.com/cas/proxyValidate?service=https://ui-domain.com/verify&ticket=PT-61-FJ59Dk-18aFyBc3BJw4Yp2Q5l70-49f49b7e1211
> Response from CAS
> <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
>   <cas:authenticationSuccess>
>     <cas:user>username</cas:user>
>     <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
>     <cas:proxies>
>       <cas:proxy>https://proxy2/pgtUrl</cas:proxy>
>       <cas:proxy>https://proxy1/pgtUrl</cas:proxy>
>     </cas:proxies>
>   </cas:authenticationSuccess>
> </cas:serviceResponse>
>
> 8. Once the 7th step gets verified, you can go with a cookies or JWT
> mechanism OR follow the 6th & 7th steps to secure each and every API. The choice
> is yours.
>
> Thank you.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/92c98a04-9ac0-4c92-b466-6438757cecd6%40apereo.org.
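The pieces a services API needs for steps 4 to 7 of the flow discussed above, as an added example that is not code from this thread or from the CAS project: a parser for the CAS serviceValidate/proxyValidate and /proxy XML responses, and a store for the pgtIou -> pgtId pair that CAS delivers to the pgtUrl callback (the "/proxy-callback" of step 4), which the UI later exchanges by presenting the pgtIou (step 5). The function and class names, the 60-second lifetime and the single-use rule are assumptions of the example; the sample XML is constructed, adapted from the responses quoted in the thread.

```python
"""Added example: CAS proxy-flow helpers for a services API (not from the thread)."""
import time
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed samples adapted from the thread (the inline "// ..." remark in the
# quoted success response is left out, since it is not valid XML).
SAMPLE_VALIDATE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>username</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-3-64o7WGazmX-9r2lC2LTCo7mlNGh5xu07mBevm93vei-jhJWo8lsviL-aHRNcI-MHK04-49f49b7e1211</cas:proxyGrantingTicket>
    <cas:attributes>
      <cas:credentialType>UsernamePasswordCredential</cas:credentialType>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_VALIDATE_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">Ticket
 'ST-56-EenPWIje1NG-GcI3TjAxoDOpKlQ-49f49b7e1211' not
 recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

SAMPLE_PROXY_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>PT-57-XDtbTbI9GH3pVZr3qltelIE3kPk-49f49b7e1211</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>"""


def _failure(elem):
    # Collapse the line-wrapped failure text into one line for logging.
    return {"ok": False, "code": elem.get("code", ""),
            "message": " ".join((elem.text or "").split())}


def parse_validate_response(xml_text):
    """Parse a /serviceValidate or /proxyValidate response (steps 4 and 7)."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        attrs = {child.tag.split("}")[1]: (child.text or "").strip()
                 for child in ok.findall("cas:attributes/*", CAS_NS)}
        return {
            "ok": True,
            "user": (ok.findtext("cas:user", namespaces=CAS_NS) or "").strip(),
            # Only present when the request carried pgtUrl. This is the IOU,
            # not the pgtId; the pgtId arrives separately at the callback.
            "pgtIou": ok.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS),
            "attributes": attrs,
            "proxies": [p.text for p in ok.findall("cas:proxies/cas:proxy", CAS_NS)],
        }
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return _failure(fail)
    raise ValueError("not a CAS serviceResponse")


def parse_proxy_response(xml_text):
    """Parse a /proxy response (step 6): proxySuccess or proxyFailure."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:proxySuccess", CAS_NS)
    if ok is not None:
        return {"ok": True,
                "proxyTicket": ok.findtext("cas:proxyTicket", namespaces=CAS_NS)}
    fail = root.find("cas:proxyFailure", CAS_NS)
    if fail is not None:
        return _failure(fail)
    raise ValueError("not a CAS serviceResponse")


class PgtStore:
    """pgtIou -> pgtId map behind the pgtUrl callback (hypothetical names).

    CAS calls the callback with both values; the UI later presents only the
    pgtIou and receives the pgtId. Entries are single use and expire, so a
    replayed or stale pgtIou yields None (answer 404 / redirect to CAS login).
    """

    def __init__(self, ttl_seconds=60):
        self._entries = {}
        self._ttl = ttl_seconds

    def on_callback(self, pgt_iou, pgt_id, now=None):
        # Reject malformed pairs; False lets the endpoint answer 4xx.
        if not (pgt_iou.startswith("PGTIOU-") and pgt_id.startswith("PGT-")):
            return False
        self._entries[pgt_iou] = (pgt_id, (now or time.time()) + self._ttl)
        return True

    def exchange(self, pgt_iou, now=None):
        # pop() makes the IOU single use; expiry bounds the window for step 5.
        entry = self._entries.pop(pgt_iou, None)
        if entry is None:
            return None
        pgt_id, expires = entry
        return pgt_id if (now or time.time()) <= expires else None


if __name__ == "__main__":
    print(parse_validate_response(SAMPLE_VALIDATE_OK))
    print(parse_validate_response(SAMPLE_VALIDATE_FAIL))
    print(parse_proxy_response(SAMPLE_PROXY_OK))
```

The store answers the question raised in the reply above: the value in `<cas:proxyGrantingTicket>` is the IOU, and the pgtId is a different string that only ever reaches the service through the callback, so the UI never sees the pgtId until it exchanges the IOU it received in step 4. Keeping the exchange single use and short-lived limits what an intercepted IOU is worth.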