*Question (up front for those skimming the list):*
Should my CAS server be returning proxy tickets that begin with "PT"?
Is this a configuration option?
Is this something that was added after CAS-3.3.3?

*Background:*

I have recently been testing the latest phpCAS version (1.1.0RC6 /
https://www.ja-sig.org/svn/cas-clients/phpcas/tr...@48086), which now has a
switch that runs service tickets through a different path than proxy
tickets. Their relevant change is:

                     break;
                 case CAS_VERSION_2_0: // check for a Service or Proxy
Ticket
-                    if( preg_match('/^[SP]T-/',$ticket) ) {
-                        phpCAS::trace('ST or PT \''.$ticket.'\' found');
+                    if (preg_match('/^ST-/', $ticket)) {
+                        phpCAS::trace('ST \'' . $ticket . '\' found');
+                        $this->setST($ticket);
+                        unset ($_GET['ticket']);
+                    } else if (preg_match('/^PT-/', $ticket)) {
+                        phpCAS::trace('PT \'' . $ticket . '\' found');
                         $this->setPT($ticket);
                         unset($_GET['ticket']);
                     } else if ( !empty($ticket) ) {
                         //ill-formed ticket, halt
                         phpCAS::error('ill-formed ticket found in the URL
(ticket=`'.htmlentities($ticket).'\')');
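
Review bot: The new /^ST-/ branch sends every ticket that starts with "ST-" to setST(), but the prefix does not identify the ticket type. CAS protocol section 3.3.1, quoted later in this message, allows proxy tickets to begin with either "ST-" or "PT-", and the /proxy response shown in this message returns a proxy ticket that starts with "ST-". A service that accepts proxied access will therefore take such a ticket down the service-ticket path and reject it. Suggest choosing the path from whether the client is configured to accept proxy tickets, and keeping the prefix test only as a well-formedness check ahead of the existing ill-formed ticket branch.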

What I noticed in testing with this client is that my CAS server
(3.3.3 with a custom overlay) returns proxy tickets that begin with "ST-"
rather than "PT-":

https://login.middlebury.edu/cas/proxy?targetService=http%3A%2F%2Fchisel.middlebury.edu%2F~afranco%2Fphpcas_cookiestorage%2Fservice%2F%3Fparam%3D1397087449&pgt=TGT-2447-zAWGcUHZvTgFNaTwjWG1nSU0gxiOoCIbbflTgeunLwaMU2nJoq-harpie

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:proxySuccess>
        <cas:proxyTicket>ST-3103-cn5FJWG4Cvv4OdfGNAqZ-griffon</cas:proxyTicket>
    </cas:proxySuccess>
</cas:serviceResponse>

Because phpCAS now switches based on the first part of the ticket string,
proxy tickets get sent to the serviceValidate URL rather than the
proxyValidate URL and fail validation. At the end of the day, it may be that
this phpCAS change is invalid due to the CAS Protocol
<http://www.jasig.org/cas/protocol> section 3.3.1 allowing
proxy tickets to begin with "ST-":

> Proxy tickets SHOULD begin with the characters, "PT-". Proxy tickets MUST
> begin with either the characters, "ST-" or "PT-".


*My questions for this list:*
Should my CAS server be returning proxy tickets that begin with "PT"?
Is this a configuration option?
Is this something that was added after CAS-3.3.3?

Once I know if my CAS server is messed up or is operating as expected, I'll
follow up with the phpCAS team to notify them if their client change doesn't
fit the protocol correctly.

Thanks for your help,
Adam

P.S. I have attached my logs for the sequence for the client app, the
service app, and the pgt storage script for reference in case they are
helpful.


Attachment: cookiestorage_client.log
Description: Binary data

Attachment: cookiestorage_service.log
Description: Binary data

Attachment: cookiestorage_storePGT.log
Description: Binary data
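
An added example, not part of the original post and not phpCAS code: one way a client can pick the validation path without depending on the ticket prefix. It assumes CAS protocol section 2.6, under which /proxyValidate performs the same checks as /serviceValidate and additionally validates proxy tickets; the function names are hypothetical.

```php
<?php
// Added example. Function names are hypothetical and are not phpCAS API.
const CAS_NS = 'http://www.yale.edu/tp/cas';
// Return the ticket from a /proxy response, or null unless it is a
// well-formed cas:proxySuccess carrying exactly one cas:proxyTicket.
function extractProxyTicket(string $xml): ?string
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing.
    if ($xml === '' || !@$doc->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    $nodes = $doc->getElementsByTagNameNS(CAS_NS, 'proxyTicket');
    if ($nodes->length !== 1) {
        return null;
    }
    $parent = $nodes->item(0)->parentNode;
    if ($parent->namespaceURI !== CAS_NS || $parent->localName !== 'proxySuccess') {
        return null;
    }
    return trim($nodes->item(0)->textContent);
}

// Choose the validation path from the service's role. The prefix is used
// only to reject ill-formed tickets and to refuse an explicit "PT-" ticket
// at a service that does not accept proxied access.
function validationPath(string $ticket, bool $acceptsProxied): ?string
{
    if (!preg_match('/^(ST|PT)-/', $ticket, $m)) {
        return null; // ill-formed ticket
    }
    if ($m[1] === 'PT' && !$acceptsProxied) {
        return null; // proxy ticket presented to a non-proxied service
    }
    return $acceptsProxied ? '/proxyValidate' : '/serviceValidate';
}

// The /proxy response shown in the message above.
$response = <<<XML
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:proxySuccess>
        <cas:proxyTicket>ST-3103-cn5FJWG4Cvv4OdfGNAqZ-griffon</cas:proxyTicket>
    </cas:proxySuccess>
</cas:serviceResponse>
XML;

$pt = extractProxyTicket($response);
var_dump(validationPath($pt, true));  // service that accepts proxied access
var_dump(validationPath($pt, false)); // service that accepts ST only
```

With an "ST-" proxy ticket the second call still returns a path, so a service that must refuse proxied access relies on the server rejecting the ticket at /serviceValidate, not on the prefix.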
