Sure.  The non-browser client is adopting the role of browser in the CAS
protocol.  It touches the TGT.

Still, by using the TGT to obtain an ST, your "<my-service>" doesn't get to
see the TGT, only a short-lived one-time-use ST.  This is better than the
service itself touching the TGT, which it could then use as an illicit
proxy.

All that said, I'd readily agree that CAS has less to offer non-browser
clients and that you might well consider other options. The non-browser
client is presumably a custom application that can do smarter, more
sophisticated things than can a web browser.  As in, participate in OAuth,
or validate credentials to pull down a certificate and use TLS to
authenticate to the services it accesses on the user's behalf, or...

Andrew

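To make the "service only sees the ST" argument concrete, here is an added example (my own toy model, not code from this thread or from the CAS project) of the ticket flow the non-browser client follows: credentials to TGT, TGT to ST, ST redeemed by the service. It is an in-memory simulation with methods standing in for the CAS server's endpoints; the 10-second ST lifetime, the usernames, passwords and service URLs are all constructed for the demo. It shows what the ST buys the deployment: the service never handles the TGT, an ST works once, only at the service it was minted for, and only briefly, and an ST cannot be used to mint further tickets.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption for this demo: how long an unredeemed ST stays valid.
# Real CAS deployments configure their own (short) service-ticket lifetime.
ST_TTL_SECONDS = 10.0


class FakeClock:
    """Controllable clock so the expiry case can be shown without sleeping."""
    def __init__(self) -> None:
        self.now = 1000.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class _ServiceTicketRecord:
    tgt: str           # the TGT this ST was minted from; stays inside the server
    service: str       # the service URL the ST is bound to
    issued_at: float


class CasServer:
    """Minimal in-memory model of a CAS ticket registry (not the real CAS code)."""

    def __init__(self, users: dict, clock=time.monotonic) -> None:
        self._users = users        # username -> password (constructed demo data)
        self._clock = clock
        self._tgts: dict = {}      # TGT id -> username
        self._sts: dict = {}       # ST id -> _ServiceTicketRecord

    def login(self, username: str, password: str) -> str:
        """Credentials -> TGT. Only the CAS server and the client ever hold this."""
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self._tgts[tgt] = username
        return tgt

    def grant_service_ticket(self, tgt: str, service: str) -> str:
        """TGT -> ST bound to one service. An ST presented here is rejected: it is not a TGT."""
        if tgt not in self._tgts:
            raise PermissionError("unknown TGT")
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = _ServiceTicketRecord(tgt, service, self._clock())
        return st

    def service_validate(self, service: str, ticket: str):
        """Redeem an ST. Returns the username, or None on failure. The ST is consumed on
        its first validation attempt whether or not that attempt succeeds."""
        rec = self._sts.pop(ticket, None)
        if rec is None:
            return None                       # unknown, or already redeemed
        if rec.service != service:
            return None                       # bound to a different service
        if self._clock() - rec.issued_at > ST_TTL_SECONDS:
            return None                       # not redeemed promptly
        return self._tgts.get(rec.tgt)


class Service:
    """The '<my-service>' side: it only ever handles STs and asks CAS who they belong to."""

    def __init__(self, url: str, cas: CasServer) -> None:
        self.url = url
        self._cas = cas
        self.tickets_seen: list = []

    def handle(self, ticket: str):
        self.tickets_seen.append(ticket)
        return self._cas.service_validate(self.url, ticket)   # None means 401


def run_demo() -> dict:
    clock = FakeClock()
    cas = CasServer({"alice": "correct horse battery staple"}, clock)  # constructed credentials
    svc_a = Service("https://a.example/app", cas)   # hypothetical service URLs
    svc_b = Service("https://b.example/app", cas)
    results = {}

    # Non-browser client: TGT, then ST, then hand the ST (only the ST) to the service.
    tgt = cas.login("alice", "correct horse battery staple")
    st = cas.grant_service_ticket(tgt, svc_a.url)
    results["first_validation"] = svc_a.handle(st)      # "alice"
    results["replayed"] = svc_a.handle(st)              # None: one-time use

    # An ST minted for service A is useless at service B.
    results["wrong_service"] = svc_b.handle(cas.grant_service_ticket(tgt, svc_a.url))

    # An ST that sits unredeemed past its lifetime expires.
    stale = cas.grant_service_ticket(tgt, svc_a.url)
    clock.advance(ST_TTL_SECONDS + 1)
    results["expired"] = svc_a.handle(stale)

    # The services never touched a TGT, and an ST cannot be used to mint more tickets.
    seen = svc_a.tickets_seen + svc_b.tickets_seen
    results["service_saw_tgt"] = any(t.startswith("TGT-") for t in seen)
    try:
        cas.grant_service_ticket(st, svc_b.url)
        results["st_cannot_mint_tickets"] = False
    except PermissionError:
        results["st_cannot_mint_tickets"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Contrast this with a client that hands the TGT itself to each service: every such service could call `grant_service_ticket` as the user for any other service, which is exactly the illicit-proxy problem described above.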

On Thu, Mar 7, 2013 at 10:28 AM, Modi Tamam <[email protected]> wrote:

> Understood.
> I'll describe my use cases.
> Some of my clients use browsers and some do not, meaning that the
> non-browser clients' workflow will be as follows:
>
>    1. Obtain a TGT
>    2. Obtain a ST
>    3. Validate the ST (https:<my-service>?ticket=<my ticket>)
>    4. Interact with <my-service>
>
> My question is, what is the added value (from a security point of view) of
> the ST? (I mean, the client is already aware of the TGT)
>
>
> On Thu, Mar 7, 2013 at 5:01 PM, Andrew Petro <[email protected]> wrote:
>
>> If you presented the TGT to any entity other than the CAS server, that
>> entity could then use that TGT to access the CAS server in the name of the
>> user, obtaining STs as the user.  Thus any entity presented with the TGT
>> becomes a potential illicit proxy.
>>
>> STs are very-short-lived application-specific one-time-use password
>> replacements.  Appropriately vending and redeeming them is part of the
>> point of a CAS server. :)
>>
>>
>> On Thu, Mar 7, 2013 at 9:42 AM, Modi Tamam <[email protected]> wrote:
>>
>>> Hi,
>>> I'm trying to figure out the purpose of the service ticket.
>>> I mean, why wouldn't I validate the TGT against each service
>>> that I want to interact with, what is the added value of the ST?
>>>
>>> --
>>> Best Regards
>>> Mordechai Tamam
>>>
>>> --
>>> You are currently subscribed to [email protected] as: 
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see 
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>>
>>
>>
>
>
> --
> Best Regards
> Mordechai Tamam
>
>
>
