[cas-user] Re: CAS JWT Service ticket validation getting failed

2019-02-14 Thread srmudigan
Thank you. I will try with the new version.

Regards,
srmudigan

On Wednesday, February 13, 2019 at 3:03:35 PM UTC-5, dkopy...@unicon.net 
wrote:
>
> In just released 2.2.0-GA version of cas-client-autoconfig-support 
> library, there is a new configuration option to turn off ticket validation 
> interaction by the Java CAS client (useful for this exact use case of JWTs 
> as tickets). It looks like this: cas.skipTicketValidation=true
>
> Once that's set, after authentication transaction, client apps will 
> receive JWTs in the 'ticket' request parameter(if CAS server is set up to 
> do that, of course) and CAS client will not attempt to validate it. Then 
> you could do whatever you please with it.
>
> Best,
> D.
>
> On Wednesday, 6 February 2019 10:38:18 UTC-5, srmudigan wrote:
>>
>> Hi Michele,
>>
>> Yes you are right, cas is not internally validating the JWT. The cas 
>> client which in my case is spring boot based web app which is 
>> using cas-client-autoconfig-support and with @EnableCasClient annotation. I 
>> am using the validation-type: CAS3 in the client. And when I authenticate 
>> against cas server, the cas is generating the JWT but the client is trying 
>> to validate the JWT like ST by sending it back to cas.  Looks like the 
>> client is using Cas20ServiceTicketValidator to validate the JWT ticket 
>> which I think it should not. What changes did you do in client to not send 
>> it back to cas for validating ? 
>>
>> Thanks,
>> srmudiganti 
>>
>> On Wednesday, February 6, 2019 at 3:50:04 AM UTC-5, Michele Melluso wrote:
>>>
>>> Hi,
>>>
>>> cas is not supposed at all to internally validate the JWT, since it 
>>> should be generated by cas only after the ST is internally validated, (as 
>>> its shown on the documentation flow diagram).
>>>
>>> When it happened to me, it was because i was using a cas client which 
>>> was applying the cas protocol providing back the ticket argument to the 
>>> validation endpoint of cas.
>>> Could you check that you are not using any cas client and provide your 
>>> app code that you are using to validate the jwt?
>>>
>>> regards
>>> Michele
>>>
>>> On Monday, February 4, 2019 at 7:24:23 PM UTC+1, srmudigan wrote:
>>>>
>>>> Hi Michele,
>>>>
>>>> I have gone through the link. But before I implement reading the token 
>>>> on client side, i need to disable the validation happening on cas side. 
>>>> Could you help me how to disable the validation that's happening on cas as 
>>>> it's doing JWTvalidation like ST ticket ? It looks like after JWT is 
>>>> generated, it's getting validated on cas. The generated URL has 
>>>> redirected=true=JWT-ticket. May be that's causing the automatic 
>>>> validation ? It looks like the jwt ticket is not even reaching client. So 
>>>> can you please suggest how to stop the validation ? 
>>>>
>>>> Thank you for your help.
>>>>
>>>> Regards,
>>>> srmudiganti
>>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f36032a8-6994-44c5-bc5e-c80483596e1b%40apereo.org.
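
Once cas.skipTicketValidation=true is set as described in the quoted reply above, nothing in the CAS client checks the JWT, so the application has to verify the signature itself before trusting the ticket. The following is an added example, not part of the thread and not code from the CAS project: a JDK-only HS512 check (the `alg` visible in the ticket header posted in this thread). The class name, key and sample token are constructed, and how the signing key configured on the CAS server maps to raw key bytes is an assumption left to the deployment.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: local signature check for a JWT received in the 'ticket'
// parameter when the CAS client no longer validates it. JDK only.
public class JwtTicketCheck {

    // Accept only the algorithm this service expects; "none" or any other alg is refused.
    private static final Pattern ALG_HS512 =
            Pattern.compile("\"alg\"\\s*:\\s*\"HS512\"");

    static byte[] hmacSha512(byte[] key, String signingInput) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA512");
        mac.init(new SecretKeySpec(key, "HmacSHA512"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    /** Returns the decoded payload if the signature is valid, otherwise throws. */
    static byte[] verifyTicket(String ticket, byte[] key) throws GeneralSecurityException {
        // 'ticket' is the already URL-decoded parameter value (e.g. from getParameter).
        String[] parts = ticket.split("\\.", -1);
        if (parts.length != 3) {
            throw new GeneralSecurityException("not a three-part compact JWS");
        }
        Base64.Decoder b64 = Base64.getUrlDecoder();
        byte[] header, payload, signature;
        try {
            header = b64.decode(parts[0]);
            payload = b64.decode(parts[1]);
            signature = b64.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            throw new GeneralSecurityException("malformed base64url segment", e);
        }
        if (!ALG_HS512.matcher(new String(header, StandardCharsets.UTF_8)).find()) {
            throw new GeneralSecurityException("unexpected alg in header");
        }
        // The MAC covers the encoded header and payload exactly as received.
        byte[] expected = hmacSha512(key, parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expected, signature)) { // constant-time compare
            throw new GeneralSecurityException("signature mismatch");
        }
        return payload;
    }

    public static void main(String[] args) throws Exception {
        // Constructed key and token for the demo; a real key comes from the deployment.
        byte[] key = "constructed-demo-key-0123456789abcdef0123456789abcdef0123456789ab"
                .getBytes(StandardCharsets.US_ASCII);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String head = enc.encodeToString("{\"alg\":\"HS512\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString("{\"sub\":\"testuser\"}".getBytes(StandardCharsets.UTF_8));
        String sig = enc.encodeToString(hmacSha512(key, head + "." + body));
        String ticket = head + "." + body + "." + sig;

        System.out.println("valid: " + new String(verifyTicket(ticket, key), StandardCharsets.UTF_8));

        // The same token with a modified payload must be rejected.
        String tamperedBody = enc.encodeToString("{\"sub\":\"admin\"}".getBytes(StandardCharsets.UTF_8));
        try {
            verifyTicket(head + "." + tamperedBody + "." + sig, key);
            System.out.println("tampered: accepted (bug)");
        } catch (GeneralSecurityException e) {
            System.out.println("tampered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

When the service is also configured with an encryption key, as in the original post, the verified payload may still need decrypting before claims such as expiry and audience can be checked.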


[cas-user] Re: CAS JWT Service ticket validation getting failed

2019-02-13 Thread dkopyle...@unicon.net
In just released 2.2.0-GA version of cas-client-autoconfig-support library, 
there is a new configuration option to turn off ticket validation 
interaction by the Java CAS client (useful for this exact use case of JWTs 
as tickets). It looks like this: cas.skipTicketValidation=true

Once that's set, after authentication transaction, client apps will receive 
JWTs in the 'ticket' request parameter(if CAS server is set up to do that, 
of course) and CAS client will not attempt to validate it. Then you could 
do whatever you please with it.

Best,
D.

On Wednesday, 6 February 2019 10:38:18 UTC-5, srmudigan wrote:
>
> Hi Michele,
>
> Yes you are right, cas is not internally validating the JWT. The cas 
> client which in my case is spring boot based web app which is 
> using cas-client-autoconfig-support and with @EnableCasClient annotation. I 
> am using the validation-type: CAS3 in the client. And when I authenticate 
> against cas server, the cas is generating the JWT but the client is trying 
> to validate the JWT like ST by sending it back to cas.  Looks like the 
> client is using Cas20ServiceTicketValidator to validate the JWT ticket 
> which I think it should not. What changes did you do in client to not send 
> it back to cas for validating ? 
>
> Thanks,
> srmudiganti 
>
> On Wednesday, February 6, 2019 at 3:50:04 AM UTC-5, Michele Melluso wrote:
>>
>> Hi,
>>
>> cas is not supposed at all to internally validate the JWT, since it 
>> should be generated by cas only after the ST is internally validated, (as 
>> its shown on the documentation flow diagram).
>>
>> When it happened to me, it was because i was using a cas client which was 
>> applying the cas protocol providing back the ticket argument to the 
>> validation endpoint of cas.
>> Could you check that you are not using any cas client and provide your 
>> app code that you are using to validate the jwt?
>>
>> regards
>> Michele
>>
>> On Monday, February 4, 2019 at 7:24:23 PM UTC+1, srmudigan wrote:
>>>
>>> Hi Michele,
>>>
>>> I have gone through the link. But before I implement reading the token 
>>> on client side, i need to disable the validation happening on cas side. 
>>> Could you help me how to disable the validation that's happening on cas as 
>>> it's doing JWTvalidation like ST ticket ? It looks like after JWT is 
>>> generated, it's getting validated on cas. The generated URL has 
>>> redirected=true=JWT-ticket. May be that's causing the automatic 
>>> validation ? It looks like the jwt ticket is not even reaching client. So 
>>> can you please suggest how to stop the validation ? 
>>>
>>> Thank you for your help.
>>>
>>> Regards,
>>> srmudiganti
>>>
>>>



[cas-user] Re: CAS JWT Service ticket validation getting failed

2019-02-06 Thread srmudigan
Hi Michele,

Yes, you are right, cas is not internally validating the JWT. The cas client, 
which in my case is a spring boot based web app, is 
using cas-client-autoconfig-support with the @EnableCasClient annotation. I 
am using the validation-type: CAS3 in the client. And when I authenticate 
against cas server, the cas is generating the JWT but the client is trying 
to validate the JWT like ST by sending it back to cas. Looks like the 
client is using Cas20ServiceTicketValidator to validate the JWT ticket, 
which I think it should not. What changes did you do in client to not send 
it back to cas for validating?

Thanks,
srmudiganti 

On Wednesday, February 6, 2019 at 3:50:04 AM UTC-5, Michele Melluso wrote:
>
> Hi,
>
> cas is not supposed at all to internally validate the JWT, since it should 
> be generated by cas only after the ST is internally validated, (as its 
> shown on the documentation flow diagram).
>
> When it happened to me, it was because i was using a cas client which was 
> applying the cas protocol providing back the ticket argument to the 
> validation endpoint of cas.
> Could you check that you are not using any cas client and provide your app 
> code that you are using to validate the jwt?
>
> regards
> Michele
>
> On Monday, February 4, 2019 at 7:24:23 PM UTC+1, srmudigan wrote:
>>
>> Hi Michele,
>>
>> I have gone through the link. But before I implement reading the token on 
>> client side, i need to disable the validation happening on cas side. Could 
>> you help me how to disable the validation that's happening on cas as it's 
>> doing JWTvalidation like ST ticket ? It looks like after JWT is generated, 
>> it's getting validated on cas. The generated URL has 
>> redirected=true=JWT-ticket. May be that's causing the automatic 
>> validation ? It looks like the jwt ticket is not even reaching client. So 
>> can you please suggest how to stop the validation ? 
>>
>> Thank you for your help.
>>
>> Regards,
>> srmudiganti
>>
>>



[cas-user] Re: CAS JWT Service ticket validation getting failed

2019-02-06 Thread Michele Melluso
Hi,

cas is not supposed at all to internally validate the JWT, since it should 
be generated by cas only after the ST is internally validated (as it's 
shown on the documentation flow diagram).

When it happened to me, it was because I was using a cas client which was 
applying the cas protocol providing back the ticket argument to the 
validation endpoint of cas.
Could you check that you are not using any cas client and provide your app 
code that you are using to validate the jwt?

regards
Michele

On Monday, February 4, 2019 at 7:24:23 PM UTC+1, srmudigan wrote:
>
> Hi Michele,
>
> I have gone through the link. But before I implement reading the token on 
> client side, i need to disable the validation happening on cas side. Could 
> you help me how to disable the validation that's happening on cas as it's 
> doing JWTvalidation like ST ticket ? It looks like after JWT is generated, 
> it's getting validated on cas. The generated URL has 
> redirected=true=JWT-ticket. May be that's causing the automatic 
> validation ? It looks like the jwt ticket is not even reaching client. So 
> can you please suggest how to stop the validation ? 
>
> Thank you for your help.
>
> Regards,
> srmudiganti
>
>



[cas-user] Re: CAS JWT Service ticket validation getting failed

2019-02-04 Thread srmudigan
Hi Michele,

I have gone through the link. But before I implement reading the token on 
client side, I need to disable the validation happening on cas side. Could you 
help me how to disable the validation that's happening on cas as it's doing 
JWT validation like ST ticket? It looks like after JWT is generated, it's 
getting validated on cas. The generated URL has 
redirected=true=JWT-ticket. Maybe that's causing the automatic 
validation? It looks like the jwt ticket is not even reaching client. So can 
you please suggest how to stop the validation?

Thank you for your help.

Regards,
srmudiganti



[cas-user] Re: CAS JWT Service ticket validation getting failed

2019-01-31 Thread Michele Melluso
Hi srmudiganti,

try to see if this helps:

https://groups.google.com/a/apereo.org/d/msg/cas-user/2kby6bDGnoQ/J-AmktLCFgAJ

regards
Michele


On Thursday, January 31, 2019 at 4:28:25 PM UTC+1, srmudigan wrote:
>
> Hi Michele,
>
> Thanks for your reply.I tried to authenticate CAS without client app and I 
> see it generated the jwt. I used the URL 
> https://localhost:8443/cas/login?service=https://www.example.org to 
> authenticate against cas. It generated the JWT ticket in the URL: 
> https://www.example.org/?ticket=eyJhbGciOiJIUzUxMiJ9.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%3D.34JcJbiCipnTWNdKufWFeF1VwY77eYAPyqDh06MmqkQiOXYkzY9Iauo9BAy-aa2clwZLZYeSI2fMZgDjjm-_wA
>
> How do I turn off client app ? As I understand from your reply that 
> "validate the jwt as it was ST", it seems like it's happening same for me. 
> Can you please let me know how did you solved the issue ? When we use jwt, 
> whats the correct the way to use jwt ? I am using the service name in 
> service registry for which the jwt is getting generated, then jwt is 
> getting passed to the application URL in service registry with 
> redirect=true and ticket=generate-jwt but again it's getting validated 
> against cas and it's throwing service ticket does not exist. So my question 
> is where should we validate JWT ? on CAS server or client ? but it seems 
> the validation is automatically happening on cas server. Once jwt is 
> generated, why keep on getting ticket does not exist. 
>
> Thanks in advance.
>
> Regards,
> srmudiganti
>
> On Thursday, January 31, 2019 at 2:59:28 AM UTC-5, Michele Melluso wrote:
>>
>> Hi,
>>
>> that happened to me while i was attempting by mistake to validate the Jwt 
>> as if it was a ST.
>> Actually Jwt is not intended to be validated against CAS, because its 
>> authenticity is granted by its signature (
>> https://apereo.github.io/cas/6.0.x/installation/Configure-ServiceTicket-JWT.html
>> ).
>>
>> Could you try to authenticate over cas with your client app turned off 
>> and see if the Jwt is returned?
>>
>> cheers
>> Michele
>>
>>
>> On Wednesday, January 30, 2019 at 8:50:11 PM UTC+1, srmudigan wrote:
>>>
>>> Hi,
>>>
>>> I am using CAS overlay 5.2.x and I am trying to use JWT token for single 
>>> sign on. I configured the cas.properties with signing key and encryption 
>>> key. Also add the service json with keys. I see that JWT is getting 
>>> generated but seems like the validation is failing. I am new to the CAS, so 
>>> can any body please let me know how do we validate the JWT on CAS server. I 
>>> see the following audit trail:
>>>
>>> WHO: audit:unknown
>>> WHAT: [event=success,timestamp=Wed Jan 30 13:25:36 EST 
>>> 2019,source=RankedAuthenticationProviderWebflowEventResolver]
>>> ACTION: AUTHENTICATION_EVENT_TRIGGERED
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:25:36 EST 2019
>>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>>
>>> WHO: testuser
>>> WHAT: Supplied credentials: [testuser]
>>> ACTION: AUTHENTICATION_SUCCESS
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:27:03 EST 2019
>>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>>
>>> WHO: testuser
>>> WHAT: 
>>> TGT-1-*o9ZO9-5-lg-hostname
>>> ACTION: TICKET_GRANTING_TICKET_DESTROYED
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:27:04 EST 2019
>>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>>
>>> WHO: testuser
>>> WHAT: 
>>> TGT-1-*9AvnnUJ-eU-hostname
>>> ACTION: TICKET_GRANTING_TICKET_CREATED
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:27:04 EST 2019
>>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>>
>>> WHO: testuser
>>> WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname for 
>>> http://localhost:8080/appname
>>> ACTION: SERVICE_TICKET_CREATED
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:27:04 EST 2019
>>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>>
>>> WHO: testuser
>>> WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname
>>> ACTION: SERVICE_TICKET_VALIDATED
>>> APPLICATION: CAS
>>> WHEN: Wed Jan 30 13:27:05 EST 2019
>>> CLIENT IP ADDRESS: 127.0.0.1
>>> SERVER IP ADDRESS: 127.0.0.1
>>>
>>> Then I see this failed message (service ticket doesn't exist):
>>>
>>> 2019-01-30 

[cas-user] Re: CAS JWT Service ticket validation getting failed

2019-01-31 Thread srmudigan
Hi Michele,

Thanks for your reply. I tried to authenticate CAS without client app and I 
see it generated the jwt. I used the URL 
https://localhost:8443/cas/login?service=https://www.example.org to 
authenticate against cas. It generated the JWT ticket in the URL: 
https://www.example.org/?ticket=eyJhbGciOiJIUzUxMiJ9.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%3D.34JcJbiCipnTWNdKufWFeF1VwY77eYAPyqDh06MmqkQiOXYkzY9Iauo9BAy-aa2clwZLZYeSI2fMZgDjjm-_wA

How do I turn off the client app? As I understand from your reply, 
"validate the jwt as it was ST", it seems like the same is happening for me. 
Can you please let me know how you solved the issue? When we use jwt, 
what's the correct way to use jwt? I am using the service name in 
service registry for which the jwt is getting generated, then jwt is 
getting passed to the application URL in service registry with 
redirect=true and ticket=generate-jwt but again it's getting validated 
against cas and it's throwing service ticket does not exist. So my question 
is where should we validate JWT? On CAS server or client? But it seems 
the validation is automatically happening on cas server. Once jwt is 
generated, why do I keep on getting ticket does not exist?

Thanks in advance.

Regards,
srmudiganti

On Thursday, January 31, 2019 at 2:59:28 AM UTC-5, Michele Melluso wrote:
>
> Hi,
>
> that happened to me while i was attempting by mistake to validate the Jwt 
> as if it was a ST.
> Actually Jwt is not intended to be validated against CAS, because its 
> authenticity is granted by its signature (
> https://apereo.github.io/cas/6.0.x/installation/Configure-ServiceTicket-JWT.html
> ).
>
> Could you try to authenticate over cas with your client app turned off and 
> see if the Jwt is returned?
>
> cheers
> Michele
>
>
> On Wednesday, January 30, 2019 at 8:50:11 PM UTC+1, srmudigan wrote:
>>
>> Hi,
>>
>> I am using CAS overlay 5.2.x and I am trying to use JWT token for single 
>> sign on. I configured the cas.properties with signing key and encryption 
>> key. Also add the service json with keys. I see that JWT is getting 
>> generated but seems like the validation is failing. I am new to the CAS, so 
>> can any body please let me know how do we validate the JWT on CAS server. I 
>> see the following audit trail:
>>
>> WHO: audit:unknown
>> WHAT: [event=success,timestamp=Wed Jan 30 13:25:36 EST 
>> 2019,source=RankedAuthenticationProviderWebflowEventResolver]
>> ACTION: AUTHENTICATION_EVENT_TRIGGERED
>> APPLICATION: CAS
>> WHEN: Wed Jan 30 13:25:36 EST 2019
>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>
>> WHO: testuser
>> WHAT: Supplied credentials: [testuser]
>> ACTION: AUTHENTICATION_SUCCESS
>> APPLICATION: CAS
>> WHEN: Wed Jan 30 13:27:03 EST 2019
>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>
>> WHO: testuser
>> WHAT: 
>> TGT-1-*o9ZO9-5-lg-hostname
>> ACTION: TICKET_GRANTING_TICKET_DESTROYED
>> APPLICATION: CAS
>> WHEN: Wed Jan 30 13:27:04 EST 2019
>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>
>> WHO: testuser
>> WHAT: 
>> TGT-1-*9AvnnUJ-eU-hostname
>> ACTION: TICKET_GRANTING_TICKET_CREATED
>> APPLICATION: CAS
>> WHEN: Wed Jan 30 13:27:04 EST 2019
>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>
>> WHO: testuser
>> WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname for 
>> http://localhost:8080/appname
>> ACTION: SERVICE_TICKET_CREATED
>> APPLICATION: CAS
>> WHEN: Wed Jan 30 13:27:04 EST 2019
>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>>
>> WHO: testuser
>> WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname
>> ACTION: SERVICE_TICKET_VALIDATED
>> APPLICATION: CAS
>> WHEN: Wed Jan 30 13:27:05 EST 2019
>> CLIENT IP ADDRESS: 127.0.0.1
>> SERVER IP ADDRESS: 127.0.0.1
>>
>> Then I see this failed message (service ticket doesn't exist):
>>
>> 2019-01-30 13:27:05,396 DEBUG 
>> [org.apereo.cas.AbstractCentralAuthenticationService] - > decode service ticket 
>> 

[cas-user] Re: CAS JWT Service ticket validation getting failed

2019-01-30 Thread Michele Melluso
Hi,

That happened to me while I was attempting by mistake to validate the Jwt 
as if it was a ST.
Actually Jwt is not intended to be validated against CAS, because its 
authenticity is granted by its signature 
(https://apereo.github.io/cas/6.0.x/installation/Configure-ServiceTicket-JWT.html).

Could you try to authenticate over cas with your client app turned off and 
see if the Jwt is returned?

cheers
Michele


On Wednesday, January 30, 2019 at 8:50:11 PM UTC+1, srmudigan wrote:
>
> Hi,
>
> I am using CAS overlay 5.2.x and I am trying to use JWT token for single 
> sign on. I configured the cas.properties with signing key and encryption 
> key. Also add the service json with keys. I see that JWT is getting 
> generated but seems like the validation is failing. I am new to the CAS, so 
> can any body please let me know how do we validate the JWT on CAS server. I 
> see the following audit trail:
>
> WHO: audit:unknown
> WHAT: [event=success,timestamp=Wed Jan 30 13:25:36 EST 
> 2019,source=RankedAuthenticationProviderWebflowEventResolver]
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:25:36 EST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>
> WHO: testuser
> WHAT: Supplied credentials: [testuser]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:27:03 EST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>
> WHO: testuser
> WHAT: 
> TGT-1-*o9ZO9-5-lg-hostname
> ACTION: TICKET_GRANTING_TICKET_DESTROYED
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:27:04 EST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>
> WHO: testuser
> WHAT: 
> TGT-1-*9AvnnUJ-eU-hostname
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:27:04 EST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>
> WHO: testuser
> WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname for 
> http://localhost:8080/appname
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:27:04 EST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>
> WHO: testuser
> WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname
> ACTION: SERVICE_TICKET_VALIDATED
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:27:05 EST 2019
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
>
> Then I see this failed message (service ticket doesn't exist):
>
> 2019-01-30 13:27:05,396 DEBUG 
> [org.apereo.cas.AbstractCentralAuthenticationService] -  decode service ticket 
> [eyJhbGciOiJIUzUxMiJ9.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.d2h6CYWdYbDUvEdjnDpYpNKB7QIgfHU_ztYOeBN0dOp-H_p_Nwgnw1_kBoqXQytuPae4eyNeH05RiwUyQbOh-g]
>  
> to verify authenticity>
> 2019-01-30 13:27:05,396 WARN 
> [org.apereo.cas.DefaultCentralAuthenticationService] -  [eyJhbGciOiJIUzUxMiJ9.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.d2h6CYWdYbDUvEdjnDpYpNKB7QIgfHU_ztYOeBN0dOp-H_p_Nwgnw1_kBoqXQytuPae4eyNeH05RiwUyQbOh-g]
>  
> does not exist.>
>
> WHO: audit:unknown
> WHAT: 
>