Using CAS for API endpoints


James A. Rosen

Dec 6, 2012, 1:30:50 PM
to rubycas...@googlegroups.com
I'm looking into options for extracting the authentication logic from several applications (mostly Rails). I remember CAS from a previous job (indeed, I wrote a Rack middleware for CAS authentication a while back: https://github.com/jamesarosen/casrack_the_authenticator) and would like to use it if possible. The problem is that each of the apps needs to support *several* authentication methods. One of them is the "happy CAS path" wherein the app shows a form to browsers and then sets a cookie. Others include HTTP headers and HTTP Basic Authentication (for API requests). Has anyone deployed CAS to support multiple authentication methods? In these other cases, the credentials are sent with every request and there shouldn't be any cookies. I don't see how to make that work with CAS.

It's possible that this thread (https://groups.google.com/forum/?fromgroups=#!topic/rubycas-server/Ax8-TLYyA58) started by Marvin Addison is similar. This thread (https://groups.google.com/d/topic/rubycas-server/6bkG9nQjttw/discussion) started by Phil Ostler also bears some resemblance, but there he controls the clients, whereas in my case, they are arbitrary HTTP clients.

Adam Crownoble

Dec 6, 2012, 2:09:07 PM
to rubycas...@googlegroups.com
Hi James,

I'm afraid I don't have much advice to give to you. But since I ran into your post I just wanted to say thank you for the work you did on casrack_the_authenticator. I know it's been a while since you've updated it but I really appreciated the simple approach you took which wound up being my main source of inspiration for my own Rack CAS middleware (https://github.com/biola/rack-cas).

Hope you can find a good authentication solution that works for your situation.

- Adam