Newbie question, about CAS proxy and phpCAS


Daniel Hui
Aug 1, 2019, 10:01:28 PM
to CAS Community
Hey guys, I am building an API that requires CAS authentication, and the client which calls the API also needs CAS authentication. After some Googling, I found out that the proxy function suits my use, and I want to implement it using phpCAS in my API and also build a simulated client to test my API for CAS authentication. But I cannot find any practical example on the internet. May I get some help from you guys to show me some examples to implement this? I need some kind of clear logic and clear code to help me understand this. I do not fully understand what a CAS proxy is, and what it can do.

https://apereo.github.io/cas/5.0.x/installation/Configuring-Proxy-Authentication.html

p.s.: I have CAS implementation experience from before, building a website that supports CAS.

Thanks for the help

Doug Campbell
Aug 1, 2019, 10:47:02 PM
to cas-...@apereo.org

Daniel,

Have you taken a look at the phpCAS examples at https://github.com/apereo/phpCAS/tree/master/docs/examples?  They are really detailed with a lot of comments explaining what is happening and even mentioning what things should be for testing and what should be removed when deploying in a production environment.

Doug

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/17c31784-1dd3-43ac-8989-14df184e425f%40apereo.org.


Daniel Hui
Aug 1, 2019, 10:52:05 PM
to CAS Community

Hi Doug,
May I know which examples suit the use for me? One script for the API and another one for the Proxy. Thanks.


Doug Campbell
Aug 1, 2019, 10:57:15 PM
to cas-...@apereo.org

Daniel,

I would recommend “getting your feet wet” first by working with the example_simple.php script.  Make sure to get this one working with your CAS server first and then build from there by working with the example_service.php which could act like your CAS protected API service and example_proxy_GET.php which could act like the client wanting to access your API.

Doug


Daniel Hui
Aug 1, 2019, 11:09:32 PM
to CAS Community
Thanks for the advice, I am trying those scripts, but they are not working. Am I missing something?

Here is my code, with some modifications to the original examples.
example_proxy_GET.php:
<?php
// Proxy-side script: phpCAS authenticates the browser user, receives a PGT through
// the callback, then calls the protected API with a proxy ticket.
require_once('../vendor/autoload.php');
require_once('config.php');   // defines $cas_host, $cas_port, $cas_context

$filename = 'debug.log';      // must be writable by the web server user
phpCAS::setDebug($filename);
phpCAS::setVerbose(true);

// proxy() instead of client(): phpCAS adds pgtUrl to the validation request so the
// CAS server calls this script back with a PGT.
phpCAS::proxy(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context);
phpCAS::setNoCasServerValidation(); // testing only; validate the server certificate in production
phpCAS::forceAuthentication(); // it shows me authentication fails at this line of code
flush();

try {
    $service = phpCAS::getProxiedService(PHPCAS_PROXIED_SERVICE_HTTP_GET);
    $service->setUrl("my_API_URL"); // change it to my API URL to call the API
    $service->send();
    if ($service->getResponseStatusCode() == 200) {
        echo '<div class="success">';
        echo $service->getResponseBody();
        echo '</div>';
    } else {
        echo '<div class="error">';
        echo 'The service responded with a '
            . $service->getResponseStatusCode() . ' error.';
        echo '</div>';
    }
} catch (CAS_ProxyTicketException $e) {
    if ($e->getCode() == PHPCAS_SERVICE_PT_FAILURE) {
        echo '<div class="error">';
        echo "Your login has timed out. You need to log in again.";
        echo '</div>';
    } else {
        throw $e;
    }
} catch (CAS_ProxiedService_Exception $e) {
    echo "test";
    throw $e;
}
?>

example_service.php: (if I just call this directly, it works)
<?php
// Service-side script: the protected API. It validates the ticket presented by the
// caller (a browser's ST, or the proxy's PT) against the CAS server.
require_once '../test/config.php';     // defines $cas_host, $cas_port, $cas_context
require_once('../vendor/autoload.php');

$filename = 'debug.log';
// Write-permission probe. The original line `echo "TEST">$filename;` is a string
// comparison in PHP, not a redirect, and it also sends output before the redirect
// headers phpCAS may need; appending to the file does what was intended.
file_put_contents($filename, "TEST\n", FILE_APPEND);
phpCAS::setDebug($filename);
phpCAS::setVerbose(true);
phpCAS::client(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context); // load from config
phpCAS::setNoCasServerValidation(); // testing only
phpCAS::forceAuthentication();
//phpCAS::allowProxyChain(new CAS_ProxyChain_Any); //I have disabled this because I do not need to chain this service to another service
// Note: phpCAS refuses a proxy ticket whose <cas:proxies> chain is not allowed, so this
// call (or a more specific CAS_ProxyChain) is needed once example_proxy_GET.php calls
// this service with a PT; it is about accepting proxied callers, not chaining onward.

echo '<p>The user\'s login is <b>' . phpCAS::getUser() . '</b>.</p>';
// increment the number of requests of the session and print it
if (!isset($_SESSION['n'])) {
    $_SESSION['n'] = 0;
}
echo '<p>request #' . (++$_SESSION['n']) . '</p>';
?>

Thanks for your kind help and quick reply 

Doug Campbell
Aug 1, 2019, 11:14:12 PM
to cas-...@apereo.org

Did you first get the example_simple.php script working?  If not, do that first.  If you have, I have often found that looking in the debug.log informs me as to what is going wrong and would suggest you look there.  Also, I don’t think you mentioned which version of the CAS server you are running.  If you are running an older version of the CAS server, you may not be running version 3.0 of the CAS protocol.


Daniel Hui
Aug 1, 2019, 11:18:09 PM
to CAS Community
example_simple.php script does run for me with CAS version 3.0. And the debug info doesn't log the request if I am accessing using the URL, it only logs the request if I run it directly using php in the console. Any hints? Or do I need other things to set up properly?

Doug Campbell
Aug 1, 2019, 11:24:23 PM
to cas-...@apereo.org

Perhaps your web server doesn’t have write permissions to the location your debug.log is being written.  Usually it is a good idea to create a subdirectory that gives such rights to the web server and then tell the script to put the debug.log there.  I think a simple workaround for the time being would be to change the permissions on the current debug.log file to give the web server ownership of it.  If the file doesn’t exist yet, touch it, and then transfer ownership.


Daniel Hui
Aug 1, 2019, 11:31:04 PM
to CAS Community
I have checked the log by directly calling the client (example_proxy_GET.php).
And the problem is that when the proxy is trying to send the service URL to register in the CAS server, the pgt is missing. Any hints to solve this problem?

Doug Campbell
Aug 2, 2019, 1:12:32 AM
to cas-...@apereo.org

This is probably the same issue as the debug.log files.  The web server must have the ability to read/write the location where the proxy granting tickets are stored.  There is probably some indication of this in the debug.log.

OR

Did you configure the CAS server to allow this service to proxy authentication?  See https://apereo.github.io/cas/5.0.x/installation/Configuring-Service-Proxy-Policy.html.


Daniel Hui
Aug 2, 2019, 2:53:49 AM
to CAS Community
Sorry, I made some mistakes in the previous reply, let me clarify what I have found now:
Now on the client side (example_proxy_GET.php) I am able to generate the log for each access from the browser.
And I found that when the client is trying to validate the service + ticket, the CAS server responds with INVALID_PROXY_CALLBACK.
What will be the possible cause for this?
Thank you VERY VERY MUCH for helping me solve this issue, this problem has been confusing me for a week.

This is the log after the 2nd login (the first login attempt failed, then I clicked refresh to renew a ticket):
1C47 .START (2019-08-02 14:39:33) phpCAS-1.3.7 ****************** [CAS.php:475]
1C47 .=> phpCAS::proxy('3.0', 'MY_CAS_SERVER', 443, '/cas') [index.php:8]
1C47 .| => CAS_Client::__construct('3.0', true, 'MY_CAS_SERVER', 443, '/cas', true) [CAS.php:410]
1C47 .| | Starting a new session f9ac10f86d86edb204698c756da2059a [Client.php:932]
1C47 .| | Session is not authenticated [Client.php:938]
1C47 .| | Ticket 'ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2' found [Client.php:1015]
1C47 .| <= ''
1C47 .<= ''
1C47 .=> phpCAS::setNoCasServerValidation() [index.php:9]
1C47 .| You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1664]
1C47 .<= ''
1C47 .=> phpCAS::forceAuthentication() [index.php:11]
1C47 .| => CAS_Client::forceAuthentication() [CAS.php:1120]
1C47 .| | => CAS_Client::isAuthenticated() [Client.php:1275]
1C47 .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1387]
1C47 .| | | | neither user nor PGT found [Client.php:1606]
1C47 .| | | <= false
1C47 .| | | CAS 3.0 ticket `ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2' is present [Client.php:1440]
1C47 .| | | => CAS_Client::validateCAS20('', NULL, NULL, false) [Client.php:1443]
1C47 .| | | | [Client.php:3159]
1C47 .| | | | => CAS_Client::getServerServiceValidateURL() [Client.php:3165]
1C47 .| | | | | => CAS_Client::getURL() [Client.php:453]
1C47 .| | | | | | Final URI: MY_CLIENT_URL [Client.php:3528]
1C47 .| | | | | <= 'https://MY_CLIENT/test/'
1C47 .| | | | <= 'https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT'
1C47 .| | | | => CAS_Client::_readURL('https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT', NULL, NULL, NULL) [Client.php:3180]
1C47 .| | | | | => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242]
1C47 .| | | | | | Response Body:
1C47 .| | | | | | <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
1C47 .| | | | | | <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url &#39;MY_CLIENT_URL&#39; could not be authenticated. Either &#39;MY_CLIENT_URL&#39; cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure>
1C47 .| | | | | | </cas:serviceResponse>
1C47 .| | | | | |
1C47 .| | | | | | [CurlRequest.php:84]
1C47 .| | | | | <= true
1C47 .| | | | <= true
1C47 .| | | | => CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 'https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT_URL', false, false, '<cas:serviceResponse xmlns:cas=\'http://www.yale.edu/tp/cas\'> <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url &#39;MY_CLIENT_URL&#39; could not be authenticated. Either &#39;MY_CLIENT_URL&#39; cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure></cas:serviceResponse>', 'INVALID_PROXY_CALLBACK', 'The supplied proxy callback url \'MY_CLIENT_URL\' could not be authenticated. Either \'MY_CLIENT_URL\' cannot be reached, it is not allowed to exercise proxy authentication.') [Client.php:3226]
1C47 .| | | | | => CAS_Client::getURL() [AuthenticationException.php:77]
1C47 .| | | | | <= 'MY_CLIENT_URL'
1C47 .| | | | | CAS URL: https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT_URL [AuthenticationException.php:80]
1C47 .| | | | | Authentication failure: Ticket not validated [AuthenticationException.php:81]
1C47 .| | | | | Reason: [INVALID_PROXY_CALLBACK] CAS error: The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL/' cannot be reached, it is not allowed to exercise proxy authentication. [AuthenticationException.php:97]
1C47 .| | | | | CAS response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
1C47 .| | | | | <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url &#39;MY_CLIENT_URL&#39; could not be authenticated. Either &#39;MY_CLIENT_URL&#39; cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure>
1C47 .| | | | | </cas:serviceResponse>
1C47 .| | | | | [AuthenticationException.php:102]
1C47 .| | | | | exit()
1C47 .| | | | | -
1C47 .| | | | -
1C47 .| | | -

Daniel Hui
Aug 2, 2019, 2:54:36 AM
to CAS Community
Side note: the CAS server is not operated by me, but I think it has the proxy function provided.

Doug Campbell
Aug 2, 2019, 3:05:22 AM
to cas-...@apereo.org

Are you testing this on an internal server that isn’t accessible to the CAS server?

The following is in your debug log:

The supplied proxy callback url &#39;MY_CLIENT_URL&#39; could not be authenticated. Either &#39;MY_CLIENT_URL&#39; cannot be reached, it is not allowed to exercise proxy authentication

If your MY_CLIENT_URL is not accessible from the CAS server then it will not be able to contact the callback server which in your scenario is the same as your client URL.  Either that or the CAS server does not have a service registered for your service API that allows proxy authentication.


Daniel Hui
Aug 5, 2019, 9:19:05 PM
to CAS Community
I found the following sentences in the documentation (https://apereo.github.io/cas/4.2.x/installation/Configuring-Proxy-Authentication.html):
If the callback URL is authorized by the service registry, and if the endpoint is under HTTPS and protected by an SSL certificate, CAS will also attempt to verify the validity of the endpoint’s certificate before it can establish a successful connection. If the certificate is invalid, expired, missing a step in its chain, self-signed or otherwise, CAS will fail to execute the callback.
If I didn't misunderstand this, I have to ask my CAS server to register the proxy service for my CAS proxy implementation domain first? So this is the reason that I am unable to validate the ticket?

Thank you again for your kind help; although my problem is still not solved yet, at least I know I am on the right track in figuring out what is going wrong here.
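The exchange Doug describes (service ticket validation with pgtUrl, the HTTPS callback that delivers the PGT, the /proxy call, and the proxied service checking the chain) is easier to follow in code than in prose. The following Python is an added illustration written for this page, not code from the thread, from phpCAS or from the CAS project: the CasServer class, the proxy_client_flow function and the URLs are constructed stand-ins that model the protocol in memory with no network, and the only input taken from the thread is the INVALID_PROXY_CALLBACK response body from the debug.log above, with its placeholder URLs. It shows why the callback must be both registered with a proxy policy and reachable from the CAS server, why phpCAS needs a writable location for the pgtIou/pgtId pair, and why the service side must allow a proxy chain before it will accept a proxy ticket.

```python
# Toy model of the CAS 3.0 proxy flow (example code, not phpCAS). In memory only, no network.
import secrets
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
ET.register_namespace("cas", CAS_NS)

def tag(name):
    return f"{{{CAS_NS}}}{name}"

def failure_xml(code, message):
    root = ET.Element(tag("serviceResponse"))
    ET.SubElement(root, tag("authenticationFailure"), code=code).text = message
    return ET.tostring(root, encoding="unicode")

def success_xml(user, pgt_iou=None, proxies=()):
    root = ET.Element(tag("serviceResponse"))
    ok = ET.SubElement(root, tag("authenticationSuccess"))
    ET.SubElement(ok, tag("user")).text = user
    if pgt_iou:  # only the IOU travels in the XML; the PGT itself goes to the callback URL
        ET.SubElement(ok, tag("proxyGrantingTicket")).text = pgt_iou
    if proxies:
        chain = ET.SubElement(ok, tag("proxies"))
        for p in proxies:
            ET.SubElement(chain, tag("proxy")).text = p
    return ET.tostring(root, encoding="unicode")

def parse_response(xml_text):
    """Reduce a cas:serviceResponse to a dict, as a client such as phpCAS does."""
    root = ET.fromstring(xml_text)
    fail = root.find(tag("authenticationFailure"))
    if fail is not None:
        return {"ok": False, "code": fail.get("code"), "message": (fail.text or "").strip()}
    ok = root.find(tag("authenticationSuccess"))
    return {"ok": True, "user": ok.findtext(tag("user")), "pgt_iou": ok.findtext(tag("proxyGrantingTicket")),
            "proxies": [p.text for p in ok.iter(tag("proxy"))]}

class CasServer:
    """In-memory stand-in for the CAS server (constructed for this example)."""
    def __init__(self, proxy_allowed, reachable):
        self.proxy_allowed = set(proxy_allowed)  # registry entries whose proxy policy permits a PGT
        self.reachable = set(reachable)          # callback URLs the server can actually connect to
        self.tickets = {}    # ticket -> (kind, user, service, proxy chain)
        self.pgts = {}       # PGT -> (user, callback url)
        self.callbacks = []  # (pgtUrl, pgtIou, pgtId): the GET pgtUrl?pgtIou=..&pgtId=.. deliveries

    def login(self, user, service):
        st = "ST-" + secrets.token_urlsafe(8)
        self.tickets[st] = ("ST", user, service, [])
        return st  # CAS redirects the browser back to service?ticket=<st>

    def _consume(self, ticket, service, kinds):
        entry = self.tickets.pop(ticket, None)  # tickets are single use
        return entry if entry and entry[0] in kinds and entry[2] == service else None

    def validate(self, endpoint, service, ticket, pgt_url=None):
        """/p3/serviceValidate (STs only) or /p3/proxyValidate (STs and PTs, reports the chain)."""
        kinds = ("ST",) if endpoint == "serviceValidate" else ("ST", "PT")
        entry = self._consume(ticket, service, kinds)
        if entry is None:
            return failure_xml("INVALID_TICKET", f"Ticket '{ticket}' not recognized")
        if pgt_url is None:
            return success_xml(entry[1], proxies=entry[3])
        # Both conditions from the thread: a proxy policy in the registry AND a reachable HTTPS callback.
        if pgt_url not in self.proxy_allowed or pgt_url not in self.reachable:
            return failure_xml("INVALID_PROXY_CALLBACK",
                               f"The supplied proxy callback url '{pgt_url}' could not be authenticated.")
        pgt_iou, pgt = "PGTIOU-" + secrets.token_urlsafe(8), "PGT-" + secrets.token_urlsafe(8)
        self.pgts[pgt] = (entry[1], pgt_url)
        self.callbacks.append((pgt_url, pgt_iou, pgt))  # delivered before the XML answer is returned
        return success_xml(entry[1], pgt_iou=pgt_iou, proxies=entry[3])

    def proxy(self, pgt, target):
        """/proxy: trade a PGT for a proxy ticket aimed at target."""
        user, callback = self.pgts[pgt]
        pt = "PT-" + secrets.token_urlsafe(8)
        self.tickets[pt] = ("PT", user, target, [callback])
        return pt

def proxy_client_flow(server, client_url, api_url, user, api_allows_any_chain):
    """Browser -> proxy client -> API, mirroring example_proxy_GET.php calling example_service.php."""
    st = server.login(user, client_url)
    resp = parse_response(server.validate("serviceValidate", client_url, st, pgt_url=client_url))
    if not resp["ok"]:
        return {"stage": "serviceValidate", "code": resp["code"]}
    # The callback endpoint saw pgtIou/pgtId first; phpCAS keeps that pair in a file, which is
    # why the web server needs write access to the PGT storage location.
    iou_to_pgt = {iou: pgt for _, iou, pgt in server.callbacks}
    pt = server.proxy(iou_to_pgt[resp["pgt_iou"]], api_url)
    api = parse_response(server.validate("proxyValidate", api_url, pt))
    if api["proxies"] and not api_allows_any_chain:  # phpCAS without allowProxyChain() refuses this
        return {"stage": "proxyValidate", "code": "PROXY_CHAIN_NOT_ALLOWED"}
    return {"stage": "done", "user": api["user"], "proxies": api["proxies"]}

# Constructed sample: the failure body from the thread's debug.log, URLs kept as placeholders.
LOG_RESPONSE = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationFailure "
                "code=\"INVALID_PROXY_CALLBACK\">The supplied proxy callback url &#39;MY_CLIENT_URL&#39; "
                "could not be authenticated.</cas:authenticationFailure></cas:serviceResponse>")
```

Running proxy_client_flow against a CasServer whose reachable set does not contain the client URL reproduces the INVALID_PROXY_CALLBACK stop at the serviceValidate stage seen in the log; adding the URL to both sets but leaving api_allows_any_chain False reproduces the second trap (the service refusing the chain), and only with both fixed does the API learn the user and the proxy chain.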