CAS 5.2 return JWT for service


William E.

Apr 11, 2018, 6:40:16 PM
to CAS Community
Hi all,


I am trying to follow the CAS docs to configure a service to return JWTs but not having much success.

Docs I am reading on this:

 


My cas.properties has:

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signing.key=/etc/cas/config/token-signing.jwk
cas.authn.token.crypto.signing.keySize=512
cas.authn.token.crypto.encryption.key=/etc/cas/config/token-encryption.jwk
cas.authn.token.crypto.encryption.keySize=256
cas.authn.token.crypto.alg=AES


JWKs generated per docs:

java -jar jwk-gen.jar -t oct -s 512 >/etc/cas/config/token-signing.jwk
java -jar jwk-gen.jar -t oct -s 256 >/etc/cas/config/token-encryption.jwk

$ file /etc/cas/config/token*
/etc/cas/config/token-encryption.jwk: ASCII text
/etc/cas/config/token-signing.jwk: ASCII text


Using maven overlay, my pom.xml has the following snippet:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-token-tickets</artifactId>
    <version>${cas.version}</version>
</dependency>


My service has the jwt as ticket property:

"properties" : {
  "@class" : "java.util.LinkedHashMap",
  "jwtAsServiceTicket" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
    "values" : [ "java.util.HashSet", [ "true" ] ]
  }
}

In the CAS CLI I can generate a JWT that appears valid. But when I use my service via web browser I see no header or cookie referencing a ticket with a JWT- prefix, nor a JWT-formatted base64 string; I just see the normal ST- ticket. I'm using a simple tomcat webapp with CAS client filters and java-cas-client 3.5.0.

Anyone made JWTs work yet for cas 5.2.3? Any idea what step I missed?

Thanks,
William


Cristina Vlaicu

Apr 12, 2018, 12:43:29 AM
to cas-...@apereo.org
Rhfbc

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2ce63d92-fef6-41c4-9167-9c388f73d3e7%40apereo.org.

William E.

Apr 13, 2018, 9:57:21 PM
to CAS Community
Posting resolution in hopes it may help someone else out.

In cas 5.2 you are supposed to use the property jwtAsServiceTicket, but it looks like there may be a bug in cas where you need to use the (deprecated) jwtAsResponse instead.

"properties" : {
  "@class" : "java.util.HashMap",
  "jwtAsResponse" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
    "values" : [ "java.util.HashSet", [ "true" ] ]
  }
}



Additionally, my bad on this one from misunderstanding the cas documents: cas.authn.token.crypto.encryption.key and cas.authn.token.crypto.signing.key accept key values directly, not file paths to files containing the keys.


Anyway, much thanks to Paul at Unicon for all his help.  Support money well spent.


-William
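As an added example (not from the thread or from the CAS project), a small Python check for the second mistake resolved above: it flags token crypto keys that are configured as file paths, substitutes the `k` member of the generated JWK in their place, and verifies the decoded key length matches the configured keySize (assumed to be in bits, as with jwk-gen's -s). It assumes a standard oct JWK, possibly preceded by a banner line; the file contents below are constructed stand-ins for the real files.

```python
import base64
import json
from pathlib import Path

# Properties from the thread whose values must be key material, not file paths,
# each paired with the property that states its expected size in bits.
KEY_PROPS = {
    "cas.authn.token.crypto.signing.key": "cas.authn.token.crypto.signing.keySize",
    "cas.authn.token.crypto.encryption.key": "cas.authn.token.crypto.encryption.keySize",
}

def parse_properties(text):
    """Minimal key=value parser; comment and blank lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def jwk_k_value(jwk_text):
    """Return the base64url 'k' of an oct JWK; tolerates a banner line before the JSON."""
    jwk = json.loads(jwk_text[jwk_text.find("{"):jwk_text.rfind("}") + 1])
    if jwk.get("kty") != "oct":
        raise ValueError("expected a symmetric (oct) JWK")
    return jwk["k"]

def key_bits(k):
    """Bit length of a base64url key, restoring the padding JWKs omit."""
    return len(base64.urlsafe_b64decode(k + "=" * (-len(k) % 4))) * 8

def check_token_keys(props, read_file=lambda p: Path(p).read_text()):
    """Return (findings, corrected properties) for the token crypto keys."""
    findings, fixed = [], dict(props)
    for prop, size_prop in KEY_PROPS.items():
        value = props.get(prop, "")
        if value.startswith("/") or value.endswith(".jwk"):
            findings.append(f"{prop} is a file path; CAS expects the key value itself")
            value = fixed[prop] = jwk_k_value(read_file(value))
        expected = int(props.get(size_prop, 0))
        if value and expected and key_bits(value) != expected:
            findings.append(f"{prop} is {key_bits(value)} bits but {size_prop}={expected}")
    return findings, fixed

# Constructed sample input: the thread's properties plus two fake JWK files.
SAMPLE_PROPS = "\n".join(f"{p}={v}" for p, v in [
    ("cas.authn.token.crypto.signing.key", "/etc/cas/config/token-signing.jwk"),
    ("cas.authn.token.crypto.signing.keySize", "512"),
    ("cas.authn.token.crypto.encryption.key", "/etc/cas/config/token-encryption.jwk"),
    ("cas.authn.token.crypto.encryption.keySize", "256")])
_b64url = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
SAMPLE_FILES = {
    "/etc/cas/config/token-signing.jwk": json.dumps({"kty": "oct", "k": _b64url(bytes(range(64)))}),
    "/etc/cas/config/token-encryption.jwk": "Full key:\n" + json.dumps({"kty": "oct", "k": _b64url(bytes(32))}),
}

def demo():
    return check_token_keys(parse_properties(SAMPLE_PROPS), SAMPLE_FILES.__getitem__)
```

Running `demo()` reports both keys as file paths and returns a property map with the inline key values that the thread's resolution calls for.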
