CAS SSO to Moodle Web Service token flow


CITLALLI ITZEL SANTIAGO PALMERO

Feb 12, 2026, 2:57:45 PM (14 days ago) Feb 12
to CAS Community
Hi,

I’m validating an integration architecture between CAS, Moodle, and an external application.

Current setup:
- IdP: CAS
- SP: Moodle (CAS-only authentication)
- Client: External web app (not Moodle Mobile)
- Backend: We can run our own BFF/server, but we cannot modify Moodle core/plugins or do deep Moodle server changes.

Goal:
After a student signs in via CAS SSO, our external app should call Moodle Web Services as that same student (e.g., assignment/file operations), ideally using a per-user Moodle WS token.

Constraint:
Because authentication is SSO-based, our app does not collect the student password, so standard Moodle token flows based on username/password are not usable.

Questions:
1) CAS proxying:
   Does CAS Proxy Protocol (PGT/PT) help in this scenario? Can CAS issue something that Moodle can exchange for a user WS token without Moodle custom development?
   Or does CAS impersonation work?

2) Responsibility boundary:
   Is this correct?
   - CAS can assert identity/authentication.
   - Moodle alone controls WS token issuance/acceptance.
   - Therefore CAS cannot directly mint or force Moodle WS user tokens unless Moodle explicitly supports that bridge.

3) Recommended pattern:
   With these constraints, is there a supported pattern (CAS/OIDC/OAuth bridge) to achieve per-user Moodle API access from an external app, or is Moodle-side implementation required?

My current assumption is that this requires Moodle-side support (or a different integration approach), and I want to confirm, as my team keeps pushing that this is a CAS-only problem and I'm so lost.

Thanks.

--------------------------------------------------------------------------------------------------------------

Visit the UAM Azcapotzalco page (https://www.azc.uam.mx)


Ray Bon

Feb 12, 2026, 6:03:49 PM (14 days ago) Feb 12
to cas-...@apereo.org
If the per-user WS token is long lasting, perhaps you could store it as an attribute. CAS could return it to the web app at authentication time.

If the WS token is ephemeral, PGT might work.
When the web app wants to connect to Moodle or the BFF server, it uses the PGT to get a PT from CAS.
The web app will send the PT to the target application with a request (say, a "generate WS token" page).
The target application will validate the PT with CAS and get a userId (and perhaps attributes).
Once validated, Moodle / BFF will / should perform the request as the userId.

So can a user generate their own token (ideally in a single POST, though the above steps could be repeated for a workflow)?

You would have to configure the web app and Moodle / BFF as proxy services in the CAS service registry.

If you are very desperate, there is ClearPass. Heed the warning on this page https://apereo.github.io/cas/7.3.x/integration/ClearPass.html

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/39eb931a-c508-4d85-a207-d152069d62a1n%40apereo.org.
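The PGT/PT exchange Ray sketches above, as an added example that is not part of the thread and is not CAS or Moodle code. It models the three parties in memory: a stand-in CAS server that mints a proxy ticket from a PGT and answers /proxyValidate with CAS-protocol XML, a "BFF" target service that validates the PT and then acts as the returned user, and the web app driving the flow. The endpoint names and XML element names (cas:authenticationSuccess, cas:user, cas:proxies) follow the CAS protocol; the service URLs, ticket formats and the user-to-WS-token map are constructed assumptions, and that map stands in for whatever Moodle-side mechanism actually issued the token, since the example does not change the point that only Moodle issues WS tokens. Beyond the happy path it shows the three checks the target side must not skip: the PT is single-use, it is bound to the service that validates it, and the proxy chain CAS reports must consist only of proxies the target trusts.

```python
"""Added example (not from the thread, CAS or Moodle): in-memory model of the CAS
proxy-ticket flow between a web app (PGT holder), CAS and a BFF target service."""
import secrets
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace of CAS 2.0/3.0 XML responses


def failure_xml(code, msg):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f'<cas:authenticationFailure code="{code}">{msg}</cas:authenticationFailure>'
            "</cas:serviceResponse>")


class FakeCasServer:
    """Stand-in for CAS: holds PGTs and the proxy tickets minted from them."""

    def __init__(self):
        self.pgts = {}  # PGT -> (user, proxy callback URL of the web app holding it)
        self.pts = {}   # PT  -> (user, targetService, proxy chain)

    def grant_pgt(self, user, proxy_callback):
        # Real CAS delivers the PGT to the web app's pgtUrl callback after the web app
        # validates its own service ticket; here it is simply handed back.
        pgt = "PGT-" + secrets.token_urlsafe(16)
        self.pgts[pgt] = (user, proxy_callback)
        return pgt

    def proxy(self, pgt, target_service):
        """GET /cas/proxy?pgt=...&targetService=... -> PT bound to targetService."""
        if pgt not in self.pgts:
            return None
        user, proxy_callback = self.pgts[pgt]
        pt = "PT-" + secrets.token_urlsafe(16)
        self.pts[pt] = (user, target_service, [proxy_callback])
        return pt

    def proxy_validate(self, ticket, service):
        """GET /cas/proxyValidate?ticket=...&service=... -> CAS XML. Tickets are single-use."""
        entry = self.pts.pop(ticket, None)
        if entry is None:
            return failure_xml("INVALID_TICKET", "ticket not recognized or already used")
        user, target, chain = entry
        if target != service:
            return failure_xml("INVALID_SERVICE", "ticket was not issued for this service")
        proxies = "".join(f"<cas:proxy>{p}</cas:proxy>" for p in chain)
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
                f"<cas:user>{user}</cas:user><cas:proxies>{proxies}</cas:proxies>"
                "</cas:authenticationSuccess></cas:serviceResponse>")


class Bff:
    """Target service: validates the PT, checks who proxied it, then acts as that user."""

    def __init__(self, cas, service_url, allowed_proxies, ws_tokens):
        self.cas = cas
        self.service_url = service_url
        self.allowed_proxies = set(allowed_proxies)
        self.ws_tokens = ws_tokens  # user -> Moodle WS token; assumed issued on the Moodle side

    def handle(self, pt):
        root = ET.fromstring(self.cas.proxy_validate(pt, self.service_url))
        ns = {"cas": CAS_NS}
        ok = root.find("cas:authenticationSuccess", ns)
        if ok is None:
            return {"ok": False, "reason": root.find("cas:authenticationFailure", ns).get("code")}
        user = ok.findtext("cas:user", namespaces=ns)
        chain = [p.text for p in ok.findall("cas:proxies/cas:proxy", ns)]
        # A valid PT only proves CAS minted it for some registered proxy; refuse
        # unless every hop in the reported chain is a proxy this service trusts.
        if not chain or any(p not in self.allowed_proxies for p in chain):
            return {"ok": False, "reason": "UNTRUSTED_PROXY"}
        token = self.ws_tokens.get(user)
        if token is None:
            return {"ok": False, "reason": "NO_WS_TOKEN"}
        return {"ok": True, "user": user, "ws_token": token}


WEB_APP = "https://app.example.edu/cas/proxyCallback"      # constructed
OTHER_APP = "https://other.example.edu/cas/proxyCallback"  # constructed
BFF_URL = "https://bff.example.edu/moodle/token"           # constructed


def run_flow():
    """Drive the exchange once; returns (success, replay, wrong service, untrusted proxy)."""
    cas = FakeCasServer()
    bff = Bff(cas, BFF_URL, [WEB_APP], {"student42": "ws-token-for-student42"})
    pgt = cas.grant_pgt("student42", WEB_APP)  # web app already signed the student in via CAS

    pt = cas.proxy(pgt, BFF_URL)               # web app asks CAS for a PT for the BFF
    first = bff.handle(pt)                     # BFF validates the PT and acts as student42
    replay = bff.handle(pt)                    # same PT presented again: must fail

    wrong_service = bff.handle(cas.proxy(pgt, "https://elsewhere.example.edu/"))

    rogue_pgt = cas.grant_pgt("student42", OTHER_APP)  # a proxy the BFF does not trust
    untrusted = bff.handle(cas.proxy(rogue_pgt, BFF_URL))
    return first, replay, wrong_service, untrusted


if __name__ == "__main__":
    for outcome in run_flow():
        print(outcome)
```

In a real deployment the web app and the BFF talk to CAS over HTTPS, the PGT arrives through the web app's registered pgtUrl callback, and both the web app and the BFF must be registered in the CAS service registry with proxying allowed, as Ray notes; the chain check in handle() is the part most often forgotten, because /proxyValidate succeeds for a PT minted by any registered proxy, not just yours.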

CITLALLI ITZEL SANTIAGO PALMERO

Feb 13, 2026, 11:48:12 AM (13 days ago) Feb 13
to CAS Community, Ray Bon

Hi Ray,

Thank you so much for your response. It really sheds light on the problem and the available options.

I'll discuss this with my team to decide the best approach. Thanks again!
