Force Reauthentication for OAuth Protocol CAS 5.3.x


Justin Isenhour

Jul 24, 2019, 5:14:21 PM
to CAS Community
Hello,

We have a new application that we have set up SSO with using OAuth protocol.  This application has some HIPAA related information and they have a concern around the logout handling for their application.  The basic flow is as follows:  User goes to the site, user isn't authenticated and gets redirected to CAS login page. User authenticates and ends up at application.  When the user logs out of that application the app sessions are destroyed but CAS session still exists.  If the user (or some other user) goes back to the app, because they still have a valid SSO session, the user is not challenged for credentials and gets right back into the app.  Is there a way to force a service to require authentication every time?  I found a blog article describing force reauth using CAS protocol but I do not see support for this in OAuth.  Is there a way to achieve this currently for OAuth services?

Thanks,
Justin Isenhour

Ray Bon

Jul 24, 2019, 5:58:11 PM
to cas-...@apereo.org
Justin,

Your application can call /cas/logout when it destroys its local session (if you can edit the application or its config).

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Justin Isenhour

Jul 24, 2019, 8:26:58 PM
to CAS Community
Hey Ray,

Thanks for the suggestion.  I had considered that; my concern with this approach is that it would end the SSO session for the user across the board, forcing them to reauthenticate for all apps, not just this one.  This may end up being the solution but my hope is to find a solution that will force a single OAuth service to authenticate every time while allowing other services to continue with SSO.

Andy Ng

Jul 25, 2019, 11:13:59 AM
to CAS Community
Hi Justin,

I think when you say CAS protocol, you can use ssoEnabled (https://apereo.github.io/cas/5.3.x/installation/Configuring-Service-Access-Strategy.html) to enable / disable sso.

I have once altered CAS to make OAuth protocol also support ssoEnabled, although it is a bit of a hack so I didn't bother submitting a PR.

Unfortunately, I don't have the modified code at hand so I am just going to explain my flow to you in text; see if it will help you:

- First, why this ssoEnabled didn't work for OAuth service is because the ssoEnabled specified in your actual service (let's say: https://www.example.com/oauth-service) didn't actually take effect
   - It is the generic OAuth service (i.e. https://www.your-cas-server.com/cas/oauth2.0/...) that is generated by CAS that looks at the ssoEnabled flag
- In other words, normally if you make your service https://www.example.com/oauth-service: ssoEnabled=false, it will have no effect
   - But if you override the generated OAuth service, which is https://www.your-cas-server.com/cas/oauth2.0/.. (I forget the exact path...), and set ssoEnabled=false, ssoEnabled will be disabled as expected

- But here's a tricky point: You won't always want all OAuth to be ssoEnabled=false
   - So what I did was, in the place where CAS service looks at ssoEnabled, I do some calculation and replace the https://www.your-cas-server.com/cas/oauth2.0/... ssoEnabled settings that would be seen with the https://www.example.com/oauth-service settings.
   - This way, the ssoEnabled defined for https://www.example.com/oauth-service will also take effect as expected.


See if others have a better method to do this OAuth Force Reauthentication, because I think my method is kind of dirty, so if there are better methods you should use those first.

Hope this info helps you.

Cheers!
- Andy
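To make the first, unmodified part of Andy's description concrete, here is an added example (not from the thread or from the CAS project) of a JSON service-registry entry in the CAS 5.3 format that overrides the generated OAuth callback service and sets ssoEnabled to false on it. The serviceId regex, the CAS host name and the numeric id are assumptions; the `DefaultRegisteredServiceAccessStrategy` class and the `ssoEnabled` flag are the ones documented on the linked access-strategy page.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://www.your-cas-server.com/cas/oauth2.0/.*",
  "name" : "OAuth Callback url",
  "id" : 10000002,
  "evaluationOrder" : 0,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : false
  }
}
```

Because this entry matches every OAuth authorize request, it forces a fresh login for all OAuth clients, which is exactly the blanket behaviour Andy warns about; setting ssoEnabled=false on the application's own OAuthRegisteredService entry instead has no effect in stock 5.3, so per-client scoping is the part that required his code change.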
