CAS Protocol Specification Question

[John Bellassai]

Hi,

I'm reading the protocol specification here: https://apereo.github.io/cas/5.3.x/protocol/CAS-Protocol-Specification.html.

In Section 2.6.2 there are example XML and JSON responses and a note which reads

when authentication has proceeded through multiple proxies, the order in which the proxies were traversed MUST be reflected in the block. The most recently-visited proxy MUST be the first proxy listed, and all the other proxies MUST be shifted down as new proxies are added. In the above example, the service identified by <https://proxy1/pgtUrl> was visited first, and that service proxied authentication to the service identified by <https://proxy2/pgtUrl>

 The XML example appears to follow this requirement, but the JSON does not. Specifically, the JSON list is [ "https://proxy1/pgtUrl", "https://proxy2/pgtUrl" ], but the way I read the requirement it should be [ "https://proxy2/pgtUrl", "https://proxy1/pgtUrl" ].

Another thing is that I'm having a difficult time visualizing a scenario where authentication would proceed through multiple proxies.  Does anyone have an example scenario to enlighten me?

Thanks!

John