CAS and OAuth interoperability


Lewis Henderson

Nov 15, 2016, 7:31:45 AM
to CAS Community
Everything is Spring Cloud based.

I have a CAS 5.0.0 service sitting behind a Zuul Gateway.

All the OAuth secured applications work properly!


I have an external CAS client that needs to talk to an OAuth resource server behind Zuul via a proxyTicket.

The CAS client successfully authenticates against the Gateway and receives its proxyTicket and needs to now get a Bearer token to talk to the resource server.

How do I go about this? Is the proxyTicket equivalent to the Bearer token, can I just pass that on?

I'm so close!!!!



Cheers

Lewis Henderson

Nov 15, 2016, 9:11:01 AM
to CAS Community
Ok,

So after trying with a new proxyTicket, it fails with 

2016-11-15T13:54:11.561707727Z java.lang.ClassCastException: Ticket [PT-74-1LaIaLLzAZaJBte9SXzU-f63a5c259f31 is of type class org.apereo.cas.ticket.ProxyTicketImpl when we were expecting interface org.apereo.cas.ticket.accesstoken.AccessToken

understandably!

So, now the question is, how do I swap a CAS ticket for an OAuth token?


Cheers

Dmitriy Kopylenko

Nov 15, 2016, 9:23:50 AM
to cas-...@apereo.org, Lewis Henderson
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d1b7a656-07e7-41f4-8088-098b4815b245%40apereo.org.

Lewis Henderson

Nov 15, 2016, 10:04:06 AM
to CAS Community, lewis.h...@cobraflow.com, dkopy...@unicon.net
Hi Dmitriy,

I'm not sure how that will help me.

I'm in an application that has currently authenticated and the SecurityContextHolder contains a CasAuthenticationToken.

The application is also 'wired' for OAuth.

I would like to forward the current request on to an OAuth2 resource service. I assume that I need to remove the ticket parameter and add a Bearer authorization header. It is the value of this header that I need to retrieve.

It would be nice if I could do it in a similar way to the CasAuthenticationToken.getAssertion().getPrincipal().getProxyTicketFor("xxxxxxx") does for cas proxy tickets...


Cheers

Dmitriy Kopylenko

Nov 15, 2016, 11:11:02 AM
to cas-...@apereo.org, Lewis Henderson, lewis.h...@cobraflow.com
That would probably be a question for Jérôme

D.



Lewis Henderson

Nov 15, 2016, 1:19:01 PM
to CAS Community, lewis.h...@cobraflow.com, dkopy...@unicon.net
Probably the cleanest way of doing this is to create RunAsManagers. One to convert an OAuth2Authentication to a CasAuthenticationToken and one to do the opposite.

Does anyone think that this is the correct method? 

Jérôme LELEU

Nov 15, 2016, 5:32:51 PM
to CAS Community, lewis.h...@cobraflow.com, Dmitriy Kopylenko
Hi,

About CAS and OAuth interoperability, I would not try to change a proxy ticket into an access token or any other conversion (though I think this may be achieved as they carry similar information).

The point is that the OAuth UI flows (authorization code, implicit) delegate the login process to CAS, so if you are already CAS authenticated, you will be automatically authenticated for OAuth.

Does it help?

Thanks.
Best regards,
Jérôme



Lewis Henderson

Nov 16, 2016, 2:36:43 AM
to CAS Community
Thanks for jumping in Jerome.

I have the situation where I have OAuth secured resources behind a Zuul edge gateway. The gateway is secured by CAS (OAuth & CAS). I now need a CAS secured application to be able to talk to an OAuth resource server behind the gateway.

So far, the external application authenticates successfully and retrieves its proxy ticket ready to talk to the resource server. In theory, I could also secure the resource server with CAS to accept the proxy ticket, but this is just duplicating the work. The application is already authenticated with the gateway and has been able to get a proxy ticket for the resource server. It seems that I should be able to just 'pass the authentication' on.

Would JWT be a solution if conversion to an OAuth token is not a good idea?

Jérôme LELEU

Nov 16, 2016, 5:59:53 AM
to CAS Community
Hi,

You may change your CAS-secured application into an OAuth-secured application to directly retrieve an access token, but in any case, you'll need to check this access token via the CAS server from the OAuth resource server.
So indeed, using JWT is a way to pass identity from one app to the other, without requiring a third-party to validate the identity.

Best regards,
Jérôme


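
Editor's note (added example, not code from this thread or from the Apereo CAS project): the two ideas above, Lewis's description of stripping the `ticket` parameter and adding a Bearer `Authorization` header before forwarding, and Jérôme's point that a JWT lets the resource server check identity without calling the CAS server, together describe one concrete gateway design. The following Python sketches it end to end: the gateway validates the proxy ticket once, mints a short-lived HS256 JWT, and forwards the request; the resource server verifies that JWT locally. The HMAC key, issuer and audience strings, the `/p3/proxyValidate` XML responses, and the request URL are all constructed assumptions; the HTTPS call to CAS is replaced by passing the response XML in, so the code runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# Assumptions for the example: an HMAC key shared by gateway and resource server,
# plus issuer/audience strings agreed between them (none of these come from the thread).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://gateway.example.test"
AUDIENCE = "orders-resource-server"

# Constructed /p3/proxyValidate responses, shaped like the CAS protocol XML.
SAMPLE_PROXY_VALIDATE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>lewis</cas:user>
    <cas:proxies><cas:proxy>https://app.example.test/pgtCallback</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_PROXY_VALIDATE_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_proxy_validate(xml_text):
    """Return (user, proxy chain) from a proxyValidate response, or raise on failure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code") if failure is not None else "UNKNOWN"
        raise ValueError("proxy ticket rejected by CAS: " + code)
    user = success.findtext("cas:user", namespaces=CAS_NS)
    proxies = [p.text for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    return user, proxies


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key):
    """HS256-sign the claims; only the gateway mints, only holders of the key can verify."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + "." + payload
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, key, now=None):
    """Check alg, signature, issuer, audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuses alg=none and algorithm substitution
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def gateway_forward(incoming_url, incoming_headers, cas_response_xml, now=None, ttl=60):
    """Strip the ticket parameter, validate it, and forward with a Bearer JWT instead.
    A live gateway would GET <cas>/p3/proxyValidate?service=...&ticket=PT-... over TLS;
    here the CAS answer is passed in so the example runs offline."""
    parts = urlparse(incoming_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if not query.pop("ticket", None):
        raise ValueError("no proxy ticket on request")
    user, proxies = parse_proxy_validate(cas_response_xml)
    now = time.time() if now is None else now
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": user,
              "iat": int(now), "exp": int(now) + ttl, "cas_proxies": proxies}
    headers = {k: v for k, v in incoming_headers.items() if k.lower() != "authorization"}
    headers["Authorization"] = "Bearer " + mint_jwt(claims, SHARED_KEY)
    return urlunparse(parts._replace(query=urlencode(query, doseq=True))), headers


def resource_server_authn(headers, now=None):
    """Resource-server side: accept only a valid Bearer JWT, with no call back to CAS."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    return verify_jwt(token, SHARED_KEY, now=now)


if __name__ == "__main__":
    url, hdrs = gateway_forward("https://gw.example.test/api/orders?ticket=PT-1-constructed&page=2",
                                {"Accept": "application/json"}, SAMPLE_PROXY_VALIDATE_OK)
    print(url, resource_server_authn(hdrs)["sub"])
```

The proxy chain returned by `proxyValidate` is carried into the JWT as `cas_proxies` so the resource server can still apply the per-proxy authorisation it would otherwise apply to the raw proxy ticket; the short `exp` limits what a leaked bearer token is worth, which matters because, unlike the proxy ticket, it is not single-use.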

Lewis Henderson

Nov 16, 2016, 8:55:00 AM
to cas-...@apereo.org
Jerome,

The CAS secured application is from a third party that I cannot modify.

On the JWT front, I like the idea of this behind the gateway. I understand from the website that CAS JWT support is 'read only' in that it does not generate JWTs. Is generation on the roadmap?

Are there any examples of JWT in action that I can reference?


Cheers

Lewis Henderson
Director
CobraFlow Limited

M: 0788 7788 436
Skype: CobraFlow


Misagh Moayyed

Nov 16, 2016, 10:10:25 AM
to cas-...@apereo.org

There have been several requests on this, so I think it’s safe to say that JWT generation can of course be on the roadmap, provided you file an issue, make the request and explain the use case in as much detail as possible. If you are also able and willing to participate in the feature development/testing, that would also be a major plus for “roadmap” items to be accepted and released.  

--Misagh
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
