Proxy validation callback check using OPTIONS instead of GET


Pol Dellaiera

Oct 22, 2019, 6:21:59 AM
to CAS Community
Hi all,


This is my first message here, hopefully not the last. I'm not a Java developer, I mostly code in PHP (@drupol on GitHub).

Recently, I've been asked to develop a standard PHP library for CAS authentication (work in progress) and in order to do it, I had to learn how the CAS protocol works.

When developing the proxy callback I noticed that the CAS server is doing a GET request to check if the proxy callback URL is properly working.

My question is the following:

Don't you think that it would be more appropriate to check the existence of the proxy callback URL using a request of type OPTIONS instead of GET?

It would be easier to identify on the client side and ... why not use the proper request type when it exists?
It would also remove the discrepancy when it comes to what the proxy callback URL is supposed to return when it is called (there is currently no documentation about this yet).

Let me know what you think.

Regards.

Pol Dellaiera

Oct 22, 2019, 8:17:18 AM
to CAS Community
I think we could even use a HEAD request, it would be even faster.

Ray Bon

Oct 22, 2019, 11:53:10 AM
to cas-...@apereo.org
Pol,

Before you get too far into your library, have you seen https://github.com/apereo/phpCAS?

The proxy callback URL should be used only for this purpose. CAS only responds to the 200 returned, so maybe a simpler request could work. However, if one had a home-grown web server (or one built into the application), only GET and POST would need to be implemented, thus expanding the usefulness of CAS.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Pol Dellaiera

Oct 22, 2019, 12:56:50 PM
to CAS Community
Hi Ray,

Thanks for the explanation, it's clear and fair enough.

Regarding the existing phpCAS library, we evaluated it already and we would like something simpler, fully tested and unopinionated; this is why I started PSR CAS.

I don't say that phpCAS is bad, far from that, I just say that we would like something smaller, that just does what it's supposed to do, authentication without touching the session or handling the cache.

PSR CAS only uses PSR Interfaces and can be used by any framework without too much effort.

It's a huge work in progress and as I just succeeded in getting a local instance of a CAS server running locally thanks to this tool (with proxy authentication! Yeah!) I will continue the development actively.
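
The callback behaviour discussed in this thread, as an added example that is not part of any post and is not phpCAS or PSR CAS code: a client-side handler that answers the server's bare GET check with 200 and accepts the proxy-granting ticket delivery on the same URL. The function name, the in-memory store and the validation pattern are assumptions; the `pgtId` and `pgtIou` parameter names come from the CAS protocol specification, not from this thread.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: handles one request to the proxy callback URL and
 * returns the HTTP status to send. $store maps pgtIou => pgtId; a real
 * client would use a shared cache with a short lifetime instead of an array.
 */
function handleProxyCallback(string $method, array $query, array &$store): int
{
    // Both the server's check and the ticket delivery arrive as GET.
    if ($method !== 'GET') {
        return 405;
    }

    $pgtId  = $query['pgtId']  ?? null;
    $pgtIou = $query['pgtIou'] ?? null;

    // Bare GET: the server is only checking that the URL answers with 200.
    if ($pgtId === null && $pgtIou === null) {
        return 200;
    }

    // A delivery must carry both values, as plain strings in a conservative
    // character set (assumed pattern; array-valued parameters are rejected).
    $valid = static fn ($v): bool =>
        is_string($v) && preg_match('/^[A-Za-z0-9._-]{1,256}$/', $v) === 1;
    if (!$valid($pgtId) || !$valid($pgtIou)) {
        return 400;
    }

    // The pgtId is a bearer credential: store it, never log or echo it.
    $store[$pgtIou] = $pgtId;
    return 200;
}

// Constructed sample requests (not captured traffic).
$store = [];
$cases = [
    ['GET', []],
    ['GET', ['pgtIou' => 'PGTIOU-1-example', 'pgtId' => 'PGT-1-example']],
    ['GET', ['pgtId' => 'PGT-2-example']],
    ['OPTIONS', []],
];
foreach ($cases as [$method, $query]) {
    $status = handleProxyCallback($method, $query, $store);
    printf("%-7s %-45s => %d\n", $method, http_build_query($query), $status);
}
```

Because the check and the delivery share one method and one URL, the presence of the two parameters is the only thing that tells them apart, which is why the handler validates them before touching the store.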