OAuth protocol: Access Token referencing expired TGT

Nathan Cailbourdin

May 24, 2024, 10:54:09 AM
to CAS Community
Hello everyone,

We are developing a mobile application that uses CAS to connect to all of our services. To maintain the CAS connection, we use the OAuth protocol and retrieve an RT, AT, and TGT during the initial login.

If needed, the connection can then be renewed using the RT, which allows us to obtain a new AT. On the other hand, we use the TGT to authenticate across all of our services, which are already configured to work with the CAS server via the CAS protocol (and not the OAuth protocol).

Thus, in our mobile application, we use webviews and pass the TGT as a cookie to the webview to access our services once logged in (which works correctly).

However, we encounter a problem during the AT renewal. When we renew it, we do get a new AT, but it refers to the initial TGT (the one from the first login), and after a certain amount of time this TGT is no longer valid according to its expiration policy.

We find CAS’s behavior in this regard to be strange: when the TGT is expired, it is removed from the ticket registry, but when the AT is renewed, the TGT (even if expired) is stored back in the ticket registry, even though it is invalid.
Thus, if we use the TGT, it is detected as invalid and is removed from the ticket registry, but the AT still refers to it.

Is this behavior normal and expected? What do you recommend for persistent authentication on a mobile application? We found the OAuth protocol to be suitable, but maybe there is a better approach. We are using CAS 7.0.4.

Thank you in advance for your assistance.

Best regards
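As an added illustration, not code from the post and not CAS source: a small Python model of the ticket lifecycle the post describes. The names (`Registry`, `Ticket`, `needs_full_login`) and the lifetimes are assumptions. It replays the sequence on a constructed clock: a refresh well inside the TGT lifetime is harmless, a refresh after the TGT has been evicted still succeeds because the RT is long-lived, and the new AT points at a TGT that is rejected the moment it is actually presented. The last function is the kind of client-side guard a mobile app can apply before reusing the TGT cookie in a webview.

```python
"""Constructed model of the lifecycle described in the post (added example,
not CAS code): a toy registry with a TGT under an assumed fixed lifetime, an
access token (AT) and refresh token (RT) that both reference it, a cleaner
that evicts expired tickets, and a refresh grant that mints a new AT from the RT.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed lifetimes in seconds; real values come from the CAS expiration policy.
TGT_MAX_TTL = 8 * 3600
AT_TTL = 30 * 60
RT_TTL = 14 * 24 * 3600


@dataclass
class Ticket:
    id: str
    created: int                    # seconds on a constructed clock
    ttl: int
    tgt: Optional["Ticket"] = None  # granting TGT; None for the TGT itself

    def expired(self, now: int) -> bool:
        return now - self.created >= self.ttl


@dataclass
class Registry:
    tickets: Dict[str, Ticket] = field(default_factory=dict)
    counter: int = 0

    def _new_id(self, prefix: str) -> str:
        self.counter += 1
        return f"{prefix}-{self.counter}"

    def login(self, now: int):
        """Initial login: a TGT plus an AT and an RT that reference it."""
        tgt = Ticket(self._new_id("TGT"), now, TGT_MAX_TTL)
        at = Ticket(self._new_id("AT"), now, AT_TTL, tgt)
        rt = Ticket(self._new_id("RT"), now, RT_TTL, tgt)
        for t in (tgt, at, rt):
            self.tickets[t.id] = t
        return tgt, at, rt

    def cleanup(self, now: int) -> None:
        """Registry cleaner: evict every expired ticket."""
        for tid in [t.id for t in self.tickets.values() if t.expired(now)]:
            del self.tickets[tid]

    def refresh(self, rt_id: str, now: int) -> Ticket:
        """Refresh grant as the post describes it: the RT still carries its TGT,
        the new AT is bound to that TGT, and the TGT object is written back into
        the registry whether or not it is still valid."""
        rt = self.tickets[rt_id]
        if rt.expired(now):
            raise PermissionError("refresh token expired")
        self.tickets[rt.tgt.id] = rt.tgt
        at = Ticket(self._new_id("AT"), now, AT_TTL, rt.tgt)
        self.tickets[at.id] = at
        return at

    def tgt_usable(self, tgt_id: str, now: int) -> bool:
        """When the TGT cookie is actually presented, an expired TGT is
        detected, evicted and rejected even though an AT still references it."""
        tgt = self.tickets.get(tgt_id)
        if tgt is None:
            return False
        if tgt.expired(now):
            del self.tickets[tgt_id]
            return False
        return True


def needs_full_login(tgt_issued_at: int, now: int,
                     tgt_ttl: int = TGT_MAX_TTL, margin: int = 60) -> bool:
    """Client-side guard (assumed policy the app knows, not something CAS
    reports): once the TGT is within `margin` seconds of its lifetime, do a
    full re-login instead of refreshing the AT and reusing the old TGT cookie."""
    return now - tgt_issued_at >= tgt_ttl - margin


def scenario() -> dict:
    """Replay the sequence from the post on a constructed clock."""
    reg = Registry()
    t0 = 1_000_000
    tgt, _at, rt = reg.login(t0)

    t1 = t0 + 2 * AT_TTL          # well inside the TGT lifetime
    reg.cleanup(t1)
    at2 = reg.refresh(rt.id, t1)

    t2 = t0 + TGT_MAX_TTL + 60    # past the TGT lifetime, RT still valid
    reg.cleanup(t2)
    gone = tgt.id not in reg.tickets
    at3 = reg.refresh(rt.id, t2)  # succeeds and re-stores the stale TGT
    back = tgt.id in reg.tickets
    usable = reg.tgt_usable(tgt.id, t2)

    return {"t0": t0, "t1": t1, "t2": t2, "tgt_id": tgt.id,
            "at2_tgt": at2.tgt.id, "at3_tgt": at3.tgt.id,
            "tgt_gone_after_cleanup": gone,
            "tgt_back_after_refresh": back,
            "tgt_usable_after_refresh": usable}


if __name__ == "__main__":
    print(scenario())
```

The model only reproduces the observation in the post; it does not claim this is how the CAS registry is implemented. The practical point it shows is that a refresh token outliving the TGT cannot, by itself, keep a CAS-protocol session alive, so an app that reuses the TGT as a webview cookie needs its own re-login trigger tied to the TGT's policy rather than to the AT's.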