Why does the phpCAS client get a </head> tag in the XML response?


Agustín Ezequiel Pereyra

Dec 1, 2021, 6:48:38 AM
to CAS Community
Hello,

I don't know if this problem belongs to this group, or to the phpCAS GitHub. If you consider I should post an issue in the GitHub repo of the phpCAS tool, please tell me.

I have a basic CAS 6.4.2 server running under the URL https://mycas.com. I also have a basic PHP client that I'm trying to connect to it using the CAS 3 protocol. This PHP app uses the official phpCAS client (https://github.com/apereo/phpCAS), version 1.4.0.

I can use this Apereo CAS instance to secure connections to other NodeJS apps, but when I try to connect to the php app, it fails while trying to verify the Service Ticket. Note that the verification fails while trying to verify the ticket, not before. It correctly receives the ST when the user is verified against Apereo CAS.


The error message that the php app logs is:

```
PHP Warning: DOMDocument::loadXML(): Extra content at the end of the document in Entity, line: 1 in /usr/local/src/php-cas-client-example/composer-example/vendor/jasig/phpcas/source/CAS/Client.php on line 3426

Ticket not validated

Reason: bad response from the CAS server CAS response:

<head/><cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess>
    <cas:user>XXX</cas:user>
    <cas:attributes>
        <cas:clientIpAddress>XXX</cas:clientIpAddress>
        <cas:isFromNewLogin>false</cas:isFromNewLogin>
        <cas:authenticationDate>2021-11-29T13:53:40.699600Z</cas:authenticationDate>
        <cas:successfulAuthenticationHandlers>
            RestAuthenticationHandler
        </cas:successfulAuthenticationHandlers>
        <cas:userAgent>XXX</cas:userAgent>
        <cas:credentialType>
            UsernamePasswordCredential
        </cas:cre

in /usr/local/src/php-cas-client-example/composer-example/vendor/jasig/phpcas/source/CAS/Client.php on line 3428
```

From that error, and the warning that comes before it (in the first line of the logs), I understand that the problem is with the </head> tag, which turns the XML into a malformed response. What seems weird to me is that this closing tag doesn't seem to appear when I access the NodeJS app that is authenticated by the same Apereo CAS instance (also using version 3 of the CAS protocol).

I also filtered the responses that CAS sent to both the NodeJS app (that works) and the php app (that doesn't), using tcpdump. Both look the same, so Apereo CAS isn't changing the way it answers the apps (not like I expected that, just to confirm that the problem seems to be on the phpCAS <-> Apereo CAS interaction).


What I have tried to troubleshoot the problem: 

  • Changing the CAS protocol version from 3 to 2 -> didn't solve anything
  • Using older versions of the phpClient (1.3.5 and 1.3.8 specifically)  -> didn't solve anything
  • Modifying the attributes that Apereo CAS should send to the php app (through the JSON used in the service registry)  -> didn't solve anything
  • Using an older version of Apereo CAS (5.2.x). -> This one actually seems to work, but I can't find why. And using a version of Apereo CAS that is that old is not an option

What I ask then

How can I solve my problem of the phpCAS client receiving that </head> tag? Is it something about how I configured the Apereo CAS server, or the phpCAS client? Or something else?

Any help would be appreciated,


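An added example, not part of the original post and not phpCAS code: it reproduces the `DOMDocument::loadXML()` failure on a body shaped like the one quoted above and reports what sits in front of the expected root. An XML document has exactly one root element, so a leading `<head/>` is parsed as the complete document and the `cas:serviceResponse` that follows becomes "extra content". The function name `diagnoseCasResponse` and both sample bodies are constructed for illustration.

```php
<?php
// Added diagnostic example; names and sample bodies are constructed, not taken from phpCAS.
const CAS_NS = 'http://www.yale.edu/tp/cas';

function diagnoseCasResponse(string $body): array
{
    $prev = libxml_use_internal_errors(true);   // collect parser errors instead of PHP warnings
    $dom = new DOMDocument();
    $ok = $body !== '' && $dom->loadXML($body); // false on any fatal well-formedness error

    $errors = [];
    foreach (libxml_get_errors() as $e) {
        $errors[] = sprintf('line %d col %d: %s', $e->line, $e->column, trim($e->message));
    }
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Whatever precedes the expected root is what the parser sees first.
    $pos = strpos($body, '<cas:serviceResponse');
    $prefix = $pos === false ? null : trim(substr($body, 0, $pos));

    // A validation response is only acceptable if the root is cas:serviceResponse
    // in the CAS namespace; anything else must be rejected, not repaired.
    $root = $ok ? $dom->documentElement : null;
    $rootOk = $root !== null
        && $root->localName === 'serviceResponse'
        && $root->namespaceURI === CAS_NS;

    return [
        'well_formed'          => $ok,
        'root_is_cas_response' => $rootOk,
        'content_before_root'  => $prefix,
        'parser_errors'        => $errors,
    ];
}

// Constructed sample bodies modelled on the response quoted in the post.
$good = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
      . "<cas:authenticationSuccess><cas:user>XXX</cas:user></cas:authenticationSuccess>"
      . "</cas:serviceResponse>";
$bad = "<head/>" . $good;

foreach (['good' => $good, 'bad' => $bad] as $label => $body) {
    echo $label, ': ', json_encode(diagnoseCasResponse($body), JSON_PRETTY_PRINT), PHP_EOL;
}
```

Running the same function on the raw body captured with tcpdump and on the body phpCAS logs shows whether the extra element is present on the wire or is introduced between the socket and the parser.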