CAS 5.3.x - TGT as JWT on REST Protocol


K Devops

Jun 28, 2019, 10:33:24 AM
to CAS Community
Hi, I've configured CAS to return the TGT as a JWT by adding this dependency to the Maven overlay:
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-rest-tokens</artifactId>
    <version>${cas.version}</version>
</dependency>

Info:


I've configured CAS to return a JWT Signed with HS512.
ST granting works fine (with standard TGT).

Every time I try to get a TGT in JWT with the following REST call:
POST /cas/v1/tickets HTTP/1.0

username=battags&password=password&token=true&additionalParam1=paramvalue


I receive this error:
Unauthorized Service Access. Service [] is not found in service registry.

If I omit or set the token param to "false", the standard TGT is granted correctly.

What's wrong with that?


Thank you very much


Bye

K

Ray S

Sep 17, 2019, 10:28:13 PM
to CAS Community
Hi there,

Did you manage to fix the issue?

I got the same error with CAS 5.3.12. I tried to request JWT service tickets in version 6.0.5, and 6.1.0-RC4 as well, and got the exact same error.

Thanks
Ray

Cemal Önder

Dec 16, 2019, 3:32:59 AM
to CAS Community
I get the same error too, and when I debug the application, I see that the problem happens because when we request a JWT the following code runs:

    val registeredService = payload.getRegisteredService() == null
        ? locateRegisteredService(serviceAudience)
        : payload.getRegisteredService();
    RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);

which calls locateRegisteredService with serviceAudience set to your CAS instance (http://localhost:8080/cas). That is not registered as a service in my case, so RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService); throws the exception. My question is, should we then inject our CAS instance as a service too? Inside the DefaultServicesManager class, orderedServices has http://localhost:8095/bouncer/oauth2.0/callbackAuthorize.*, which makes me think: should there not be a service for the CAS protocol too?

Francisco Castel-Branco

Dec 19, 2019, 6:44:08 AM
to cas-...@apereo.org
You probably should configure the host that is making the POST request as a CAS authorized service

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8d49ac0b-62c2-49a1-9226-bad6b34571e1%40apereo.org.


--
Francisco Castel-Branco

Cemal Önder

Dec 20, 2019, 1:46:06 AM
to CAS Community
Core dev Misagh Moayyed mentioned that this is a bug: https://stackoverflow.com/questions/59368162/cas-rest-protocol-does-not-work-without-generic-service-definition/

So a solution is to register your CAS instance(s) as a service until the bug is resolved. (This is for the case where you don't use a generic service regex, which was my case, so the CAS instance was not matching a registered service, which was throwing the exception.)
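
The lookup discussed in this thread, as an added Python model that is not CAS code and not part of any post: it assumes JSON service definitions in the RegexRegisteredService format, full-match regex semantics, and constructed patterns (the entry for the CAS prefix is a hypothetical workaround definition). It shows the JWT audience being rejected by a registry that holds only the OAuth callback pattern, and accepted once a narrowly scoped entry for the CAS prefix is added.

```python
import json
import re

# Constructed registry: this entry mirrors the OAuth callback pattern quoted
# in the thread; ids, names and evaluation orders are made up for the example.
OAUTH_ONLY = [json.dumps({
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "http://localhost:8095/bouncer/oauth2.0/callbackAuthorize.*",
    "name": "OAuth callback", "id": 1, "evaluationOrder": 0,
})]
# Hypothetical workaround entry: matches only the CAS server prefix itself.
CAS_PREFIX_ENTRY = json.dumps({
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^http://localhost:8080/cas(/.*)?$",
    "name": "CAS server (REST JWT audience)", "id": 2, "evaluationOrder": 1,
})


def locate_registered_service(definitions, service_url):
    """Return the first definition, by evaluationOrder, whose serviceId matches."""
    services = sorted((json.loads(d) for d in definitions),
                      key=lambda s: s.get("evaluationOrder", 0))
    for svc in services:
        # Assumption: the whole URL must match the pattern (full-match semantics).
        if re.fullmatch(svc["serviceId"], service_url):
            return svc
    return None


def ensure_service_access_is_allowed(definitions, service_url):
    """Model of the check in the thread: no matching service means rejection."""
    svc = locate_registered_service(definitions, service_url)
    if svc is None:
        raise PermissionError(
            "Unauthorized Service Access. Service [] is not found in service registry.")
    return svc["name"]
```

Keep the added pattern scoped to the CAS prefix: a catch-all such as `^https?://.*` would also make the error go away, but it authorizes every service URL.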

Appify

Dec 20, 2019, 9:51:11 AM
to cas-...@apereo.org
What do you mean by service definition as CAS prefix?

On Fri, 20 Dec 2019, 2:46 pm Cemal Önder, <cemal.on...@gmail.com> wrote:
Core dev Misagh Moayyed mentioned that this is a bug: https://stackoverflow.com/questions/59368162/cas-rest-protocol-does-not-work-without-generic-service-definition/

So a solution is to register your CAS instance(s) as a service until the bug is resolved. (This is for the case where you don't use a generic service regex, which was my case, so the CAS instance was not matching a registered service, which was throwing the exception.)
