Rest API Service Ticket Validation Issue


John Stevens II

Jun 17, 2016, 2:44:46 PM
to CAS Community
Need some insight on how to properly use the Rest API.

I have a simple php application below castest.php:

<?php

require_once '/var/www/sites/CAS-1.3.4/CAS.php';

// Write phpCAS debug output to its default log file.
phpCAS::setDebug();
// Enable verbose error messages. Disable in production!
phpCAS::setVerbose(true);
// Initialize phpCAS against the CAS 2.0 protocol endpoints under https://access.example.com/cas
phpCAS::client(CAS_VERSION_2_0, 'access.example.com', 443, '/cas');

// Skips verification of the CAS server's TLS certificate. Test-only: in production
// pin the CA with phpCAS::setCasServerCACert() so tickets are never validated
// against an impersonated CAS server.
phpCAS::setNoCasServerValidation();

// Force CAS authentication: redirect to the CAS login page when there is no session,
// otherwise validate the ticket= parameter on this request against /serviceValidate.
phpCAS::forceAuthentication();

echo "It worked";
?>

Visiting the php page in the browser works with no problem, I'm able to authenticate and access the content with no problem.

I can POST to my server's REST URL to get my TGT:

Posting form data:
username=Randomuser&password=Randompassword

To:

Data (TGT) returned is:

Posting form data:
service=http%3A%2F%2Ftest.example.com%2Fcastest.php

To:
0000: 53 54 2D 32  31 2D 79 47  59 69 57 6E  63 45 62 65  | ST-21-yGYiWncEbe |
0010: 70 78 78 71  33 4B 6E 78  4F 52 2D 63  61 73 32 2E  | pxxq3KnxOR-cas2. |
0020: 69 6E 6D 61  72 2E 63 6F  6D                        | example.com      |


All is good so far. I have my TGT and ST, so now I should be able to access my castest.php site. I do a GET request on this URL with my ticket as a parameter:

Get:
<html><head><title>CAS Authentication failed!</title></head><body><h1>CAS Authentication failed!</h1><p>You were not authenticated.</p><p>You may submit your request again by clicking <a href="http://test.example.com/castest.php">here</a>.</p><p>If the problem persists, you may contact <a href="mailto:root@localhost">the administrator of this site</a>.</p><hr><address>phpCAS 1.3.4 using server <a href="https://access.example.com/cas/">https://access.example.com/cas/</a> (CAS 2.0)</a></address></body></html><br />
<b>Fatal error</b>:  Uncaught exception 'CAS_AuthenticationException' in /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php:3234
Stack trace:
#0 /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php(1419): CAS_Client-&gt;validateCAS20('https://access....', '\n\n&lt;cas:serviceR...', Object(DOMElement), false)
#1 /var/www/sites/vmbuild/CAS-1.3.4/CAS.php(1127): CAS_Client-&gt;isAuthenticated()
#2 /var/www/sites/vmbuild/castest.php(21): phpCAS::isAuthenticated()
#3 {main}
  thrown in <b>/var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php</b> on line <b>3234</b><br />

Another thing I've tried was to use the validation URL to validate the ticket that way, but it says the ticket is not recognized:

Get or Post:
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationFailure code="INVALID_TICKET">
</cas:authenticationFailure>
</cas:serviceResponse>


I just need to validate service tickets with/for the REST API; any help would be appreciated.



Dmitriy Kopylenko

Jun 17, 2016, 2:49:08 PM
to John Stevens II, CAS Community
By the time the /serviceValidate with ST is called, the ST lifetime has expired (10 seconds default). Increase the ST TTL on the CAS server to something longer, but reasonable and see if it helps.

Best,
D.


Ray Bon

Jun 17, 2016, 2:57:44 PM
to cas-...@apereo.org
Are you typing the requests (copy/paste)? If so, you may need to increase the ticket expiration. STs expire in 10 seconds by default. Try 30 seconds.

See: bean id="serviceTicketExpirationPolicy"

Ray
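The bean Ray points at is fed, in a CAS 4.x overlay, by two entries in cas.properties. The fragment below is an added example and not from the thread; the property names are the ones in the CAS 4.x cas.properties template as I recall them (an assumption worth checking against your own overlay), and the 30-second value is Ray's suggestion. Keep the window as short as a scripted client can tolerate: the same TTL that lets a copy/pasted ticket arrive in time also bounds how long a ticket leaked from a log or a URL stays usable.

```properties
# Service ticket expiration policy (CAS 4.x cas.properties; shipped defaults shown commented out)
# st.timeToKillInSeconds=10
# st.numberOfUses=1

# Long enough for a scripted REST client to go from POST /v1/tickets/{TGT} to GET /serviceValidate.
st.timeToKillInSeconds=30
# Leave at one use: an ST is meant to be consumed by a single validation, whatever its TTL.
st.numberOfUses=1
```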

John Stevens II

Jun 17, 2016, 3:09:33 PM
to CAS Community, jstev...@gmail.com, dkopy...@unicon.net
OK, that may work. Is that the recommended way to verify service tickets for the REST API (without using the PHP client), or should I not be relying on the actual client?



Misagh Moayyed

Jun 17, 2016, 3:42:22 PM
to CAS Community

/serviceValidate.

 

John Stevens II

Jun 17, 2016, 4:12:16 PM
to CAS Community, mmoa...@unicon.net
Thank you, I've increased the service ticket timeout value and was able to validate a ticket via /serviceValidate but I can only validate the ticket once.

If I am using the CAS REST API to authenticate APIs that we develop, I would want to verify that the service ticket is valid on every call to our APIs. How do I achieve this, or is there another recommended way to achieve this?

I see the option st.numOfUses for service tickets but not sure if unlimited is a valid option or if it's even recommended.

Ray Bon

Jun 17, 2016, 4:41:47 PM
to cas-...@apereo.org
An ST is (should be) validated only once and for only one service. Each service will go through the CAS dance, passing in the TGT and service URL, to receive its own ST.
If a third application needs to authenticate to your API, look at proxying, https://apereo.github.io/cas/4.2.x/installation/Configuring-Proxy-Authentication.html

Ray
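The three ticket rules behind Dmitriy's and Ray's replies (an ST expires after 10 seconds by default, it is consumed by a single validation, and it is good only for the service it was issued for) as an added example; this is not code from the thread, from phpCAS or from the CAS server. The `CasServer` class is a constructed in-memory stand-in for a CAS 4.x server so the flow runs offline: the endpoint paths in its docstrings are the real REST and validation endpoints, the user, password and hostnames are taken from the thread, and the ticket values and the injectable clock (used so the expired case can be shown without sleeping) are made up for the example.

```python
"""CAS REST ticket flow and the service ticket rules the thread runs into.
Added example, not code from the thread, phpCAS or CAS. CasServer is a constructed
in-memory stand-in for a CAS 4.x server so this runs offline; ticket values are made up."""
import secrets
import time
import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
ST_TTL_SECONDS = 10     # CAS default (st.timeToKillInSeconds)
ST_NUMBER_OF_USES = 1   # CAS default (st.numberOfUses): one validation per ST
_ENVELOPE = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">{}</cas:serviceResponse>'


def _failure(code, message):
    return _ENVELOPE.format(f'<cas:authenticationFailure code="{code}">{message}</cas:authenticationFailure>')


def _success(user):
    return _ENVELOPE.format(f"<cas:authenticationSuccess><cas:user>{user}</cas:user></cas:authenticationSuccess>")


class CasServer:
    """Stand-in for the REST ticket endpoints plus /serviceValidate (real paths in the docstrings)."""

    def __init__(self, users, clock=time.monotonic):
        self.users, self.clock = users, clock   # clock is injectable so the demo need not sleep
        self.tgts = {}   # TGT id -> username
        self.sts = {}    # ST id -> [tgt, service, issued_at, uses_left]

    def create_tgt(self, username, password):
        """POST /cas/v1/tickets (username, password) -> 201, Location header ends in the TGT."""
        if self.users.get(username) != password:
            raise PermissionError("401 Unauthorized")
        tgt = "TGT-1-" + secrets.token_urlsafe(24)
        self.tgts[tgt] = username
        return tgt

    def create_st(self, tgt, service):
        """POST /cas/v1/tickets/{TGT} (service) -> 200, response body is the ST."""
        if tgt not in self.tgts:
            raise PermissionError("404 Not Found: TGT unknown or expired")
        st = "ST-1-" + secrets.token_urlsafe(24)
        self.sts[st] = [tgt, service, self.clock(), ST_NUMBER_OF_USES]
        return st

    def service_validate(self, service, ticket):
        """GET /cas/serviceValidate?service=..&ticket=.. -> CAS 2.0 XML."""
        entry = self.sts.get(ticket)
        if entry is None or self.clock() - entry[2] > ST_TTL_SECONDS or entry[3] <= 0:
            self.sts.pop(ticket, None)   # unknown, expired or used up: one and the same error
            return _failure("INVALID_TICKET", f"ticket '{ticket}' not recognized")
        tgt, bound_service = entry[0], entry[1]
        if bound_service != service:     # an ST is good for the one service it was issued for
            return _failure("INVALID_SERVICE", f"ticket '{ticket}' not valid for '{service}'")
        entry[3] -= 1
        if entry[3] == 0:
            del self.sts[ticket]         # consumed by this validation
        return _success(self.tgts[tgt])

    def delete_tgt(self, tgt):
        """DELETE /cas/v1/tickets/{TGT} -> logout; no further STs for this TGT."""
        self.tgts.pop(tgt, None)


def build_validate_url(cas_base, service, ticket):
    """The validation URL a real client requests (service must match the ST's)."""
    return f"{cas_base}/serviceValidate?" + urllib.parse.urlencode({"service": service, "ticket": ticket})


def parse_service_response(xml_text):
    """Return (user, None) on authenticationSuccess, (None, code) on authenticationFailure."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        return ok.findtext("cas:user", namespaces=CAS_NS), None
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return None, fail.get("code")
    raise ValueError("not a CAS 2.0 serviceResponse")


def demo():
    """Walk the thread's flow; advancing the constructed clock stands in for hand-pasting."""
    now = [0.0]
    cas = CasServer({"Randomuser": "Randompassword"}, clock=lambda: now[0])
    service = "http://test.example.com/castest.php"
    tgt = cas.create_tgt("Randomuser", "Randompassword")

    st = cas.create_st(tgt, service)
    first = parse_service_response(cas.service_validate(service, st))
    second = parse_service_response(cas.service_validate(service, st))   # same ST again

    st = cas.create_st(tgt, service)
    now[0] += ST_TTL_SECONDS + 1                                           # validated too late
    stale = parse_service_response(cas.service_validate(service, st))

    st = cas.create_st(tgt, service)
    wrong = parse_service_response(cas.service_validate("http://other.example.com/", st))

    cas.delete_tgt(tgt)
    try:
        cas.create_st(tgt, service)
        after_logout = "issued"
    except PermissionError:
        after_logout = "refused"
    return {"first": first, "second": second, "stale": stale,
            "wrong_service": wrong, "after_logout": after_logout}
```

`demo()` reproduces the two failures from the thread: the second validation of the same ST and a validation that arrives after the TTL both come back as `INVALID_TICKET`, indistinguishable from a ticket that never existed, which is why a hand-pasted ticket and a reused ticket produce the same `cas:authenticationFailure`. Against a real server the client would issue the HTTP requests named in the docstrings and feed the XML body into `parse_service_response` unchanged.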

John Stevens II

Jun 19, 2016, 5:28:45 PM
to CAS Community, rb...@uvic.ca
Well, not necessarily a third application. All I really want to accomplish here is to be able to authenticate a user via the CAS REST API (which I can), be able to validate that user via the CAS REST API multiple times (which I can't), and be able to log the user out via the CAS REST API (which I can).

Is proxying necessary for this functionality?

Misagh Moayyed

Jun 20, 2016, 9:23:38 AM
to CAS Community

Why multiple times? What's the story there?

--Misagh

John Stevens II

Jun 20, 2016, 10:04:16 AM
to CAS Community, mmoa...@unicon.net
My thinking is, if I have developers who build APIs and want to integrate CAS (not for SSO but for centralized authentication), then a user who wants to use the developer's API would authenticate with CAS via the CAS REST API, possibly request an ST, then use that ST to access the developer's API on every call to the developer's API. I say every call (multiple times) because you would need a way to verify that the user session is still valid, right? Otherwise you would have to authenticate the user on every call to the developer's API vs. just verifying a ticket. Maybe I'm thinking about this the wrong way?

Misagh Moayyed

Jun 20, 2016, 10:55:33 AM
to CAS Community

You’re thinking about this the right way; just not execution wise. You can have an ST be valid multiple times of course as this is controlled by its policy. However, what you’re really doing is treating an ST like an OAuth access token, which it isn’t….or it’s not meant to be. Your better options are to use proxying where you get a PGT, and you get PTs based on that PGT you get. (The PGT becomes your access token).

 

Or you just use the OAuth support...or some other form of non-interactive AuthN.

 

Dmitriy Kopylenko

Jun 20, 2016, 11:01:04 AM
to Misagh Moayyed, CAS Community
Just want to add on top of what Misagh said: the REST support in CAS is very limited to producing just TGTs and STs. IMHO, for service-to-service "non human interactive" authentication support (REST services for example) some protocol other than the CAS protocol is more appropriate, e.g. OAuth (as Misagh mentioned it already).

Best,
D.

John Stevens II

Jun 20, 2016, 1:31:12 PM
to CAS Community, mmoa...@unicon.net, dkopy...@unicon.net
Thank you for breaking it down further, it makes sense now.

John Stevens II

Jun 20, 2016, 1:32:50 PM
to CAS Community, mmoa...@unicon.net
Thanks for the help Misagh, I'll try and implement the OAuth support. I appreciate the explanation, now it makes sense why I couldn't get things working the way I thought they should be.

John Stevens II

Jun 20, 2016, 5:21:24 PM
to CAS Community, mmoa...@unicon.net
So I enabled oauth support but it looks like the user will be required to login via the GUI. 

I do see in the development branch (CAS OAuth Dev Link) for v5 that you can specify grant_type and use resource owner to return an access token.

Can this be done in v4? Would love to use this option.

Misagh Moayyed

Jun 21, 2016, 10:59:46 AM
to CAS Community

It can be done. There are no plans to port this back, but if you’re willing to do the work that’s perfectly fine.

 

John Stevens II

Jun 21, 2016, 2:08:45 PM
to CAS Community, mmoa...@unicon.net
Misagh,

If the release date for version 5 is far off then I wouldn't mind doing the work; otherwise I'd wait. If so, then a point in the right direction with respect to the changes that need to be made would be helpful.

Thanks

Misagh Moayyed

Jun 21, 2016, 2:16:08 PM
to CAS Community

I don’t know what far off would be to you. See https://github.com/apereo/cas/milestones

 

Basically, examine how 5 works. Make sure it actually works! Then port back. It will probably be easier if you just started with 5 now and tested it. M2 is now available.

 

John Stevens II

Jun 21, 2016, 2:54:11 PM
to CAS Community, mmoa...@unicon.net
3 months isn't that long to wait. I want to get the system into production but not a potentially unstable version. I'll move forward with v4.2 and they'll just have to wait for v5 for the new oauth feature. 

Thanks again for all the help.