Accessing Rails API using a single access token via CAS


Phil Ostler

May 17, 2012, 7:07:26 PM
to rubycas...@googlegroups.com
I'm currently designing and prototyping the architecture for a web application that comprises three parts: a RESTful API (JSON, XML) interface served from a Rails app, a Backbone.js application supported by a second Rails app, and an Android application that accesses data via the API.

Whereas the usual process of authenticating the user (redirecting to the login page) will work for the Backbone.js application, I want to use a single access token from the Android application to authenticate the user. I can see how upon first use the Android app would require a username and password, passing back from the CAS server additional information that would contain the pre-generated single access token. What I can't work out is how I would pass the single access token along with a request from the client and have that authenticated against CAS without redirecting to a login page etc.

What I need to know is whether this is possible with CAS, or whether there is a method that is more the "CAS way" that I can use to achieve the same result.

I've experimented with Devise and the CAS plugin devise_cas_authenticatable but this appears to be broken with the latest version of Devise. Ideally I want to use sorcery with my own implementation of single access token generation, all hooked up to CAS. I'm very new to CAS and what it can do so I'm trying to sound out what's possible first and then I'll contribute back to rubycas-client and sorcery if any new development is required that I'm able to code up.

Thanks in advance

Matt Zukowski

May 17, 2012, 8:03:29 PM
to rubycas...@googlegroups.com
You might be able to do it via proxy ticketing. This is a more advanced aspect of the CAS protocol whereby your Android application (or any other third party) would be given the right to request service tickets on behalf of the user.

CAS proxy ticketing might be a bit tough to get one's head around at first... this walkthrough might also be helpful: http://www.jasig.org/cas/proxy-authentication

RubyCAS-Server supports CAS proxying, but you will probably have to set up an additional mini-server to handle the proxy callback part. Basically this means creating a blank Rails application to run this controller: https://github.com/rubycas/rubycas-client/blob/master/lib/casclient/frameworks/rails/cas_proxy_callback_controller.rb

You might also be able to run that from within your main Rails app, but you will probably have to enable asynchronous request processing, otherwise you end up with deadlocks. (I personally haven't tried this since Rails 2.x so the situation may have changed).
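An added illustration of the three legs Matt Z outlines above (the pgtUrl callback, the validation response that carries the pgtIou, and the /proxy request that yields a proxy ticket). This is not code from the thread or from rubycas-client; the network calls are left out, the XML answers are constructed samples, and the callback path, ticket values and in-memory store are assumptions.

```ruby
# Added example (not from this thread or from rubycas-client): the three legs of
# the CAS 2.0 proxy handshake, with the network calls left out and the CAS
# server's XML answers supplied as constructed samples.
require 'rexml/document'
require 'uri'

CAS_NS = { 'cas' => 'http://www.yale.edu/tp/cas' }

# Leg 1: after the app validates a service ticket with a pgtUrl parameter, the
# CAS server contacts that callback URL with pgtIou and pgtId. The app keeps the
# pair; the same pgtIou also appears in the validation response (leg 2), which
# is how the two are joined. A real deployment needs a shared store (DB/Redis)
# because the callback and the validation response arrive on separate requests,
# which is why the app must serve requests concurrently.
class ProxyCallbackStore
  def initialize
    @pgts = {}
  end

  # Returns true when a well-formed callback was recorded. The protocol requires
  # the callback to be HTTPS, so a plaintext callback is refused, not trusted.
  def receive_callback(callback_url)
    uri = URI.parse(callback_url)
    return false unless uri.scheme == 'https'
    params = URI.decode_www_form(uri.query.to_s).to_h
    iou = params['pgtIou'].to_s
    pgt = params['pgtId'].to_s
    return false unless iou.start_with?('PGTIOU-') && pgt.start_with?('PGT-')
    @pgts[iou] = pgt
    true
  end

  # Resolves a pgtIou to its PGT exactly once; a second lookup returns nil.
  def pgt_for(iou)
    @pgts.delete(iou)
  end
end

# Leg 2: parse a /serviceValidate or /proxyValidate response. Returns nil on
# authenticationFailure; otherwise the user, the pgtIou and any proxy chain.
def parse_validation(xml)
  doc = REXML::Document.new(xml)
  ok = REXML::XPath.first(doc, '//cas:authenticationSuccess', CAS_NS)
  return nil unless ok
  {
    user: REXML::XPath.first(ok, 'cas:user', CAS_NS)&.text,
    pgt_iou: REXML::XPath.first(ok, 'cas:proxyGrantingTicket', CAS_NS)&.text,
    proxies: REXML::XPath.match(ok, 'cas:proxies/cas:proxy', CAS_NS).map(&:text)
  }
end

# Leg 3: the URL the app fetches to obtain a proxy ticket for a target service,
# and the parser for the answer (nil on proxyFailure).
def proxy_request_url(cas_base_url, pgt, target_service)
  query = URI.encode_www_form('pgt' => pgt, 'targetService' => target_service)
  "#{cas_base_url}/proxy?#{query}"
end

def parse_proxy_response(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.first(doc, '//cas:proxySuccess/cas:proxyTicket', CAS_NS)&.text
end

# Constructed sample responses; all ticket values are made up.
SAMPLE_VALIDATION_XML = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
      <cas:user>phil</cas:user>
      <cas:proxyGrantingTicket>PGTIOU-1-example</cas:proxyGrantingTicket>
    </cas:authenticationSuccess>
  </cas:serviceResponse>
XML

SAMPLE_PROXY_XML = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:proxySuccess>
      <cas:proxyTicket>PT-1-example</cas:proxyTicket>
    </cas:proxySuccess>
  </cas:serviceResponse>
XML

SAMPLE_PROXY_FAILURE_XML = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:proxyFailure code='INVALID_TICKET'>ticket PGT-bogus not recognized</cas:proxyFailure>
  </cas:serviceResponse>
XML
```

Run together, the pieces read as: the callback is recorded, the validation response hands back the pgtIou, the store swaps it for the PGT, and the PGT goes into the /proxy URL whose answer is parsed for the proxy ticket. The one-shot `pgt_for` and the HTTPS check are the two defensive details worth keeping whatever store you use.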

Matt Campbell

May 17, 2012, 9:11:42 PM
to rubycas...@googlegroups.com
Phil, as Matt Z suggests, proxy ticketing is the way to go. You don't need a separate app for that; you just need to ensure your app can service multiple requests concurrently. Unicorn and Passenger (and pow if you are developing on OS X) all do this and are all easy to use.

One important thing to note about proxy ticketing is that it is expensive. If you do a new proxy ticket for each API request, you actually get a total of 3 requests instead of 1. To get around this, you could use the proxy ticketing mechanism to establish a secure token for the Android app. This is what you do with a browser: in that case the CAS login is used to establish your session and the secure token is your session cookie.

I have no knowledge of sorcery, so I can't comment on how it fits in at this time. I'll see if I can take a look tomorrow or this weekend.

Matt

Sent from my mobile device
--
You received this message because you are subscribed to the Google Groups "RubyCAS" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubycas-server/-/-HMNQNucheAJ.
To post to this group, send email to rubycas...@googlegroups.com.
To unsubscribe from this group, send email to rubycas-serve...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubycas-server?hl=en.
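An added example of the token approach Matt Campbell describes: the proxy ticket is validated against CAS once, the API then mints its own bearer token for the Android client, and every later request is checked locally instead of costing three CAS round trips. This is not code from the thread, from rubycas-client or from sorcery; the store, the 24-hour lifetime and the header format are assumptions.

```ruby
# Added example (not from this thread, rubycas-client or sorcery): exchange a
# CAS-validated identity for an app-issued API token, then authenticate requests
# against that token without contacting CAS again.
require 'securerandom'
require 'digest'

class ApiTokenStore
  TOKEN_TTL = 24 * 60 * 60 # seconds; an assumption, tune to your risk appetite

  # The clock is injectable so expiry can be exercised deterministically.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @records = {} # SHA-256 of token => { user:, expires_at: }
  end

  # Called once, after /proxyValidate has confirmed the proxy ticket and returned
  # the user name. The raw token is shown to the client exactly once; only its
  # digest is kept, so a leaked store does not hand out usable tokens.
  def issue(user)
    token = SecureRandom.urlsafe_base64(32)
    @records[digest(token)] = { user: user, expires_at: @clock.call + TOKEN_TTL }
    token
  end

  # Per-request check: returns the user name for a live token, or nil.
  # Looking up by digest rather than raw token means hash-table timing can only
  # reveal something about the digest, which does not help recover the token.
  def authenticate(token)
    return nil if token.nil? || token.empty?
    key = digest(token)
    rec = @records[key]
    return nil unless rec
    if rec[:expires_at] <= @clock.call
      @records.delete(key)
      return nil
    end
    rec[:user]
  end

  # Lets the client (or an admin) invalidate a token before it expires.
  def revoke(token)
    !@records.delete(digest(token)).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Extracts the token from an "Authorization: Bearer <token>" header value
# (header format is an assumption); nil for anything else.
def bearer_token(header_value)
  m = /\ABearer\s+(\S+)\z/.match(header_value.to_s)
  m && m[1]
end
```

In a Rails controller this sits in a before filter: `bearer_token(request.headers['Authorization'])` feeds `authenticate`, and a nil result gets a 401. Expired entries are dropped on first touch; a periodic sweep would keep the store from growing with tokens that are never presented again.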

Phil Ostler

May 18, 2012, 6:15:16 AM
to rubycas...@googlegroups.com
Thank you both for your replies. I'll take a look into proxy ticketing, try and get my head around it, and see if it fits well into my proposed design.

Phil