Connect middleware for node CAS client
Clone or download
Jason Templeton
Jason Templeton 1.8.1
Latest commit 1d87a5e Jan 24, 2018
Failed to load latest commit information.
example Example app with CAS-authenticated login, display of the CAS username… May 18, 2014
.travis.yml Added travis.yml Oct 7, 2015
LICENSE Update LICENSE Aug 7, 2013 Merge pull request #29 from boutell/master Feb 11, 2016
index.js fixing tests, forgot -> req.session.user is a breaki… Feb 4, 2014

Build Status

Connect CAS

Connect cas is a connect-based middleware that allows you to authenticate through a CAS 2.0+ server. It supports the gateway auth, single sign-out, and proxying other CAS clients.

Adapted from


npm install connect-cas


Many of these options are borrowed from node's url documentation. You may set global options through the .configure() method or override them with any of the exposed middleware.

  • procotol The protocol to communicate with the CAS Server. Defaults to 'https'.
  • host CAS server hostname
  • port CAS server port number. Defaults to 443.
  • gateway Send all validation requests through the CAS gateway feature. Defaults to false.
  • paths
    • serviceValidate Path to validate TGT
    • proxyValidate Path to validate PGT (not implemented)
    • proxy Path to obtain a proxy ticket
    • login Path to the CAS login


var cas = require('connect-cas');
var connect = require('connect');

  .use(connect.cookieParser('hello world'))
  .use(connect.cookieSession()) // or whatever session store

Complete Example

A more complete example of a simple Express app that uses CAS for login, displays the CAS username, and offers a logout link can be found in the example folder. You'll need to copy example/app.js to your own folder and install its dependencies:

npm install express
npm install connect-cas

Express is required only for the example app. It is not required for connect-cas.

Proxy Tickets

To proxy services, you can configure the serviceValidate middleware like below:

  .use(cas.serviceValidate({pgtUrl: '/pgtCallback'}))
  .use(cas.proxyTicket({targetService: 'https://service-to-proxy/blah'});

The proxy granting ticket value will be available in req.session.pgt and a hash of proxy tickets are available in You may then append that proxy ticket manually to the services you wish to proxy. To reuse the proxy tickets, see #25.

You may also pass in an absolute url if you wish for the pgtCallback to be in a separate app. If so, pass in an additional pgtFn:

.use(cas.serviceValidate({pgtUrl: '', pgtFn:function(pgtIou, cb){
  // given the pgtIou, retrieve the pgtId however you can.  Then call ...
  cb(err, 'PGT-thepgtid');


  • If you are behind an https proxy, be sure to set X-Forwarded-Proto headers. Connect-cas uses it to infer its own location for redirection.