
Multiple CAS doesn't seem to be supported #279

Closed
MontyBs opened this issue Feb 27, 2023 · 3 comments

MontyBs commented Feb 27, 2023

Hello,

I have an IdentityServer 4 application that must support multiple CAS configurations.
In order to do that, I iterate through my CAS configuration and add a builder for each one of them:

```csharp
public static AuthenticationBuilder AddCasAuth(this AuthenticationBuilder builder, CasSetting casSetting)
{
   // Scheme must be the company identifier
   builder.AddCAS(casSetting.Scheme, casSetting.DisplayName, options =>
   {
      options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
      options.ServiceTicketValidator = new Cas20ServiceTicketValidator(options);
      options.CasServerUrlBase = casSetting.BaseUrl;
      // required for CAS SingleLogout
      options.SaveTokens = true;

      options.Events = new CasEvents
      {
         OnCreatingTicket = context =>
         {
            // ... Handle the received claims ...
            return Task.CompletedTask;
         },
         OnRemoteFailure = context =>
         {
            // ... Handle the errors ...
            return Task.CompletedTask;
         }
      };
   });

   return builder;
}
```

It works fine for the first element of my collection, but for the ones after, I have the following error after logging in to the CAS server: State invalid or missing.
When I look at the context in the OnRemoteFailure, I find the configuration of the first element of my collection but the CAS login page matches the right element of the collection.

For example:

```json
"CasSettings": [
   {
      "Scheme": "Scheme 1",
      "DisplayName": "First CAS",
      "BaseUrl": "https://domain1/cas"
   },
   {
      "Scheme": "Scheme 2",
      "DisplayName": "Second CAS",
      "BaseUrl": "https://domain2/cas"
   }
]
```

If I try to log in with Scheme 2, I land on the login page at https://domain2/cas; when I validate the form, I am redirected to my error page and the context of OnRemoteFailure has the Scheme 1 configuration (hence the invalid state).

Is it supposed to be supported? Am I missing something here?

Thank you

akunzai (Owner) commented Feb 28, 2023

Hi @MontyBs,

Please specify a different CallbackPath instead of the default path /signin-cas.

```csharp
builder.AddCAS("CAS2", "CAS2", options =>
{
    // Each scheme needs its own callback path so the right handler receives the ticket
    options.CallbackPath = "/signin-cas2";
    options.CasServerUrlBase = builder.Configuration["Authentication:CAS2:ServerUrlBase"];
    options.SaveTokens = builder.Configuration.GetValue("Authentication:CAS2:SaveTokens", false);
    options.Events.OnCreatingTicket = context =>
    {
        // ... Handle the received claims ...
        return Task.CompletedTask;
    };
    options.Events.OnRemoteFailure = context =>
    {
        // ... Handle the errors ...
        return Task.CompletedTask;
    };
});
```

MontyBs (Author) commented Feb 28, 2023

Thank you for your response, it solved my problem.
So each CAS configuration must have a unique CallbackPath that defines which configuration is to be used when the callback is received?

akunzai (Owner) commented Feb 28, 2023

Yes, any ASP.NET auth scheme needs a unique CallbackPath.
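The fix from this thread applied to the reporter's loop, as an added example that is not code from the issue or from the library: one CAS scheme per configuration entry, each with a CallbackPath derived from its scheme name, and a startup check that rejects two schemes ending up on the same path. The `CasSetting` class is constructed to mirror the "CasSettings" JSON above, `signInScheme` is a parameter for the IdentityServer external cookie scheme, and the `GSS.Authentication.CAS.AspNetCore` namespace for `AddCAS` is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using GSS.Authentication.CAS.AspNetCore;   // assumed namespace of the AddCAS extension
using Microsoft.AspNetCore.Authentication;

// Constructed settings type mirroring the "CasSettings" entries from the issue.
public sealed class CasSetting
{
    public string Scheme { get; set; } = "";
    public string DisplayName { get; set; } = "";
    public string BaseUrl { get; set; } = "";
}

public static class CasAuthExtensions
{
    // Registers one CAS scheme per setting, each with its own CallbackPath. With every
    // handler left on the default "/signin-cas", the first registered handler claims
    // every callback, which is the "State invalid or missing" failure reported above.
    public static AuthenticationBuilder AddMultipleCas(
        this AuthenticationBuilder builder,
        IEnumerable<CasSetting> settings,
        string signInScheme)
    {
        var usedPaths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var setting in settings)
        {
            // Derive a URL-safe segment from the scheme name: "Scheme 2" -> "/signin-cas-scheme-2".
            var slug = new string(setting.Scheme.ToLowerInvariant()
                .Select(c => char.IsLetterOrDigit(c) ? c : '-').ToArray()).Trim('-');
            var callbackPath = $"/signin-cas-{slug}";

            // Fail at startup rather than at the first login: two schemes sharing a
            // callback path would silently reproduce the routing problem from the issue.
            if (!usedPaths.Add(callbackPath))
                throw new InvalidOperationException(
                    $"CallbackPath '{callbackPath}' is used by more than one CAS scheme.");

            builder.AddCAS(setting.Scheme, setting.DisplayName, options =>
            {
                options.SignInScheme = signInScheme;      // e.g. IdentityServer's external cookie scheme
                options.CallbackPath = callbackPath;      // unique per scheme
                options.CasServerUrlBase = setting.BaseUrl;
                options.SaveTokens = true;                // needed for CAS single logout
            });
        }
        return builder;
    }
}
```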
