CAS authentication fails #162

Closed
holman opened this Issue Feb 2, 2011 · 6 comments

2 participants

@holman
holman commented Feb 2, 2011

I'm (still) upgrading to beta2, and while LDAP is looking good, CAS is erroring out. From Jasig's CAS server:

2011-02-01 18:16:37,477 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: test]
2011-02-01 18:16:37,477 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-11-20NcRofqRoKekacRnbK3-cas] for service [http://[hostname]/auth/cas/callback] for user [test]
2011-02-01 18:16:37,487 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-11-20NcRofqRoKekacRnbK3-cas] with service [http://[hostname]/auth/cas/callback does not match supplied service [http://[hostname]/auth/cas/callback?ticket=ST-11-20NcRofqRoKekacRnbK3-cas]

So apparently there's a validation between service URLs. CAS did work for me previously without issue, and while I haven't touched anything CAS-related, there haven't been many OmniAuth changes either, which is strange.

If I strip out this line in CAS::Configuration#service_validate_url and instead just return url, that seems to fix Jasig:

2011-02-01 18:26:14,219 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: test]
2011-02-01 18:26:14,220 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-12-cdAMO5kHhOlP0dPpAFgh-cas] for service [http://[hostname]/auth/cas/callback] for user [test]

...but OmniAuth's callback still redirects it to /auth/failure:

127.0.0.1 - - [01/Feb/2011 18:26:14] "GET /auth/cas/callback?ticket=ST-12-cdAMO5kHhOlP0dPpAFgh-cas HTTP/1.0" 302 - 0.0350
127.0.0.1 - - [01/Feb/2011 18:26:15] "GET /auth/failure?message= HTTP/1.0" 200 19910 1.5880

Happen to have run into this at all before? I'm pretty puzzled here.

@holman
holman commented Feb 3, 2011

For what it's worth, I tried this from the barebones Sinatra example on the wiki (my changes are here). This was on the latest (3.4.5) Jasig's CAS server — and 3.3.5 for good measure — and it still generates the same error:

2011-02-02 16:01:36,429 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-1-2OrmetoVyLFtzDWlkz1A-cas] with service [http://localhost:4567/auth/cas/callback does not match supplied service [http://localhost:4567/auth/cas/callback?ticket=ST-1-2OrmetoVyLFtzDWlkz1A-cas]

That's about as barebones and standardized as I can get; it certainly seems like CAS is broken on beta2 right now.

@holman
holman commented Feb 12, 2011

Aha. Finally traced the cause.

module OmniAuth
  module Strategy
    def callback_url
      full_host + callback_path #+ query_string
    end
  end
end

The addition of query_string to callback_url looks like it causes all of the issues with CAS. Commenting it out "fixes" CAS, although that's not preferable for, you know, all of the other strategies, I'm sure.

@jamesarosen

I'm working on this, but I'm having a really hard time getting that Sinatra app to run. I keep getting undefined method `to_i' for #<OmniAuth::Builder:0x1023f1e90>.

@jamesarosen

Strike that. It's a Sinatra .rb file, not a Rack .ru file.

@jamesarosen

I've figured it out; I just haven't figured out how to write the test.

@jamesarosen

Resolved in 31cb192

@sergioazevedo sergioazevedo pushed a commit to intelie/omniauth that referenced this issue Jun 8, 2011
James A. Rosen CAS: strip ticket from service URL [#162] 31cb192
This issue was closed.
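
The mismatch in the CAS logs above and the "strip ticket from service URL" approach, as an added example that is not OmniAuth's code and not the contents of commit 31cb192. The module and method names are hypothetical, the CAS base URL in the test is constructed, and the `/serviceValidate` endpoint with `service` and `ticket` parameters is taken from the CAS protocol.

```ruby
require 'uri'

# Added example, not OmniAuth's code. All names here are hypothetical.
module CasServiceUrl
  module_function

  # Return the callback URL without the CAS `ticket` parameter.
  # Other query parameters are kept, in their original order, so
  # strategies that rely on the query string are not affected.
  def strip_ticket(url)
    uri = URI.parse(url)
    return url if uri.query.nil?

    pairs = URI.decode_www_form(uri.query).reject { |key, _| key == 'ticket' }
    uri.query = pairs.empty? ? nil : URI.encode_www_form(pairs)
    uri.to_s
  end

  # Build the validation request. The `service` value must be the URL the
  # ticket was granted for, so the ticket is removed from it and sent only
  # as its own parameter.
  def service_validate_url(cas_base, callback_url, ticket)
    query = URI.encode_www_form(service: strip_ticket(callback_url), ticket: ticket)
    "#{cas_base.chomp('/')}/serviceValidate?#{query}"
  end

  # Model of the server-side check visible in the ERROR log line:
  # the supplied service has to equal the granted service exactly.
  def service_matches?(granted, supplied)
    granted == supplied
  end
end
```

Because the server compares the two service strings exactly, the URL sent with the login redirect has to be produced in the same form as the one sent at validation.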