Skip to content
Node.js module with CAS strategy for Passport.
JavaScript Shell
Branch: master
Clone or download
Pull request Compare This branch is even with KTH:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Cas authentication strategy for Passport based but modified from

Migrating from <= 2.x to 3.x

We are now whitelisting the redirect url (nextUrl param) to only allow relative paths actually owned by the application. When upgrading you need to provide these in the initialising of this package.

Add proxyPrefixPath to route handler-init (normally in server.js):

  casLoginUri: config.proxyPrefixPath.uri + '/login',
  casGatewayUri: config.proxyPrefixPath.uri + '/loginGateway',
  proxyPrefixPath: config.proxyPrefixPath.uri, // <-------------- here
  server: server

Also add proxyPrefixPath to redirect (normally in authentication.js):

  ldapConfig: config.ldap,
  ldapClient: ldapClient,
  proxyPrefixPath: config.proxyPrefixPath.uri, // <-------------- here
  unpackLdapUser: function (ldapUser, pgtIou) {
    return {
      username: ldapUser.ugUsername,
      displayName: ldapUser.displayName,
      email: ldapUser.mail,
      pgtIou: pgtIou,
      // This is where you can set custom roles
      isAdmin: hasGroup(config.auth.adminGroup, ldapUser),
      isSupport: hasGroup(config.auth.supportGroup, ldapUser),
      isSchema: hasGroup(config.auth.schemaGroup, ldapUser)



Passport style authentication strategy implemented for login through KTH CAS.


const passport = require('passport')
const Strategy = require('kth-node-passport-cas').Strategy
const log = require('kth-node-log')

const casOptions = {
  ssoBaseURL: '',
  serverBaseURL: '',
  log: log

const strategy = new Strategy(casOptions,
  function (logOnResult, done) {
    return done(null, logOnResult.user, logOnResult)



Passport style authentication strategy implemented to check if user is logged in through KTH CAS.

const passport = require('passport')
const GatewayStrategy = require('kth-node-passport-cas').GatewayStrategy
const log = require('kth-node-log')

passport.use(new GatewayStrategy({
  casUrl: ''
}, function (result, done) {
  done(null, result.user, result)


Get a proxy ticket from CAS-service. Returns a promise.

Call signature:

const getProxyTicket = require('kth-node-passport-cas').getProxyTicket

getProxyTicket (casService, pgtId, targetService)
  .then((ticket) => {
    // do something...
  .catch((err) => {
    // do something...

Express Route Handlers

Express route handlers used for KTH CAS authentication.

const ldapConfig = { ... } // Object structure can be found in kth-node-configuration
const COOKIE_TIMEOUT = 5 // in seconds. The cookie timeout determines how long a user is considered "anonymous"

const ldap = require('kth-node-ldap')
const ldapClient =  ldap.createClient({
  url: ldapConfig.uri,
  timeout: ldapConfig.timeout,
  connectTimeout: ldapConfig.connecttimeout,
  maxConnections: ldapConfig.maxconnections,
  bindDN: ldapConfig.username,
  bindCredentials: ldapConfig.password,
  checkInterval: ldapConfig.checkinterval,
  maxIdleTime: ldapConfig.maxidletime,
  reconnect: true

const server = require('kth-node-server')
const passport = require('passport')

// Don't forget to register the strategies here (Strategy and GatewayStrategy shown above)


const { authLoginHandler, authCheckHandler, logoutHandler, pgtCallbackHandler, serverLogin, getServerGatewayLogin } = require('kth-node-passport-cas').routeHandlers({
  adminGroup: 'group_name', // LDAP admin group for this app
  casLoginUri: '/app/mountpoint/login',
  casGatewayUri: '/app/mountpoint/loginGateway',
  cookieTimeout: COOKIE_TIMEOUT,
  ldapConfig: ldapConfig,
  ldapClient: ldapClient,
  server: server
appRoute.get('cas.login', '/app/mountpoint/login', authLoginHandler)
appRoute.get('cas.gateway', '/app/mountpoint/loginGateway', authCheckHandler)
appRoute.get('cas.logout', '/app/mountpoint/logout', logoutHandler)
// Optional pgtCallback
appRoute.get('cas.pgtCallback', '/app/mountpoint/pgtCallback', pgtCallbackHandler)

// Make sure user is logged in and send to login page if not
server.get('/app/mountpoint', serverLogin, function (req, res) { ... })

// Make sure user is logged in and fail request if not
server.get('/app/mountpoint/gateway', getServerGatewayLogin('/'), function (req, res) { ... })
You can’t perform that action at this time.