Support CAS protocol v3: new user attributes

[leleuj]

Hi,

Since the CAS server version 4.0.0 which implements the CAS protocol v3, there are new endpoints : /p3/serviceValidate and /p3/proxyValidate which return user attributes in addition to the user name (XML format). Example:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationSuccess>
        <cas:user>jleleu</cas:user>
        <cas:attributes>
            <cas:firstname>Jerome</cas:firstname>
            <cas:lastname>LELEU</cas:lastname>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>

It doesn't seem to be supported by this CAS client.
I tried using the following settings to get the new XML response:

LOGIN_URL = "https://myserver/cas/login"
CAS_SERVER_URL = "https://myserver/cas/p3/"

but it doesn't work: I'm stuck on my login page with: https://myserver/cas/login?next=http%3A//localhost%3A8000/protected/index instead of https://myserver/cas/login?service=http%3A//localhost%3A8000/protected/index.

Am I missing something on this problem?

Do you plan to support CAS protocol v3?

Thanks.

[dstegelman]

Hi,

Yes we do not yet support v3 of CAS specifically. I'm not sure on what timeline we'd be moving forward on that. If you would like to open up issues or a PR to support it, please do.

[leleuj]

I know very well CAS, but not that much Python. That said, it should not be too complicated to get all attributes from the XML response if CAS_VERSION is set to 3. Where should these attributes be stored? In the djando user model even if I'm not sure what it is? In session?

[dstegelman]

This library doesn't handle storing those actual attributes, you can use a custom proxyCallback in order to get those and do what you want them, but this library doesn't handle the actual storage.

Django-CAS handles the authentication bits and all the necessary redirects, anything beyond that is typically handed by other apps within a user's project.

[leleuj]

So the idea would be to also pass the user attributes to the callbackfunction method so that django-cas users can choose what to do with the user attributes?

[dstegelman]

That could work. Currently you define a callback in your project:

CAS_RESPONSE_CALLBACKS = (
    my_project.cas_callbacks.store_tickets',
)

Then in that method (which accepts an XML tree) you can strip out what you need and do whatever you want with it.

def store_tickets(tree):
    username = tree[0][0].text

    user, user_created = User.objects.get_or_create(username=username)
    user_profile, created = UserProfile.objects.get_or_create(user=user)

    return username

I'm sorry I can't be more helpful with regard to V3, we just aren't there yet so we haven't updated it. If you have specific documentation on how we should implement that client, feel free to pass that along and I can get it scheduled.

[leleuj]

I haven't been able to find a better doc than the original JIRA: https://issues.jasig.org/browse/CAS-1283.

Using the new /p3/serviceValidate and /p3/proxyValidate url, in the XML payload, you have a new <cas:attributes> tag which is a sibling of <cas:user>.
Under this new tag,

• for a single value attribute, you have: <cas:key>value</cas:key>
• for a multi-values attribute, you have:

<cas:key>value1</cas:key>
<cas:key>value2</cas:key>
...
<cas:key>valueN</cas:key>

Is it clear enough?

[dstegelman]

Yes, thank you.

[leleuj]

I finally found back the protocol spec: http://jasig.github.io/cas/development/protocol/CAS-Protocol-Specification.html#head2.5

[dstegelman]

Thanks

[leleuj]

New PR: #35