CAS authentication fails #162

Closed
holman opened this Issue Feb 2, 2011 · 6 comments

holman commented Feb 2, 2011

I'm (still) upgrading to beta2, and while LDAP is looking good, CAS is erroring out. From Jasig's CAS server:

2011-02-01 18:16:37,477 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: test]
2011-02-01 18:16:37,477 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-11-20NcRofqRoKekacRnbK3-cas] for service [http://[hostname]/auth/cas/callback] for user [test]
2011-02-01 18:16:37,487 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-11-20NcRofqRoKekacRnbK3-cas] with service [http://[hostname]/auth/cas/callback does not match supplied service [http://[hostname]/auth/cas/callback?ticket=ST-11-20NcRofqRoKekacRnbK3-cas]

So apparently there's a validation between service URLs. CAS did work for me previously without issue, and while I haven't touched anything CAS-related, there haven't been many OmniAuth changes either, which is strange.

If I strip out this line in CAS::Configuration#service_validate_url and instead just return url, that seems to fix Jasig:

2011-02-01 18:26:14,219 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: test]
2011-02-01 18:26:14,220 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-12-cdAMO5kHhOlP0dPpAFgh-cas] for service [http://[hostname]/auth/cas/callback] for user [test]

...but OmniAuth's callback still redirects it to /auth/failure:

127.0.0.1 - - [01/Feb/2011 18:26:14] "GET /auth/cas/callback?ticket=ST-12-cdAMO5kHhOlP0dPpAFgh-cas HTTP/1.0" 302 - 0.0350
127.0.0.1 - - [01/Feb/2011 18:26:15] "GET /auth/failure?message= HTTP/1.0" 200 19910 1.5880

Happen to have run into this at all before? I'm pretty puzzled here.

holman commented Feb 3, 2011

For what it's worth, I tried this from the barebones Sinatra example on the wiki (my changes are here). This was on the latest (3.4.5) Jasig's CAS server — and 3.3.5 for good measure — and it still generates the same error:

2011-02-02 16:01:36,429 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-1-2OrmetoVyLFtzDWlkz1A-cas] with service [http://localhost:4567/auth/cas/callback does not match supplied service [http://localhost:4567/auth/cas/callback?ticket=ST-1-2OrmetoVyLFtzDWlkz1A-cas]

That's about as barebones and standardized as I can get; it certainly seems like CAS is broken on beta2 right now.

holman commented Feb 12, 2011

Aha. Finally traced the cause.

module OmniAuth
  module Strategy
    def callback_url
      full_host + callback_path #+ query_string
    end
  end
end

The addition of query_string to callback_url looks like it causes all of the issues with CAS. Commenting it out "fixes" CAS, although that's not preferable for, you know, all of the other strategies, I'm sure.
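
An added example (not code from this thread, from OmniAuth, or from commit 31cb192) of the rule behind the Jasig error above: CAS validates a ticket only when the service sent at validation equals the service the ticket was granted for, so the client has to drop its own ticket parameter from the callback URL while keeping any other query parameters. The CAS base URL, the ticket value and the helper names are constructed for illustration.

```ruby
require 'uri'

# Constructed sample inputs (not taken from the logs in this thread).
CAS_BASE = 'https://cas.example.org/cas'  # assumed CAS server base URL
CALLBACK = 'http://localhost:4567/auth/cas/callback?ticket=ST-1-EXAMPLE-cas'
CALLBACK_WITH_STATE =
  'http://localhost:4567/auth/cas/callback?origin=%2Fdashboard&ticket=ST-1-EXAMPLE-cas'

# Callback URL with only the CAS ticket parameter removed. This is the value
# that has to equal the service the ticket was originally granted for.
def service_url_for(callback_request_url)
  uri = URI.parse(callback_request_url)
  params = URI.decode_www_form(uri.query || '').reject { |name, _| name == 'ticket' }
  uri.query = params.empty? ? nil : URI.encode_www_form(params)
  uri.to_s
end

# Service ticket carried by the callback request, or nil when absent.
def ticket_from(callback_request_url)
  query = URI.parse(callback_request_url).query || ''
  URI.decode_www_form(query).assoc('ticket')&.last
end

# URL for the CAS 2.0 /serviceValidate call: service and ticket travel as
# separate, form-encoded parameters.
def service_validate_url(cas_base, callback_request_url)
  query = URI.encode_www_form(
    'service' => service_url_for(callback_request_url),
    'ticket'  => ticket_from(callback_request_url)
  )
  "#{cas_base}/serviceValidate?#{query}"
end

# The comparison the CAS server log reports on: an exact match between the
# service a ticket was granted for and the service supplied at validation.
def service_matches?(granted_service, supplied_service)
  granted_service == supplied_service
end

if __FILE__ == $PROGRAM_NAME
  granted = 'http://localhost:4567/auth/cas/callback'
  puts service_matches?(granted, CALLBACK)                   # ticket left in the URL
  puts service_matches?(granted, service_url_for(CALLBACK))  # ticket stripped
  puts service_validate_url(CAS_BASE, CALLBACK_WITH_STATE)
end
```

The exact-match check on the server is what stops a ticket issued for one service from being redeemed for another, so the correction belongs in how the client builds the service value rather than in relaxing validation.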

jamesarosen commented Feb 13, 2011

I'm working on this, but I'm having a really hard time getting that Sinatra app to run. I keep getting undefined method `to_i' for #<OmniAuth::Builder:0x1023f1e90>.

jamesarosen commented Feb 13, 2011

Strike that. It's a Sinatra .rb file, not a Rack .ru file.

jamesarosen commented Feb 13, 2011

I've figured it out; I just haven't figured out how to write the test.

jamesarosen commented Feb 13, 2011

Resolved in 31cb192

sergioazevedo pushed a commit to intelie/omniauth that referenced this issue Jun 8, 2011

This issue was closed.
