OAuth 2.0 Provider Integration with CAS SSO?

  • OAuth 2.0 Provider Integration with CAS SSO?

    We want to use CAS as our SSO, but leverage OAuth 2.0 for our mobile application to communicate with our services. The mobile application should use the Resource Owner Password Credentials grant as outlined in section 4.3 of the OAuth 2.0 specification draft. CAS has an OAuth wrapper, but it only supports an Authorization Code grant type.

    The idea is to use CAS for SSO for our web applications, and utilize a Spring application to act as an OAuth 2.0 wrapper for CAS that supports a Resource Owner Password Credentials workflow for our mobile app.

    Is this possible? I'm somewhat new at SSO and OAuth.

  • #2
    Hi,

    I'm the creator of the OAuth support for CAS.

    Your scenario is not totally clear to me: you have a mobile application which is not a web application, don't you?
    You want to fill in the login/password in this mobile app, check this information against the OAuth/CAS provider and then access web services using the same identity checked by the provider. Correct?

    Thanks.
    Best regards,
    Jérôme



    • #3
      Sounds right. We have a separate spring webapp providing a REST endpoint for the mobile app. The resource owner will be the user of the mobile application and provide his credentials through there.



      • #4
        Hi,

        You could use both mechanisms (CAS or OAuth). It really depends on your skills/constraints and already existing service.

        On one hand, you could authenticate with login/password at the CAS server by using its REST API and then get a service ticket to access your web service protected by a CAS client.

        On the other hand, you could turn your web service into a resource and authorization OAuth 2 server by using the Spring Security OAuth library, authenticate with login/password, get an access token and use it to access the web service.

        Best regards,
        Jérôme

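The first option in the reply above, the CAS REST API, is a three-step ticket exchange. What follows is an added example, not code from the CAS project or from the poster: a client that obtains a ticket-granting ticket with the user's login/password, exchanges it for a service ticket, and then (on the web-service side) validates that ticket with /serviceValidate. The CAS hostname, the service URL, and the server replies returned by `fake_cas` are constructed so the flow runs offline; `urllib_transport` is the drop-in for a live server.

```python
"""Added example, not code from the CAS project: the ticket exchange a mobile
client performs against the CAS REST API (POST /v1/tickets, POST to the TGT
URL, GET /serviceValidate). Hostnames and the server replies are constructed
so the flow runs offline; swap in urllib_transport for a live server."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_BASE = "https://cas.example.org/cas"    # assumed CAS server
SERVICE = "https://api.example.org/mobile"  # assumed service URL registered in CAS
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


class CasError(Exception):
    pass


def obtain_tgt(transport, username, password):
    """Step 1: primary credentials -> ticket-granting ticket.
    The server answers 201 Created with the TGT URL in the Location header.
    That URL is a bearer credential for the whole SSO session: TLS only."""
    status, headers, _ = transport("POST", f"{CAS_BASE}/v1/tickets",
                                   urlencode({"username": username, "password": password}))
    if status != 201:
        raise CasError(f"login rejected (HTTP {status})")
    tgt_url = headers.get("Location", "")
    if not tgt_url.rsplit("/", 1)[-1].startswith("TGT-"):
        raise CasError("no TGT in Location header")
    return tgt_url


def obtain_st(transport, tgt_url, service):
    """Step 2: TGT -> single-use service ticket bound to one service URL."""
    status, _, body = transport("POST", tgt_url, urlencode({"service": service}))
    if status != 200 or not body.strip().startswith("ST-"):
        raise CasError(f"no service ticket (HTTP {status})")
    return body.strip()


def validate_st(transport, service, ticket):
    """Step 3, done by the web service (the CAS client), not by the app:
    /serviceValidate must be called with the same service URL the ticket was
    issued for, and the XML answer names the authenticated user."""
    status, _, body = transport("GET", f"{CAS_BASE}/serviceValidate?"
                                + urlencode({"service": service, "ticket": ticket}), None)
    root = ET.fromstring(body)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", CAS_NS)
        raise CasError(fail.get("code") if fail is not None else "malformed response")
    return ok.find("cas:user", CAS_NS).text


def login_and_validate(transport, username, password, service=SERVICE):
    tgt_url = obtain_tgt(transport, username, password)
    st = obtain_st(transport, tgt_url, service)
    return validate_st(transport, service, st)


def urllib_transport(method, url, body):
    """Real transport: returns (status, headers, body) from a live CAS server."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode()


# --- constructed server behaviour standing in for a CAS server (assumption) ---
def fake_cas(method, url, body):
    if method == "POST" and url == f"{CAS_BASE}/v1/tickets":
        if body == urlencode({"username": "alice", "password": "s3cret"}):
            return 201, {"Location": f"{CAS_BASE}/v1/tickets/TGT-1-example"}, ""
        return 400, {}, ""
    if method == "POST" and url == f"{CAS_BASE}/v1/tickets/TGT-1-example":
        return 200, {}, "ST-1-example"
    if method == "GET" and url.startswith(f"{CAS_BASE}/serviceValidate?"):
        if "ticket=ST-1-example" in url:
            return 200, {}, ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
                             '<cas:authenticationSuccess><cas:user>alice</cas:user>'
                             '</cas:authenticationSuccess></cas:serviceResponse>')
        return 200, {}, ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
                         '<cas:authenticationFailure code="INVALID_TICKET">'
                         'ticket not recognized</cas:authenticationFailure></cas:serviceResponse>')
    return 404, {}, ""


if __name__ == "__main__":
    print(login_and_validate(fake_cas, "alice", "s3cret"))
```

Two points a practitioner should keep in mind with this option: the app must keep the TGT URL (not the password) for the session and request a fresh service ticket per call, because a service ticket is single-use and short-lived; and the web service must validate every ticket it receives against CAS with its own service URL, never trusting a ticket string handed to it by the app.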


        • #5
          You're right about using the REST API for CAS, and that's an option we're considering for the mobile app. I'm not on that team, but I assume they want to use OAuth because of the libraries that already exist for that.

          We still want to use CAS as our SSO for our 4 webapps (one of which is simply a REST interface). Those 4 webapps would use spring-security-cas and a web redirect for authentication. Only the REST webapp needs OAuth capabilities for the sake of the mobile app.

          So if the mobile app speaks OAuth, could I make our webapp request service tickets from the CAS server and issue OAuth access/refresh tokens to the mobile app? I assume I'd have to either create a convention (like you did with CAS name/description <==> OAuth client_id/client_secret) or have a table in the database relating CAS service tickets with oauth access tokens.

          On the other hand, it might be easier to fork cas-server-support-oauth and add the type of grant I need. Now that I wrote those last few paragraphs it sounds like I'm re-inventing the oauth wrapper. Does this seem feasible?



          • #6
            Hi,

            Service tickets are given by the CAS server, not requested by web applications. So I would not try to implement a solution at the web app level.

            I think that the best solution is to improve the cas-server-support-oauth module to support the user credentials grant type.

            Your timing is perfect as I plan to spend time on the OAuth module in April: see this discussion on the CAS dev list: https://lists.wisc.edu/read/messages?id=26666352.

            So far, the OAuth server support is a web facade, delegating to the CAS login webflow for authentication and completely built on CAS internals: codes are service tickets and access tokens are TGTs. The idea is also to keep both authentications (CAS and OAuth). However, it's custom code and I think it can be greatly improved by using Spring Security OAuth.
            First, we could replace the custom code by Spring Security OAuth one (just the authorization code grant type).
            Then, we could easily add support for the user credentials grant type.

            I'll be happy to participate/help on this. I propose we continue this discussion in private: [email protected].

            Best regards,
            Jérôme

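The user-credentials grant type the thread wants added is the Resource Owner Password Credentials grant of the OAuth 2.0 specification (RFC 6749, section 4.3). The block below is an added example, not code from cas-server-support-oauth or Spring Security OAuth: a minimal token endpoint that authenticates the client, checks the user's login/password, and issues bearer and refresh tokens, together with the token check the protected REST webapp would perform on each request. The client registration, the user record, the hashing parameters and the token store are assumptions made for the example; in the module described above the access tokens are TGTs, here they are opaque random strings.

```python
"""Added example, not code from CAS or Spring Security OAuth: a token endpoint
for the Resource Owner Password Credentials grant (RFC 6749 section 4.3) with
refresh-token rotation, and the bearer-token lookup of a resource server
(RFC 6750). Registrations and the token store are constructed for the example."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed registrations (assumptions). A real server keeps these in its
# user store and client registry, never in source.
_SALT = b"example-salt-not-for-production"
USERS = {"alice": _hash_pw("correct horse battery staple", _SALT)}
CLIENTS = {"mobile-app": "mobile-app-secret"}   # client_id -> client_secret

ACCESS_TOKENS = {}    # opaque token -> (username, expiry)
REFRESH_TOKENS = {}   # opaque token -> username
TOKEN_TTL = 3600


def _authenticate_client(headers):
    """Client authentication with HTTP Basic (RFC 6749 section 2.3.1)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id


def _authenticate_user(username, password):
    stored = USERS.get(username)
    if stored is None:
        _hash_pw(password, _SALT)   # same cost for unknown users: no timing oracle
        return False
    return hmac.compare_digest(stored, _hash_pw(password, _SALT))


def _issue(username):
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    ACCESS_TOKENS[access] = (username, time.time() + TOKEN_TTL)
    REFRESH_TOKENS[refresh] = username
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": TOKEN_TTL, "refresh_token": refresh}


def token_endpoint(headers, body):
    """Handler for POST /oauth/token (assumed path). Returns (status, json, headers)."""
    no_store = {"Cache-Control": "no-store", "Pragma": "no-cache"}
    if _authenticate_client(headers) is None:
        return 401, {"error": "invalid_client"}, {**no_store, "WWW-Authenticate": 'Basic realm="token"'}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    if grant == "password":
        if "username" not in form or "password" not in form:
            return 400, {"error": "invalid_request"}, no_store
        if not _authenticate_user(form["username"], form["password"]):
            return 400, {"error": "invalid_grant"}, no_store
        return 200, _issue(form["username"]), no_store
    if grant == "refresh_token":
        # pop() rotates the refresh token: a replayed one is rejected
        username = REFRESH_TOKENS.pop(form.get("refresh_token", ""), None)
        if username is None:
            return 400, {"error": "invalid_grant"}, no_store
        return 200, _issue(username), no_store
    return 400, {"error": "unsupported_grant_type"}, no_store


def resource_owner(headers):
    """What the protected REST webapp does per request: map the bearer token
    back to the user it was issued to, or None if unknown or expired."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    entry = ACCESS_TOKENS.get(auth[7:])
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]


def basic(client_id, secret):
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


if __name__ == "__main__":
    hdrs = {"Authorization": basic("mobile-app", "mobile-app-secret")}
    body = urlencode({"grant_type": "password", "username": "alice",
                      "password": "correct horse battery staple"})
    status, resp, _ = token_endpoint(hdrs, body)
    print(status, json.dumps(resp))
    print(resource_owner({"Authorization": "Bearer " + resp["access_token"]}))
```

The caveat that comes with this grant is the reason the specification restricts it to trusted clients: the mobile app sees the user's password, so it is only appropriate for a first-party app, and the endpoint must be served over TLS since both the credentials and the issued tokens travel as bearer values. The `invalid_client` answer carries `WWW-Authenticate` and the token responses carry `Cache-Control: no-store`, as the specification requires.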