Tags: java, spring-boot, single-sign-on, cas

Validate token ST Apereo CAS in REST service (Stateless)


My apologies for my bad English.

I have the tool Apereo CAS used as SSO login. When I'm using it with stateful applications this works very well. But I want to call a REST API (stateless) for a specific scenario and validate the logged-in user (and use their information in the service). My backend API is developed with Spring Boot. Has someone needed a similar situation?

PS: This API will be accessed by a frontend and by services without a frontend, therefore I'll not be able to use cookies.

Sequence diagram to exemplify my idea: [image omitted]

Thanks.


Solution

  • Your front-end application needs to ask the CAS server for proxy authentication.

    One of the more common use cases of proxy authentication is the ability to obtain a ticket for a back-end [REST-based] service that is also protected by CAS. The scenario usually is:

    • User is faced with application A which is protected by CAS.
    • Application A on the backend needs to contact a service S to produce data.
    • Service S itself is protected by CAS itself.

    Because the front-end contacts the service in the back-end via a server-to-service call where no browser is involved, the backend would not be able to recognize that an SSO session already exists. In these cases, the front-end needs to exercise proxying in order to obtain a proxy ticket for the backend. The proxy ticket is passed to the relevant endpoint of the backend so it can retrieve and validate it via CAS and finally produce a response.

    The trace route may look like this:

    • Browser navigates to front-end.
    • Front-end redirects to CAS.
    • CAS authenticates and redirects back to front-end with an ST.
    • Front-end attempts to validate the ST, and asks for a PGT.
    • CAS confirms ST validation, and issues a proxy-granting ticket PGT.
    • Front-end asks CAS to produce a PT for back-end API, supplying the PGT in its request.
    • CAS produces a PT for backend API.
    • Front-end contacts the service S endpoint, passing along PT in the request.
    • Backend API attempts to validate the PT via CAS.
    • CAS validates the PT and produces a successful response.
    • Backend API receives the response, and produces data for front-end.
    • A receives and displays the data in the browser.

    See this for details.
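The back-end half of the trace route above (steps "Backend API attempts to validate the PT via CAS" through "Backend API receives the response") written out as an added example; this is not code from the original post or from the Apereo CAS project. It is a servlet filter for a stateless Spring Boot API that takes the PT from the `Authorization` header, calls the CAS `/p3/proxyValidate` endpoint, parses the XML response, and only accepts tickets whose proxy chain consists of trusted front-ends. The CAS URL, the API's registered service URL, the front-end's `pgtUrl`, the `Bearer` header convention and Spring Boot 2.x (`javax.servlet`) are assumptions; for Spring Boot 3 replace `javax.servlet` with `jakarta.servlet`.

```java
// Added example (not the original post's or the CAS project's code): validate a
// CAS proxy ticket on every request of a stateless Spring Boot API.
// Assumed values: CAS at https://cas.example.org/cas, this API registered in CAS
// as https://api.example.org/api, front-end pgtUrl https://app.example.org/pgtCallback.
package com.example.api.cas;

import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

@Component // Spring Boot registers Filter beans automatically
public class CasProxyTicketFilter extends OncePerRequestFilter {

    private static final String CAS_NS = "http://www.yale.edu/tp/cas";
    // Assumed deployment values; adjust to your environment.
    private static final String PROXY_VALIDATE = "https://cas.example.org/cas/p3/proxyValidate";
    private static final String THIS_SERVICE = "https://api.example.org/api";
    // pgtUrl callbacks of the front-ends that are allowed to proxy to this API.
    private static final Set<String> TRUSTED_PROXIES = Set.of("https://app.example.org/pgtCallback");
    private static final Pattern TICKET = Pattern.compile("^(PT|ST)-[A-Za-z0-9._-]{1,256}$");

    private final RestTemplate rest = new RestTemplate();

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String ticket = extractTicket(req);
        if (ticket == null || !TICKET.matcher(ticket).matches()) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing or malformed CAS ticket");
            return;
        }
        // 'service' must be exactly the targetService the front-end passed to /proxy,
        // otherwise CAS rejects the ticket. RestTemplate URL-encodes the variables.
        String xml = rest.getForObject(PROXY_VALIDATE + "?service={s}&ticket={t}",
                String.class, THIS_SERVICE, ticket);
        Validation v = parse(xml);
        // Accept a direct ST (empty chain) or a PT whose every hop is a trusted front-end.
        if (v == null || !TRUSTED_PROXIES.containsAll(v.proxies)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "CAS ticket rejected");
            return;
        }
        req.setAttribute("cas.user", v.user); // controllers read the authenticated principal here
        chain.doFilter(req, res);
    }

    // Assumed convention: the PT travels as "Authorization: Bearer PT-..." (no cookies).
    private static String extractTicket(HttpServletRequest req) {
        String h = req.getHeader("Authorization");
        return (h != null && h.startsWith("Bearer ")) ? h.substring(7).trim() : null;
    }

    static final class Validation {
        final String user;
        final List<String> proxies;
        Validation(String user, List<String> proxies) { this.user = user; this.proxies = proxies; }
    }

    // Parses a CAS 2/3 serviceResponse. A successful PT validation looks like (constructed):
    //   <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    //     <cas:authenticationSuccess><cas:user>alice</cas:user>
    //       <cas:proxies><cas:proxy>https://app.example.org/pgtCallback</cas:proxy></cas:proxies>
    //     </cas:authenticationSuccess></cas:serviceResponse>
    // Returns null for cas:authenticationFailure or malformed input.
    static Validation parse(String xml) {
        if (xml == null) return null;
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            // The document comes off the network: refuse DTDs and entity expansion.
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setExpandEntityReferences(false);
            Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            if (doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess").getLength() != 1) return null;
            NodeList userNodes = doc.getElementsByTagNameNS(CAS_NS, "user");
            if (userNodes.getLength() != 1) return null;
            List<String> proxies = new ArrayList<>();
            NodeList p = doc.getElementsByTagNameNS(CAS_NS, "proxy");
            for (int i = 0; i < p.getLength(); i++) proxies.add(p.item(i).getTextContent().trim());
            return new Validation(userNodes.item(0).getTextContent().trim(), proxies);
        } catch (Exception e) {
            return null; // parser configuration or XML error: treat as invalid ticket
        }
    }
}
```

On the front-end side the remaining steps map onto three CAS calls: validate the ST with `/serviceValidate?service=<front-end>&ticket=ST-...&pgtUrl=<pgtUrl>` (CAS returns a PGTIOU in the response and delivers the PGT to `pgtUrl` over HTTPS), then `/proxy?pgt=PGT-...&targetService=https://api.example.org/api` to obtain the PT, then send the PT to the API. Two points matter for the check above to be meaningful: CAS refuses proxying unless the front-end's entry in the service registry has a `proxyPolicy` that allows it, and the `TRUSTED_PROXIES` comparison is what stops an arbitrary CAS-protected application from minting tickets for this API, since `cas:proxies` lists the `pgtUrl` of every hop that proxied the ticket. The PT is single-use and short-lived, so the stateless API validates it on each request rather than caching a session.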