Skip to end of metadata
Go to start of metadata
Table of Contents

Icon

OAuth support is only available in CAS server version >= 3.5.0.

Since CAS server 4.0, the OAuth client support has been moved to the cas-server-support-pac4j module.

Security alert on OAuth server support 3.5.0

Icon

In CAS server 3.5.0, for OAuth server support : if there is an error on authorize call, the user is redirected back to the redirect_uri url with the error as a GET parameter. This is a security breach because at this moment, the callback url (redirect_uri) has not been validated.

The cas-server-support-oauth module version 3.5.1 is necessary to use the OAuth server support.

 

The CAS server supports two kinds of OAuth support. Though, both modes are totally independent. OAuth client support can be used without OAuth server support and OAuth server support can be used without OAuth client support.

 

I. OAuth client support

For CAS server 3.5.x, the cas-server-support-oauth module was made to add OAuth client support to the CAS server. It means that the CAS server can support OAuth protocol as an OAuth client : in this case, CAS authentication can be delegated to an OAuth provider like Facebook, GitHub, Google, LinkedIn, Twitter, Yahoo, Windows Live, WordPress... or even an another CAS server using OAuth wrapper.

The 3.5.0 version is the first release of the cas-server-support-oauth module.

Since CAS server 4.0.0, the OAuth client support has been moved to the cas-server-support-pac4j module.

Configuration for the OAuth client support in CAS server version 3.5.0

Configuration for the OAuth client support in CAS server version >= 3.5.1

 

II. OAuth server support

The cas-server-support-oauth module brings OAuth server support to CAS server : in this case, CAS acts as an OAuth server, communicating through OAuth protocol version 2.0 with OAuth clients.

The 3.5.0 version is the first release of the cas-server-support-oauth module.

A demo to see OAuth (client and server) support in CAS server >= 4.0.0 is available at https://github.com/leleuj/cas-pac4j-oauth-demo.

A demo to see OAuth (client and server) support in CAS server >= 3.5.1 is available at https://github.com/leleuj/cas-oauth-demo-3.5.x.

 

  • No labels