CAS 4.0.0: Will it support OIDC (OpenID Connect) features


CAS 4.0.0: Will it support OIDC (OpenID Connect) features

yarra srinivas
Hi Folks,

We're using a pretty old version of the CAS component (i.e. 4.0.0) for authentication purposes. As per requirement, we don't want to upgrade the CAS Server component; if possible, we want to delegate the authentication to a third-party component like Keycloak, so as to avoid upgrading the CAS component and its interdependent components like Spring and other modules in the project.

My basic doubts are:

1. Will it be possible with CAS 4.0.0 to delegate authentication to a Keycloak server?
2. If so, what would be the best robust technique for delegating authentication, based on CAS 4.0.0, to help us connect to the Keycloak component?


Thanks,
Yarra

--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/24bda63e-781f-4bee-ba0d-8b2bb01f2d80n%40apereo.org.

Re: CAS 4.0.0: Will it support OIDC (OpenID Connect) features

Jérôme LELEU
Hi,

pac4j v1.7.0 is an old version based on an old version of the Nimbus SDK without default support for Keycloak.

So, even if it is feasible, you'll need customisations to make it work.

As I said on the pac4j mailing list, I highly recommend upgrading the CAS server.

Thanks.
Best regards,
Jérôme
 

On Mon, 28 Sept 2020 at 19:47, yarra srinivas <[hidden email]> wrote:
Hi Folks,

We're using a pretty old version of the CAS component (i.e. 4.0.0) for authentication purposes. As per requirement, we don't want to upgrade the CAS Server component; if possible, we want to delegate the authentication to a third-party component like Keycloak, so as to avoid upgrading the CAS component and its interdependent components like Spring and other modules in the project.

My basic doubts are:

1. Will it be possible with CAS 4.0.0 to delegate authentication to a Keycloak server?
2. If so, what would be the best robust technique for delegating authentication, based on CAS 4.0.0, to help us connect to the Keycloak component?


Thanks,
Yarra


Re: CAS 4.0.0: Will it support OIDC (OpenID Connect) features

yarra srinivas
Thank you @leleuj for your detailed information. I understand your comment, but, based on customer requirements, I'm exploring the feasibility & constraints if we use the CAS 4.0.0 version.

On Tuesday, September 29, 2020 at 1:22:52 PM UTC+5:30 leleuj wrote:
Hi,

pac4j v1.7.0 is an old version based on an old version of the Nimbus SDK without default support for Keycloak.

So, even if it is feasible, you'll need customisations to make it work.

As I said on the pac4j mailing list, I highly recommend upgrading the CAS server.

Thanks.
Best regards,
Jérôme
 


Re: CAS 4.0.0: Will it support OIDC (OpenID Connect) features

yarra srinivas
Hi @leleuj,

Kindly guide me on how to parse, or make CAS understand, the response from Keycloak; it would be a great help for me to proceed further. As you said previously, it might require some customisation. Could you please guide me, if possible: am I doing something wrong in the oidcClient configuration?

applicationContext.xml file:
<bean id="keyCloakOpenid" class="org.pac4j.oidc.client.OidcClient">
    <property name="name" value="openid" />
    <property name="clientID" value="yarra-client" />
    <property name="secret" value="e374ff0-f724-411d-b6474-46aea4b62a6f" />
    <property name="discoveryURI" value="http://hostname:8080/auth/realms/yarra/.well-known/openid-configuration" />
</bean>

<bean id="clients" class="org.pac4j.core.client.Clients">
    <property name="callbackUrl" value="https://hostname:8443/cas/login" />
    <property name="clientNameParameter" value="KeycloakOIDC" />
    <property name="clients">
        <list>
            <ref bean="keyCloakOpenid" />
        </list>
    </property>
</bean>

login-webflow.xml:

<action-state id="clientAction">
    <evaluate expression="clientAction" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="ticketGrantingTicketCheck" />
    <transition on="stop" to="stopWebflow" />
</action-state>

<view-state id="stopWebflow" />

<action-state id="ticketGrantingTicketCheck">
    <evaluate expression="ticketGrantingTicketCheckAction" />
    <transition on="notExists" to="gatewayRequestCheck" />
    <transition on="invalid" to="terminateSession" />
    <transition on="valid" to="hasServiceCheck" />
</action-state>

org.springframework.webflow.engine.NoMatchingTransitionException: No transition was matched on the event(s) signaled by the [1] action(s) that executed in this action state 'ticketGrantingTicketCheck' of flow 'login'; transitions must be defined to handle action result outcomes -- possible flow configuration error? Note: the eventIds signaled were: 'array<String>['success']', while the supported set of transitional criteria for this action state is 'array<TransitionCriteria>[notExists, invalid, valid]'

Kindly help me.



On Tuesday, September 29, 2020 at 1:51:04 PM UTC+5:30 yarra srinivas wrote:
Thank you @leleuj for your detailed information. I understand your comment, but, based on customer requirements, I'm exploring the feasibility & constraints if we use the CAS 4.0.0 version.

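
An added example, not part of the thread and not CAS or pac4j code: a pre-flight check for the discovery document that a `discoveryURI` like the one in the last post points at, flagging plain-HTTP metadata and endpoints and an issuer that does not match the realm URL. The function name, the sample JSON bodies and the `https://hostname:8443` TLS listener are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Endpoints a code-flow relying party depends on; jwks_uri carries the signing keys.
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def audit_discovery(discovery_uri, document):
    """Return a list of findings for an OIDC discovery document (empty list = clean)."""
    if not discovery_uri.endswith(WELL_KNOWN):
        return ["discovery URI does not end with " + WELL_KNOWN]
    findings = []
    expected_issuer = discovery_uri[: -len(WELL_KNOWN)]
    if urlsplit(discovery_uri).scheme != "https":
        findings.append("discovery URI is not https: metadata can be altered in transit")
    issuer = document.get("issuer")
    # OpenID Connect Discovery 1.0, section 4.3: the issuer in the document must
    # exactly match the issuer the discovery URI was built from.
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: expected {expected_issuer!r}, got {issuer!r}")
    for name in ENDPOINTS:
        value = document.get(name)
        if not value:
            findings.append(f"{name} is missing")
        elif urlsplit(value).scheme != "https":
            findings.append(f"{name} is not https: {value}")
    return findings


# Constructed sample data: the URI has the shape used in the post (placeholder
# host "hostname"); the JSON body is invented for illustration.
POSTED_URI = "http://hostname:8080/auth/realms/yarra/.well-known/openid-configuration"
POSTED_DOC = json.loads("""{
  "issuer": "http://hostname:8080/auth/realms/yarra",
  "authorization_endpoint": "http://hostname:8080/auth/realms/yarra/protocol/openid-connect/auth",
  "token_endpoint": "http://hostname:8080/auth/realms/yarra/protocol/openid-connect/token",
  "jwks_uri": "http://hostname:8080/auth/realms/yarra/protocol/openid-connect/certs"
}""")
# Assumed TLS listener for the same realm (hypothetical host and port).
TLS_URI = "https://hostname:8443/auth/realms/yarra/.well-known/openid-configuration"
TLS_DOC = {key: value.replace("http://hostname:8080", "https://hostname:8443")
           for key, value in POSTED_DOC.items()}

if __name__ == "__main__":
    for label, uri, doc in (("as posted", POSTED_URI, POSTED_DOC),
                            ("over TLS", TLS_URI, TLS_DOC)):
        print(label, audit_discovery(uri, doc) or "no findings")
```
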