CAS 3.5.x (x>1) supports an OAuth2 server

Source: Internet
Author: User
Tags: app service oauth

Original address: http://my.oschina.net/sayi/blog/200278

Contents

    • OAuth support
    • Background on the access setup
    • Step 1. Register the application to obtain client_id and client_secret
    • Step 2. The OAuth client constructs the authorize URL and obtains the authorization code
    • Step 3. Exchange the authorization code for an access_token
    • Step 4. Retrieve user information with the access_token
    • Summary
OAuth support

CAS 3.5.x provides OAuth support on both the client and the server side. The server-side module, cas-server-support-oauth, depends on the following jars:

scribe-1.3.5.jar
scribe-up-1.2.0.jar
jackson-core-2.3.0.jar, jackson-databind-2.3.0.jar

CAS provides three endpoints by default:

/oauth2.0/authorize
    Required GET parameters: client_id and redirect_uri.
/oauth2.0/accessToken
    Required GET parameters: client_id, redirect_uri, client_secret and code.
/oauth2.0/profile
    Required GET parameter: access_token.

Background on the access setup:

1. The CAS web login URL is https://cas.sayi.com:8443/cas/login
2. The callback address is http://www.doubannote.org/ (a fictitious address; it does not actually exist)
3. The client_id is "key"
4. The client_secret is "secret"
5. The application name is DoubanNote
6. The core class is org.jasig.cas.support.oauth.web.OAuth20WrapperController

The following configures the CAS server as an OAuth2 server. We walk through the configuration step by step, following the path an OAuth2 client takes when it accesses CAS:

Step 1. Register the application to obtain client_id and client_secret

In a mature system a page is normally provided where a user applies for access; the user is then issued a client_id and client_secret and is allowed to configure the callback address. So the OAuth server side (that is, the CAS server) first has to persist these application registrations. By default the applications are configured in the serviceRegistryDao bean of deployerConfigContext.xml; in a real deployment the application records could instead be stored in a database:

<bean
    id="serviceRegistryDao"
    class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
        <list>
            <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                <property name="id" value="1" />
                <property name="name" value="HTTP" />
                <property name="description" value="oauth wrapper callback url" />
                <property name="serviceId" value="${server.prefix}/oauth2.0/callbackAuthorize" />
            </bean>
            <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                <property name="id" value="2" />
                <property name="name" value="key" />
                <property name="description" value="secret" />
                <property name="serviceId" value="http://www.doubannote.org/" />
                <property name="theme" value="DoubanNote" />
            </bean>
            ......

As shown above, two new beans are registered. The second bean holds the application's registration: name is the client_id, description is the client_secret, serviceId is the callback address and theme is the application name. Note that the client_secret is stored in clear text in the registry.
The purpose of the first bean is explained below: it is how the CAS server indirectly obtains a Service Ticket (ST) for itself.
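The registry above is only useful if the server actually checks each request against it. The following is an added example, not code from CAS or from the original post: it parses a registry fragment in the same Spring bean layout as Step 1 and models the checks an OAuth server has to apply before issuing a code (client_id and callback address) or a token (client_secret as well). The comparison rules are assumptions for illustration; CAS 3.5's own matching logic is not shown on this page, and exact matching of the callback address is the conservative choice. The ${server.prefix} placeholder has been filled in with the CAS URL from the background section, and the registry text is constructed for the example.

```python
# Added example (not CAS's own code): model of the registry checks behind
# /oauth2.0/authorize and /oauth2.0/accessToken. Comparison rules are assumed.
import hmac
import xml.etree.ElementTree as ET

# Constructed registry fragment in the layout of deployerConfigContext.xml.
REGISTRY_XML = """<beans>
<bean id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
  <property name="registeredServices">
    <list>
      <bean class="org.jasig.cas.services.RegisteredServiceImpl">
        <property name="id" value="1" />
        <property name="name" value="HTTP" />
        <property name="description" value="oauth wrapper callback url" />
        <property name="serviceId" value="https://cas.sayi.com:8443/cas/oauth2.0/callbackAuthorize" />
      </bean>
      <bean class="org.jasig.cas.services.RegisteredServiceImpl">
        <property name="id" value="2" />
        <property name="name" value="key" />
        <property name="description" value="secret" />
        <property name="serviceId" value="http://www.doubannote.org/" />
        <property name="theme" value="DoubanNote" />
      </bean>
    </list>
  </property>
</bean>
</beans>"""


def load_registry(xml_text):
    """Return one dict of property name -> value per RegisteredServiceImpl bean."""
    root = ET.fromstring(xml_text)
    services = []
    for bean in root.iter("bean"):
        if bean.get("class") != "org.jasig.cas.services.RegisteredServiceImpl":
            continue
        services.append({p.get("name"): p.get("value") for p in bean.findall("property")})
    return services


def find_client(services, client_id):
    """The client_id lives in the bean's 'name' property."""
    for svc in services:
        if svc.get("name") == client_id:
            return svc
    return None


def check_authorize(services, client_id, redirect_uri):
    """Checks for /authorize: known client and an exact callback match."""
    svc = find_client(services, client_id)
    if svc is None:
        return False, "unknown client_id"
    # Exact match on purpose: a prefix match would also accept
    # http://www.doubannote.org/open-redirect?to=... and turn the
    # registered callback into an open redirect for the code.
    if redirect_uri != svc.get("serviceId"):
        return False, "redirect_uri does not match registered callback"
    return True, svc.get("theme")


def check_access_token(services, client_id, client_secret, redirect_uri):
    """Checks for /accessToken: the authorize checks plus the client_secret."""
    ok, why = check_authorize(services, client_id, redirect_uri)
    if not ok:
        return False, why
    svc = find_client(services, client_id)
    # The secret lives in 'description'; compare in constant time so a
    # wrong secret and a nearly-right secret take the same time to reject.
    if not hmac.compare_digest(svc.get("description", ""), client_secret):
        return False, "bad client_secret"
    return True, svc.get("theme")
```

Both check functions return a (passed, detail) pair so the caller can log the reason without echoing it to the client; the theme (application name) is returned on success because the login page is what typically needs it.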

Step 2. The OAuth client constructs the authorize URL and obtains the authorization code

The client typically constructs the URL as follows (the parameters follow the standard OAuth2 protocol, although different OAuth servers usually add conventions of their own):

https://cas.sayi.com:8443/cas/oauth2.0/authorize?client_id=key&redirect_uri=http://www.doubannote.org/&response_type=code

For the CAS server to handle the /oauth2.0/authorize URL, the servlet mapping has to be configured in web.xml:

<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/oauth2.0/*</url-pattern>
</servlet-mapping>

And the handler mapping in cas-servlet.xml:

<prop key="/oauth2.0/*">oauth20WrapperController</prop>
......
<bean id="oauth20WrapperController"
    class="org.jasig.cas.support.oauth.web.OAuth20WrapperController"
    p:loginUrl="${server.prefix}/login" p:servicesManager-ref="servicesManager"
    p:ticketRegistry-ref="ticketRegistry" p:timeout="7200" />

Once this is configured, a request to the authorize URL is redirected to the CAS login page. The service parameter is the serviceId of the first bean configured in Step 1; the authorization code is obtained indirectly through this default-provided callback address.

https://cas.sayi.com:8443/cas/login?service=https%3A%2F%2Fcas.sayi.com%3A8443%2Fcas%2Foauth2.0%2FcallbackAuthorize

After successful authentication CAS redirects to the callbackAuthorize page with a ticket parameter carrying the ST. This ST is the authorization code. The application's callback address and service name are carried across in the session, so from callbackAuthorize the user is redirected on to the callback address with the ST as the code.

https://cas.sayi.com:8443/cas/oauth2.0/callbackAuthorize?ticket=ST-5-ywMLFaXQFnDeFI7erFy7-cas.sayi.com

By default the authorization code can be used only once and is valid for 10 seconds; both limits come from the Service Ticket expiration policy and can be changed there.

Step 3. Exchange the authorization code for an access_token

The URL is constructed as follows:

https://cas.sayi.com:8443/cas/oauth2.0/accessToken?client_id=key&client_secret=secret&grant_type=authorization_code&redirect_uri=http://www.doubannote.org/&code=ST-1-3jLuZnhcAvLiLdy7R6ft-cas.sayi.com

The response body is form-encoded rather than JSON, and carries the access_token together with its remaining lifetime in seconds (counted down from the controller's timeout of 7200):

access_token=TGT-2-qWkLyEbeoby043q05p5GHXfBg7qtdPZjEUhfemgg3UKbxAyB5s-cas.sayi.com&expires=7143

The access_token is read from this return value. Note that the token is the id of the user's Ticket Granting Ticket (TGT), that is, the CAS single sign-on session itself, so the client must protect it at least as carefully as it would the CAS session cookie.

Step 4. Retrieve user information with the access_token

Construct the URL as follows:

https://cas.sayi.com:8443/cas/oauth2.0/profile?access_token=TGT-1-gn3p9EMfFEajKOJ9DdNqd2PefJdIbIeXuESyzU4EctMtBqITRG-cas.sayi.com

The response is a JSON document with the user id and the released attributes, each attribute as its own single-key object:

{"id":"sayi",
    "attributes":[
        {
            "uid":"uid"
        },
        {
            "eduPersonAffiliation":"eduPersonAffiliation"
        },
        {
            "groupMembership":"groupMembership"
        }
    ]}
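Steps 2 to 4 together are the client side of the flow. The following is an added example and not code from the original post or from CAS: it builds the URLs in the shapes shown above, extracts the code from the callback, parses the form-encoded token response and flattens the profile JSON. It assumes the code reaches the application's callback in a query parameter named code, as in standard OAuth2; the HTTP transport is a fake that replays constructed responses in the shapes of Steps 3 and 4 so the whole flow runs offline, and the ticket values are made up.

```python
# Added example (not from the original post): the client side of Steps 2-4,
# run offline against a fake transport that replays constructed responses.
import json
from urllib.parse import urlencode, urlsplit, parse_qs

CAS = "https://cas.sayi.com:8443/cas"
CLIENT_ID = "key"
CLIENT_SECRET = "secret"
REDIRECT_URI = "http://www.doubannote.org/"


def authorize_url():
    """Step 2: the URL the browser is sent to."""
    q = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code"}
    return CAS + "/oauth2.0/authorize?" + urlencode(q)


def code_from_callback(callback_url):
    """Pull the single-use code (a CAS Service Ticket) out of the callback URL.
    Assumption: the code arrives as ?code=ST-... as in standard OAuth2."""
    qs = parse_qs(urlsplit(callback_url).query)
    code = qs.get("code", [None])[0]
    if not code or not code.startswith("ST-"):
        raise ValueError("callback carried no CAS service ticket as code")
    return code


def access_token_url(code):
    """Step 3: code exchange request in the form shown on the page."""
    q = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
         "grant_type": "authorization_code", "redirect_uri": REDIRECT_URI, "code": code}
    return CAS + "/oauth2.0/accessToken?" + urlencode(q)


def parse_access_token(body):
    """CAS 3.5 answers form-encoded (access_token=...&expires=N), not JSON."""
    fields = parse_qs(body, strict_parsing=True)
    token = fields["access_token"][0]
    expires = int(fields["expires"][0])
    if expires <= 0:
        raise ValueError("token already expired")
    return token, expires


def profile_url(token):
    """Step 4: profile request."""
    return CAS + "/oauth2.0/profile?" + urlencode({"access_token": token})


def parse_profile(body):
    """Flatten the list of one-key attribute objects into a plain dict."""
    doc = json.loads(body)
    attrs = {}
    for item in doc.get("attributes", []):
        attrs.update(item)
    return doc["id"], attrs


def fake_get(url):
    """Constructed stand-in for the CAS server: (status, body) per endpoint."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if parts.path.endswith("/oauth2.0/accessToken"):
        if qs.get("client_secret") != [CLIENT_SECRET] or not qs.get("code", [""])[0].startswith("ST-"):
            return 403, ""
        return 200, ("access_token=TGT-2-qWkLyEbeoby043q05p5GHXfBg7qtdPZjEUhfemgg3UKbxAyB5s-cas.sayi.com"
                     "&expires=7143")
    if parts.path.endswith("/oauth2.0/profile"):
        if not qs.get("access_token", [""])[0].startswith("TGT-"):
            return 403, ""
        return 200, json.dumps({"id": "sayi", "attributes": [
            {"uid": "uid"}, {"eduPersonAffiliation": "eduPersonAffiliation"},
            {"groupMembership": "groupMembership"}]})
    return 404, ""


def run_flow(callback_url, http_get=fake_get):
    """Steps 2-4 end to end: returns (user id, attributes, seconds the token is valid)."""
    code = code_from_callback(callback_url)
    status, body = http_get(access_token_url(code))
    if status != 200:
        raise RuntimeError("code exchange refused: HTTP %d" % status)
    token, expires = parse_access_token(body)
    status, body = http_get(profile_url(token))
    if status != 200:
        raise RuntimeError("profile request refused: HTTP %d" % status)
    user_id, attrs = parse_profile(body)
    return user_id, attrs, expires
```

To use it against a real CAS 3.5 server, replace fake_get with a function that performs the GET over HTTPS and returns (status, body); parse_access_token is the part most OAuth2 client libraries get wrong here, because they expect a JSON token response and CAS 3.5 returns form encoding.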
Summary

Supporting an OAuth2 server in CAS essentially means handling the /authorize, /accessToken and /profile requests: once the application is registered on the server, each access is checked against that registration (callback address, client_secret and so on). The integration with the CAS server itself is mainly the integration of CAS authentication with /authorize. This is done through callbackAuthorize: CAS provides the service address /oauth2.0/callbackAuthorize by default, an ST for that address is generated after successful CAS authentication, and that ST value is the authorization code handed to the application at its callback address.
Overall, the OAuth2 support in CAS 3.5.x is not complete, and the implementation does not follow the standard (for example the token response is form-encoded rather than the JSON body the OAuth2 specification requires). For the 3.5.x version, OAuth20WrapperController needs to be extended to integrate the OAuth2 protocol further.

