cas's Introduction

CAS Client library

CAS provides an http-package-compatible client implementation for securing HTTP frontends written in Go.

import "gopkg.in/cas.v2"

If you are using go modules, get the library by running:

go get gopkg.in/[email protected]

Examples and Documentation

Documentation is available at https://pkg.go.dev/gopkg.in/cas.v2. Examples are included in the documentation and are also available in the _examples directory.

cas's People

Contributors

bbiao, carllhw, daveilers, geoffgarside, jaywoods2, kalebo, sdorra, tslling


cas's Issues

help with custom attributes

hi there,

my work's CAS server is returning a response like

<?xml version="1.0" encoding="UTF-8"?>                                                                
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">                                          
  <cas:authenticationSuccess>
    <cas:user>bhenderson</cas:user>                                                                   
    <cas:attributes>                                                                                  
      <cas:user_id>1234</cas:user_id>
      <cas:login>bhenderson</cas:login>
      <cas:name>Brian Henderson</cas:name>                                                            
      <cas:email>[email protected]</cas:email>                                                           
      <cas:reports_to>myboss</cas:reports_to> 
    </cas:attributes>
    <cas:attribute name="user_id" value="1234"/>                                                      
    <cas:attribute name="login" value="bhenderson"/>                                                  
    <cas:attribute name="name" value="Brian Henderson"/>                                              
    <cas:attribute name="email" value="[email protected]"/> 
    <cas:attribute name="reports_to" value="myboss"/>                                                 
  </cas:authenticationSuccess>
</cas:serviceResponse>

and the extra attributes aren't getting picked up. Do you have any suggestions? I don't know a lot about what a correct response should look like, so I don't know if my company is wrong (our CAS server is old) or if the spec is just really broad.

thanks,

How to set this up on Google App Engine? (Keep getting redirect error)

Hello, thank you for this library. I have it set up on Google App Engine; however, I needed to modify the example a bit since it needs to run in init(). It's worth pointing out that I got it working when I wasn't using App Engine.

Any idea why I would get a redirect infinite loop? What appears to be happening is my server redirects to cas server and then the cas server redirects back to my server and then my server redirects back to the cas server forever.

package main

import (
	"flag"
	"net/http"
	"net/url"

	cas "gopkg.in/cas.v2"
)

var casURL string

// MyHandler was not shown in the original post; this placeholder stands in
// for the application's real handler so the file compiles.
var MyHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("hello"))
})

func init() {
	flag.StringVar(&casURL, "url", "", "CAS server URL")
	flag.Parse()

	casURL = "URLREMOVED"
	if casURL == "" {
		flag.Usage()
		return
	}
	//glog.Info("Starting up")

	m := http.NewServeMux()

	m.Handle("/", MyHandler)

	// Renamed from `url` so the variable no longer shadows the net/url package,
	// and the parse error is no longer discarded.
	casServerURL, err := url.Parse(casURL)
	if err != nil {
		panic(err)
	}
	client := cas.NewClient(&cas.Options{
		URL: casServerURL,
	})

	http.Handle("/", client.Handle(m)) // <--- is the error related to this line?
}

Cannot use gopkg.in/cas.v1 in beego? How?

Seen your code.

Use clientHandler (handler.go) to wrap the real user's handler.

But the problem is that beego already wraps http.Handler; the user doesn't need to create their own handler, just Controller + Router will work fine.

So I created a beego_helpers.go in the project to do some tricky things. I am a new Gopher; I think you can come up with a better solution.

beego is a web framework. beego.me

beego_helper.go:

package cas

import (
    "net/http"

    "github.com/golang/glog"
)

type BeegoCASData struct {
    userName string
}

func (bcd *BeegoCASData) GetUserName() string {
    return bcd.userName
}

func ServeBeego(w http.ResponseWriter, r *http.Request, c *Client) *BeegoCASData {
    if glog.V(2) {
        glog.Infof("cas: handling %v request for %v", r.Method, r.URL)
    }

    setClient(r, c)
    defer clear(r)

    c.getSession(w, r)

    if !IsAuthenticated(r) {
        RedirectToLogin(w, r)
        return nil
    }

    if r.URL.Path == "/logout" {
        RedirectToLogout(w, r)
        return nil
    }

    return &BeegoCASData{
        userName: Username(r),
    }
}

AuthenticationDate parse error

The CAS 3.0 server returns AuthenticationDate as a ZonedDateTime string, but go-cas parses it as a time.Time, so I get the error below:

parsing time "2018-06-21T14:44:52.715+08:00[Asia/Shanghai]": extra text: [Asia/Shanghai]

the response is:

curl "http://cas.example.com/p3/serviceValidate?service=http://localhost:9000&ticket=ST-2344-9oiwc7g9_xg5HBxx3T371X4ARLI-db796d3ad01b"

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>helphi</cas:user>
        <cas:attributes>
            <cas:credentialType>RememberMeUsernamePasswordCredential</cas:credentialType>
            <cas:isFromNewLogin>true</cas:isFromNewLogin>
            <cas:mail>[email protected]</cas:mail>
            <cas:authenticationDate>2018-06-21T13:43:07.597+08:00[Asia/Shanghai]</cas:authenticationDate>
            <cas:authenticationMethod>LdapAuthenticationHandler</cas:authenticationMethod>
            <cas:successfulAuthenticationHandlers>LdapAuthenticationHandler</cas:successfulAuthenticationHandlers>
            <cas:longTermAuthenticationRequestTokenUsed>true</cas:longTermAuthenticationRequestTokenUsed>
            <cas:sn>helphi.he</cas:sn>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>
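The parse failure above comes from the bracketed IANA zone ID that Java's ZonedDateTime appends after the numeric offset, which Go's RFC 3339 layouts do not accept. The following is an added example (not code from the go-cas library or from the issue author) showing one tolerant parser: it splits off a `[Region/City]` suffix with a deliberately narrow pattern, parses the rest as RFC 3339, and, where the zone database is available, cross-checks that the named zone agrees with the numeric offset so a tampered or inconsistent attribute is rejected rather than silently accepted. The function name `ParseZonedDateTime` and the sample value are this example's own; the sample string is the one quoted in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"time"

	_ "time/tzdata" // embed the zone database so LoadLocation works without system tzdata
)

// Constructed sample: the attribute value quoted in the issue, carrying the
// bracketed zone ID that Java's ZonedDateTime.toString() appends.
const sampleAuthDate = "2018-06-21T14:44:52.715+08:00[Asia/Shanghai]"

// zoneSuffix matches a trailing "[Region/City]" zone-ID suffix. The character
// class is kept narrow so unexpected text in the attribute cannot sneak through.
var zoneSuffix = regexp.MustCompile(`^(.*)\[([A-Za-z0-9_+/-]+)\]$`)

// ParseZonedDateTime accepts both plain RFC 3339 timestamps and Java
// ZonedDateTime strings. When a zone ID is present and can be loaded, its
// offset at that instant must match the numeric offset in the timestamp.
func ParseZonedDateTime(s string) (time.Time, error) {
	stamp, zone := s, ""
	if m := zoneSuffix.FindStringSubmatch(s); m != nil {
		stamp, zone = m[1], m[2]
	}
	t, err := time.Parse(time.RFC3339Nano, stamp)
	if err != nil {
		return time.Time{}, err
	}
	if zone != "" {
		if loc, lerr := time.LoadLocation(zone); lerr == nil {
			// Cross-check: the named zone's offset at this instant must equal
			// the numeric offset the timestamp carries.
			_, want := t.In(loc).Zone()
			_, got := t.Zone()
			if want != got {
				return time.Time{}, fmt.Errorf("offset %+d does not match zone %s", got, zone)
			}
		}
		// If the zone cannot be loaded, the numeric offset alone is trusted.
	}
	return t, nil
}

func main() {
	t, err := ParseZonedDateTime(sampleAuthDate)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("authenticationDate (UTC):", t.UTC().Format(time.RFC3339Nano))
}
```

The zone cross-check matters because the attribute is data supplied by the CAS server over the wire; an application that enforces a maximum authentication age should compute it from the validated instant, not from a string it could not fully parse.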

ERR_TOO_MANY_REDIRECTS

I've been trying to get your library working, it auths correctly and the ticket it gets back is correct, but i keep running into the fact that cas.IsAuthenticated(r) always returns false.

I thought I was doing something wrong, so I copied and pasted your example word for word and again it comes back false and sits in a loop redirecting back to the CAS server.

Is it possible to have an updated example, or even confirmation that it is correct as is?

Thank you
~Anti

How about replacing session with an interface

Hi, @geoffgarside. How about replacing session with a sessionStore interface, so we can implement this interface with redisStore?

For now, session data is kept in memory; when we deploy multiple web server instances, session data is not shared between those instances. Meanwhile, when we restart an instance, that session data is flushed.

It's now very convenient to use.

[bug] wrong key is passed to session deletion when logout

AFAIK, the mapping between cookie, session and ticket is as follows:
cookie key --> cookie value (also the session key)
session key --> session value (also the service ticket)
service ticket --> authentication info.

cas/client.go

Lines 356 to 365 in 87e080a

if s, ok := c.sessions.Get(cookie.Value); ok {
	if err := c.tickets.Delete(s); err != nil {
		fmt.Printf("Failed to remove %v from %T: %v\n", cookie.Value, c.tickets, err)
		if glog.V(2) {
			glog.Errorf("Failed to remove %v from %T: %v", cookie.Value, c.tickets, err)
		}
	}
	c.deleteSession(s)
}

c.sessions.Get(cookie.Value) gets the session value (also the service ticket), while c.deleteSession() should receive the session key as the parameter. We passed the session value as the session key, so deleteSession does not work here.
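The two issues above (a pluggable session store, and the logout path deleting the session under the wrong key) share the same model of the client's state, so the following single added example covers both. It is this editor's toy reconstruction, not go-cas code: `KVStore`, `memStore`, `Authenticator` and the method names are this example's own, and the in-memory store stands in for a shared backend such as Redis. `LogoutBuggy` reproduces the defect described in the issue, `Logout` shows the key-correct teardown, and `HasSession` exposes the stale entry the bug leaves behind.

```go
package main

import (
	"fmt"
	"sync"
)

// KVStore is the store interface the session-store issue asks for. One shape
// backs both mappings, so a Redis-backed implementation can be dropped in
// without touching the authenticator.
type KVStore interface {
	Get(key string) (string, bool)
	Set(key, value string)
	Delete(key string)
}

// memStore is an in-memory KVStore standing in for a shared store.
type memStore struct {
	mu sync.RWMutex
	m  map[string]string
}

func newMemStore() *memStore { return &memStore{m: map[string]string{}} }

func (s *memStore) Get(k string) (string, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	v, ok := s.m[k]
	return v, ok
}

func (s *memStore) Set(k, v string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.m[k] = v
}

func (s *memStore) Delete(k string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.m, k)
}

// Authenticator models the client's two maps (names are this example's own):
//   sessions: session key (cookie value) -> service ticket
//   tickets:  service ticket -> authenticated username
type Authenticator struct {
	sessions KVStore
	tickets  KVStore
}

func NewAuthenticator(sessions, tickets KVStore) *Authenticator {
	return &Authenticator{sessions: sessions, tickets: tickets}
}

// Login records a validated ticket and binds it to the session key.
func (a *Authenticator) Login(sessionKey, ticket, user string) {
	a.tickets.Set(ticket, user)
	a.sessions.Set(sessionKey, ticket)
}

// IsAuthenticated follows cookie -> session -> ticket -> user.
func (a *Authenticator) IsAuthenticated(sessionKey string) bool {
	ticket, ok := a.sessions.Get(sessionKey)
	if !ok {
		return false
	}
	_, ok = a.tickets.Get(ticket)
	return ok
}

// LogoutBuggy reproduces the defect from the issue: the session is deleted
// under the ticket (the session *value*) instead of the session key, so the
// session entry survives, pointing at a ticket that no longer exists.
func (a *Authenticator) LogoutBuggy(sessionKey string) {
	if ticket, ok := a.sessions.Get(sessionKey); ok {
		a.tickets.Delete(ticket)
		a.sessions.Delete(ticket) // wrong key: should be sessionKey
	}
}

// Logout removes both entries under their own keys. The session entry is
// removed unconditionally so a stale cookie binding cannot be left behind.
func (a *Authenticator) Logout(sessionKey string) {
	if ticket, ok := a.sessions.Get(sessionKey); ok {
		a.tickets.Delete(ticket)
	}
	a.sessions.Delete(sessionKey)
}

// HasSession reports whether a session entry still exists for the key.
func (a *Authenticator) HasSession(sessionKey string) bool {
	_, ok := a.sessions.Get(sessionKey)
	return ok
}

func main() {
	a := NewAuthenticator(newMemStore(), newMemStore())
	a.Login("sess-1", "ST-constructed-1", "alice") // constructed values
	a.LogoutBuggy("sess-1")
	fmt.Println("buggy logout leaves session entry:", a.HasSession("sess-1"))
	a.Login("sess-2", "ST-constructed-2", "bob")
	a.Logout("sess-2")
	fmt.Println("fixed logout leaves session entry:", a.HasSession("sess-2"))
}
```

With the buggy variant the user is logged out in practice (the ticket is gone, so IsAuthenticated is false), but the orphaned session entry accumulates in the store; with a shared backend that is both a leak and a stale binding that a later code path could wrongly trust.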

When accessing RedirectToLogin from the service under tlb inside the enterprise, the wrong proxy ip address will appear as the callback host

I deployed a service and printed the header information of the request. The X-Forwarded-Host field is an ip, which is frustrating


https://github.com/go-cas/cas/blob/v2.2.2/client.go#L113


Then the RedirectToLogin function 302 to the sso.xx.com/cas/login?service=10.x.x.x:1234/cas address, which is not the same as the callback address I set in the enterprise, resulting in authentication failure

Can we set the redirected host in some way?
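Deriving the service callback from whatever host the proxy chain forwards is what produces the wrong `service=` parameter above, and it is also the classic host-header weakness: any hop that can set `X-Forwarded-Host` decides where the login redirect points back to. The following is an added example, not go-cas code (the library's own option names at client.go#L113 are not shown on the page): `ServiceURLPolicy`, `ServiceURL` and `sampleRequest` are this example's own. It pins the callback to a configured canonical base when one is set, honours `X-Forwarded-*` only from explicitly trusted proxy addresses, and otherwise falls back to the request's own Host and scheme.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ServiceURLPolicy is a hypothetical configuration for deriving the callback
// ("service") URL that is sent to the CAS login endpoint.
type ServiceURLPolicy struct {
	// CanonicalBase, when set (e.g. "https://app.example.com"), supplies the
	// scheme and host unconditionally; proxy headers are ignored entirely.
	CanonicalBase string
	// TrustedProxies lists the only peer IPs whose X-Forwarded-* headers are honoured.
	TrustedProxies []string
}

func (p ServiceURLPolicy) fromTrustedProxy(r *http.Request) bool {
	ip, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	for _, t := range p.TrustedProxies {
		if t == ip {
			return true
		}
	}
	return false
}

// ServiceURL builds the callback URL for the current request under the policy.
func (p ServiceURLPolicy) ServiceURL(r *http.Request) (string, error) {
	if p.CanonicalBase != "" {
		base, err := url.Parse(p.CanonicalBase)
		if err != nil {
			return "", err
		}
		base.Path, base.RawQuery = r.URL.Path, r.URL.RawQuery
		return base.String(), nil
	}
	scheme, host := "http", r.Host
	if r.TLS != nil {
		scheme = "https"
	}
	if p.fromTrustedProxy(r) {
		if h := r.Header.Get("X-Forwarded-Host"); h != "" {
			host = h
		}
		if s := r.Header.Get("X-Forwarded-Proto"); s == "https" || s == "http" {
			scheme = s
		}
	}
	u := url.URL{Scheme: scheme, Host: host, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
	return u.String(), nil
}

// sampleRequest builds a constructed request as it might arrive through a
// load balancer: the Host header carries the internal hop (an IP and port).
func sampleRequest(remoteAddr, forwardedHost, forwardedProto string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://10.0.0.5:1234/cas", nil)
	r.RemoteAddr = remoteAddr
	if forwardedHost != "" {
		r.Header.Set("X-Forwarded-Host", forwardedHost)
	}
	if forwardedProto != "" {
		r.Header.Set("X-Forwarded-Proto", forwardedProto)
	}
	return r
}

func main() {
	policies := map[string]ServiceURLPolicy{
		"untrusted": {},
		"trusted":   {TrustedProxies: []string{"192.0.2.10"}},
		"pinned":    {CanonicalBase: "https://app.example.com"},
	}
	r := sampleRequest("192.0.2.10:40000", "app.example.com", "https")
	for name, p := range policies {
		s, _ := p.ServiceURL(r)
		fmt.Printf("%-9s -> %s\n", name, s)
	}
}
```

Pinning the base is the simplest fix for the deployment described in the issue, since the service URL registered with the CAS server is fixed anyway; trusting forwarded headers should be limited to the load balancer's own addresses.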

why run cas-chi.go errors

$ go run cas-chi.go
# command-line-arguments
./cas-chi.go:29:17: client.Handler undefined (type *cas.Client has no field or method Handler)

set cas service client and ServiceTicketValidator client with different URL

hi, guys

I use go-cas and it works great!

I have a small request. In our prod, the cas client must access cas client with an internal API to complete the ServiceTicketValidator func. I found that the CAS httpClient is the same as the stValidator httpClient:

return &Client{
	tickets:     tickets,
	client:      client,
	urlScheme:   urlScheme,
	cookie:      cookie,
	sessions:    sessions,
	sendService: options.SendService,
	stValidator: NewServiceTicketValidator(client, options.URL),
}

I want to add a func:

// SetStValidator sets the ServiceTicketValidator for the client
func (c *Client) SetStValidator(stValidator *ServiceTicketValidator) {
	c.stValidator = stValidator
}

so that I can set a ServiceTicketValidator with a different httpclient.

Thanks

Support for SAML Ticket Validation?

Are there any plans for adding SAML 1.1 Ticket Validation?

Currently, I am able to authenticate to receive a ticket and my username from my enterprise CAS server but am unable to retrieve attributes, and it appears the issue is caused by my corporate server requiring the additional SAML step for attribute release. Are there any plans for supporting this?

Thanks

New Maintainer

@bbiao has volunteered to take over maintainership. Member access to the go-cas organisation has been granted.

Cookie secure when HTTPS

Hello, I use go-cas with revel and it works great!

I have a small request: to go to prod I need to secure the CAS cookies. Can you add this option when creating a NewClient?
From:

	casAuthClient := cas.NewClient(&cas.Options{
		URL: parsedUrl,
	})

To:

	casAuthClient := cas.NewClient(&cas.Options{
		URL:            parsedUrl,
		CookieHttpOnly: true,
		CookieSecure:   true,
	})

And when creating a session:
From:

// getCookie finds or creates the session cookie on the response.
func getCookie(w http.ResponseWriter, r *http.Request) *http.Cookie {
	c, err := r.Cookie(sessionCookieName)
	if err != nil {
		// NOTE: Intentionally not enabling HttpOnly so the cookie can
		//       still be used by Ajax requests.
		c = &http.Cookie{
			Name:     sessionCookieName,
			Value:    newSessionId(),
			MaxAge:   86400,
			HttpOnly: false,
		}

		if glog.V(2) {
			glog.Infof("Setting %v cookie with value: %v", c.Name, c.Value)
		}

		r.AddCookie(c) // so we can find it later if required
		http.SetCookie(w, c)
	}

	return c
}

To:

// getCookie finds or creates the session cookie on the response.
func (client *Client) getCookie(w http.ResponseWriter, r *http.Request) *http.Cookie {
	cookie, err := r.Cookie(sessionCookieName)
	if err != nil {
		// NOTE: Intentionally not enabling HttpOnly so the cookie can
		//       still be used by Ajax requests.
		/*
		c = &http.Cookie{
			Name:     sessionCookieName,
			Value:    newSessionId(),
			MaxAge:   86400,
			HttpOnly: false,
		}
		*/
		cookie = &http.Cookie{
			Name:     sessionCookieName,
			Value:    newSessionId(),
			MaxAge:   86400,
			HttpOnly: client.CookieHttpOnly,
			Secure:   client.CookieSecure,
		}

		if glog.V(2) {
			glog.Infof("Setting %v cookie with value: %v", cookie.Name, cookie.Value)
		}

		r.AddCookie(cookie) // so we can find it later if required
		http.SetCookie(w, cookie)
	}

	return cookie
}

No problem reported with Ajax and HttpOnly; you just need to use the option `credentials: 'same-origin'`.

Thank you
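The before/after diff above turns the cookie flags into options but gives no way to confirm what the server actually emits. The following is an added example, not go-cas code: `CookieOptions`, `setSessionCookie` and `AuditSessionCookie` are this example's own, the cookie name `_cas_session` is assumed (the library's constant is not shown on the page), and the session value is a constructed placeholder. It issues the cookie through Go's standard `http.SetCookie`, captures the resulting `Set-Cookie` header with `httptest`, and reports which protections are absent. It goes one step past the issue by also checking for a SameSite attribute, which is the server-side counterpart of the `credentials: 'same-origin'` fetch setting mentioned above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sessionCookieName is assumed; the library's actual constant is not shown on the page.
const sessionCookieName = "_cas_session"

// CookieOptions carries the two flags the issue proposes plus SameSite.
type CookieOptions struct {
	Secure   bool
	HttpOnly bool
	SameSite http.SameSite
}

// setSessionCookie issues the session cookie with the given protections.
// The value is a constructed placeholder; a real client generates a random ID.
func setSessionCookie(w http.ResponseWriter, opts CookieOptions) {
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookieName,
		Value:    "constructed-session-id",
		Path:     "/",
		MaxAge:   86400,
		Secure:   opts.Secure,
		HttpOnly: opts.HttpOnly,
		SameSite: opts.SameSite,
	})
}

// AuditSessionCookie captures the Set-Cookie header produced by
// setSessionCookie and lists the protections that are missing. An empty
// result means the cookie carries Secure, HttpOnly and a Lax/Strict SameSite.
func AuditSessionCookie(opts CookieOptions) []string {
	rec := httptest.NewRecorder()
	setSessionCookie(rec, opts)
	var missing []string
	for _, c := range rec.Result().Cookies() {
		if c.Name != sessionCookieName {
			continue
		}
		if !c.Secure {
			missing = append(missing, "Secure")
		}
		if !c.HttpOnly {
			missing = append(missing, "HttpOnly")
		}
		if c.SameSite != http.SameSiteLaxMode && c.SameSite != http.SameSiteStrictMode {
			missing = append(missing, "SameSite")
		}
	}
	return missing
}

func main() {
	weak := CookieOptions{} // the unflagged cookie the "From" version of getCookie emits
	hardened := CookieOptions{Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}
	fmt.Println("weak cookie missing:", AuditSessionCookie(weak))
	fmt.Println("hardened cookie missing:", AuditSessionCookie(hardened))
}
```

The same audit logic can be pointed at a live response (`resp.Cookies()` on an `http.Response`) to verify a deployment end to end, which is useful when a TLS-terminating proxy sits in front of the Go service and `Secure` depends on configuration rather than code.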

glog

Hi

Thanks for providing a really useful package

What is the idea behind using glog? Its repository hasn't been updated in 4 years, and it is a little bit annoying to have a hardcoded logging package inside a library.

Bug: validate can't use client URLSchema

custom client URLSchema

But in ServiceTicketValidator.ServiceValidateUrl the path is hard-coded???

func (validator *ServiceTicketValidator) ServiceValidateUrl(serviceUrl *url.URL, ticket string) (string, error) {
	u, err := validator.casUrl.Parse(path.Join(validator.casUrl.Path, "serviceValidate"))
