OAuth/OpenID Authentication
This page specifically describes how to enable OAuth/OpenID server support for CAS. If you would like to have CAS act as an OAuth/OpenID client communicating with other providers (such as Google, Facebook, etc), see this page.
To get a better understanding of the OAuth/OpenID protocol support in CAS, see this page.
Configuration
Support is enabled by including the following dependency in the Maven WAR overlay:
1
2
3
4
5
<dependency>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-server-support-oauth</artifactId>
<version>${cas.version}</version>
</dependency>
Add servlet mapping in web.xml
1
2
3
4
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/oauth2.0/*</url-pattern>
</servlet-mapping>
After enabling OAuth support, three new urls will be available:
-
/oauth2.0/authorize
It’s the url to call to authorize the user: the CAS login page will be displayed and the user will authenticate. After successful authentication, the user will be redirected to the OAuth callback url with a code. Input GET parameters required: client_id and redirect_uri. -
/oauth2.0/accessToken
It’s the url to call to exchange the code for an access token. Input GET parameters required: client_id, redirect_uri, client_secret and code. -
/oauth2.0/profile
It’s the url to call to get the profile of the authorized user. Input GET parameter required: access_token. The response is in JSON format with all attributes of the user.
Add OAuth Clients
Every OAuth client must be defined as a CAS service (notice the new clientId and clientSecret properties, specific to OAuth):
1
2
3
4
5
6
7
8
9
{
"@class" : "org.jasig.cas.support.oauth.services.OAuthRegisteredService",
"clientId": "clientid",
"clientSecret": "clientSecret",
"bypassApprovalPrompt": false,
"serviceId" : "^(https|imaps)://hello.*",
"name" : "HTTPS and IMAPS",
"id" : 10000001
}
OpenID Authentication
To configure CAS to act as an OpenID provider, please see this page.