Doccrazy / keycloak-protocol-cas

CAS protocol provider for Keycloak
https://issues.jboss.org/browse/KEYCLOAK-1047
Apache License 2.0

Implement proxy ticket service and proxy ticket validation #2

Open Doccrazy opened 7 years ago

Doccrazy commented 7 years ago

Proxy ticket granting and validation is a mandatory CAS 2.0 feature and should be supported. However, not many clients use it and it is not required for basic SSO functionality.

The basic flow is the following:

  1. An intermediary service (proxy) requests a proxy granting ticket (PGT) for a user upon his call to serviceValidate during user login
  2. The proxy stores the PGT with the user session
  3. At a later point, the proxy can use this PGT to request service tickets from the IdP (Keycloak) for a 3rd party service in the name of the user by calling /proxy
  4. The proxy can now call an API on the 3rd party service using the user's credentials
  5. The 3rd party service calls /proxyValidate instead of /serviceValidate to validate the proxy ticket

Affects the following endpoints:

Web flow diagram: https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html#proxy-web-flow-diagram

CAS specification link: https://apereo.github.io/cas/5.0.x/protocol/CAS-Protocol-Specification.html#proxyvalidate-cas-20
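The five steps above, modelled as an in-memory CAS server so the ticket-handling rules can be exercised end to end. This is an added example and is not code from keycloak-protocol-cas; the class and method names, the response dictionaries, `TICKET_TTL` and the sample service URLs are assumptions chosen for the illustration. The HTTPS callback that delivers the PGT to the proxy is stood in for by a dictionary (`pgt_callbacks`). The checks a validating service depends on are included: tickets are single-use, a ticket is bound to the service it was issued for, `/serviceValidate` refuses proxy tickets, and no PGT is issued for a non-HTTPS `pgtUrl`.

```python
"""In-memory model of the CAS 2.0 proxy ticket flow (added example, not the project's code)."""
import secrets
import time

TICKET_TTL = 300  # seconds an ST/PT stays valid; assumed value for this example


class CasServer:
    """Models the server side: /login, /serviceValidate, /proxy and /proxyValidate."""

    def __init__(self):
        self._tickets = {}        # "ST-"/"PT-" id -> {kind, user, service, proxies, issued}
        self._pgts = {}           # "PGT-" id -> {user, proxies}
        self.pgt_callbacks = {}   # pgt_url -> {pgtIou: pgtId}; stands in for the HTTPS callback

    @staticmethod
    def _ticket_id(prefix):
        return f"{prefix}-{secrets.token_urlsafe(24)}"

    def login(self, user, service):
        """User authenticates; a service ticket bound to `service` is issued."""
        st = self._ticket_id("ST")
        self._tickets[st] = {"kind": "ST", "user": user, "service": service,
                             "proxies": [], "issued": time.time()}
        return st

    def _consume(self, ticket, service):
        """Single-use lookup: the ticket is invalidated whether or not validation succeeds."""
        entry = self._tickets.pop(ticket, None)
        if entry is None or time.time() - entry["issued"] > TICKET_TTL:
            return None, {"ok": False, "code": "INVALID_TICKET"}
        if entry["service"] != service:
            return None, {"ok": False, "code": "INVALID_SERVICE"}
        return entry, None

    def service_validate(self, ticket, service, pgt_url=None):
        """/serviceValidate: validates an ST and, if pgtUrl is given, issues a PGT (step 1)."""
        entry, err = self._consume(ticket, service)
        if err:
            return err
        if entry["kind"] != "ST":
            # CAS 2.0: /serviceValidate must not accept proxy tickets
            return {"ok": False, "code": "INVALID_TICKET"}
        resp = {"ok": True, "user": entry["user"]}
        if pgt_url:
            if not pgt_url.startswith("https://"):
                return resp  # authentication succeeds, but no PGT for a non-HTTPS callback
            iou, pgt = self._ticket_id("PGTIOU"), self._ticket_id("PGT")
            self._pgts[pgt] = {"user": entry["user"], "proxies": [pgt_url] + entry["proxies"]}
            self.pgt_callbacks.setdefault(pgt_url, {})[iou] = pgt  # out-of-band delivery
            resp["pgtIou"] = iou  # only the IOU travels in the validation response
        return resp

    def proxy(self, pgt, target_service):
        """/proxy: the proxy exchanges its PGT for a PT bound to the 3rd-party service (step 3)."""
        pg = self._pgts.get(pgt)
        if pg is None:
            return {"ok": False, "code": "BAD_PGT"}
        pt = self._ticket_id("PT")
        self._tickets[pt] = {"kind": "PT", "user": pg["user"], "service": target_service,
                             "proxies": pg["proxies"], "issued": time.time()}
        return {"ok": True, "proxyTicket": pt}

    def proxy_validate(self, ticket, service):
        """/proxyValidate: accepts ST or PT and returns the proxy chain for inspection (step 5)."""
        entry, err = self._consume(ticket, service)
        if err:
            return err
        return {"ok": True, "user": entry["user"], "proxies": entry["proxies"]}


def run_proxy_flow():
    """Walks steps 1-5 from the issue and returns the observable outcomes (constructed URLs)."""
    cas = CasServer()
    app, api, cb = "https://app.example/cas", "https://api.example/resource", "https://app.example/pgt"
    st = cas.login("alice", app)
    login = cas.service_validate(st, app, pgt_url=cb)          # step 1: proxy asks for a PGT
    pgt = cas.pgt_callbacks[cb][login["pgtIou"]]               # step 2: proxy stores the PGT
    pt = cas.proxy(pgt, api)["proxyTicket"]                    # step 3: PT for the 3rd-party API
    api_resp = cas.proxy_validate(pt, api)                     # steps 4/5: API validates the PT
    replay = cas.proxy_validate(pt, api)                       # same PT presented twice
    pt2 = cas.proxy(pgt, api)["proxyTicket"]
    wrong_service = cas.proxy_validate(pt2, "https://other.example/")
    pt3 = cas.proxy(pgt, api)["proxyTicket"]
    via_service_validate = cas.service_validate(pt3, api)      # PT sent to /serviceValidate
    no_pgt = cas.service_validate(cas.login("bob", app), app, pgt_url="http://app.example/pgt")
    return {"login": login, "pgt": pgt, "api": api_resp, "replay": replay,
            "wrong_service": wrong_service, "via_service_validate": via_service_validate,
            "no_pgt": no_pgt}


if __name__ == "__main__":
    for name, value in run_proxy_flow().items():
        print(name, value)
```

The `proxies` list returned by `proxy_validate` is what lets the 3rd-party service decide whether it trusts the proxy that acted on the user's behalf; a service that ignores it accepts any intermediary holding a PGT for that user.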

cromra commented 5 years ago

It seems one project to come will need this feature to work. Have you found any time to spend on its implementation ?

Doccrazy commented 5 years ago

Sorry, there has been no progress in implementing support for the CAS proxy flow. This is a complex feature that is not widely used, and has mostly been replaced by OAuth.

If possible, I would recommend switching your project to standardized OAuth 2.0 authentication. But contributions are always welcome! I don't think I will find the time to implement this in the near future.

cromra commented 5 years ago

Thank you for your response. Unfortunately, this upcoming application won't evolve to support OAuth 2.0 in the near future. I'm not sure I have the skills to develop this; I will try to have a look.