apereo / dotnet-cas-client

Apereo .NET CAS Client
Apache License 2.0

Can't have CAS and "standard" login in // #89

Closed CEG-Ecoles closed 5 years ago

CEG-Ecoles commented 6 years ago

I use CAS authentication successfully on a WebForms app. Now I need to let some users log in to my app with a standard login form (at a special URL). So I modified my web.config to remove the security restriction on the login page, so the user can access it. After the postback it's OK, he is authenticated (an .ASPXAUTH cookie with a value is present). But then he is redirected to the next page and DotNetCasClient clears this cookie, so my user is no longer authenticated.

CasAuthenticationModule.OnAuthenticateRequest() -> CasAuthentication.ProcessRequestAuthentication() -> CasAuthentication.GetFormsAuthenticationTicket() -> CasAuthentication.ClearAuthCookie()

ClearAuthCookie() is called because the UserData of the FormsAuthenticationTicket is null.

Why always call CasAuthentication.ProcessRequestAuthentication() even if the user is already authenticated?
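The following diagnostic is an added illustration for this thread, not code from DotNetCasClient or from the reporter. It reproduces the check the reporter traced (a forms ticket with no UserData is treated as not CAS-issued) so you can inspect the .ASPXAUTH cookie on a request and see which branch a user would fall into before the module clears it. It assumes the cookie is the standard ASP.NET forms authentication cookie and that the application's machine key can decrypt it; the condition it tests is the one described in the issue, not the module's full validation logic, which also consults its own ticket cache.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added illustration only: mirrors the UserData condition reported in issue #89,
// it is not DotNetCasClient's implementation.
public static class AuthCookieInspector
{
    // A ticket created by FormsAuthentication.SetAuthCookie (the "standard" login
    // path) carries empty UserData; the CAS module expects the service ticket there.
    public static bool HasCasUserData(FormsAuthenticationTicket ticket)
    {
        return ticket != null && !string.IsNullOrEmpty(ticket.UserData);
    }

    // Describes what the CAS module would do with the forms cookie on this request.
    public static string Diagnose(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return "no forms authentication cookie present";
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Throws if the cookie was issued under a different machine key or was altered.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            return "forms cookie could not be decrypted: " + ex.Message;
        }

        if (ticket == null)
        {
            return "forms cookie decrypted to no ticket";
        }
        if (ticket.Expired)
        {
            return "forms ticket for '" + ticket.Name + "' has expired";
        }

        return HasCasUserData(ticket)
            ? "forms ticket for '" + ticket.Name + "' carries UserData; the CAS module would validate it against its cache"
            : "forms ticket for '" + ticket.Name + "' has empty UserData; the CAS module would call ClearAuthCookie()";
    }
}

// Usage from a page or handler while reproducing the redirect:
//   string verdict = AuthCookieInspector.Diagnose(HttpContext.Current.Request);
//   System.Diagnostics.Trace.WriteLine(verdict);
```

Run the diagnosis on the page the user lands on after the standard login postback: for a ticket produced by the standard login form it reports empty UserData, which is the state in which the module discards the cookie. The check is only for understanding the behaviour; populating UserData from the standard login path would not make the ticket valid to the module, since the module also matches it against the CAS service tickets it has recorded.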

CEG-Ecoles commented 6 years ago

Bump

TheHokieCoder commented 6 years ago

@CEG-Ecoles Sorry for the delay in responding. Unfortunately me and the few others that contribute these days are quite busy with our day jobs. Without digging deeper into the specifics about how you are doing the "standard" logging in of users, my initial guess would be that you are wanting both DotNetCasClient and standard web forms authentication methods to work at the same time, which I don't believe is possible. I believe that DotNetCasClient was written to pretty much wipe the slate clean if there are any issues with the service ticket validation for each request. So when you have a "standard" log in user hit a CAS-enabled page, DotNetCasClient thinks something is amiss (because there isn't a service ticket to validate the authentication), so it wipes out everything. This is probably a mechanism to help against ticket hijacking or spoofing.

Is there any way that you might be able to provision those users as guest accounts of some sort in the directory that backs your CAS server? That would be the least painless way to solve your problem, but may not be doable in your org. Or stand up a service provider that can proxy authentication of your "standard" users to your CAS server?

If you can't do either of those, let me know. I'll think harder about your use case. I don't remember enough about ASP.NET identity off the top of my head to know how technically feasible multiple-authentication providers are.

phantomtypist commented 6 years ago

It is somewhat possible. We’ve done it at my job on one application. You basically have to choose the .NET CAS Client as the default forms authentication mechanism. Then, for certain controllers/views (if you use MVC) you manually implement your own custom membership and role providers. It's not pretty, but it works.

Another thing you may want to look into is rolling out IdentityServer 4 and configuring the multiple different authentication mechanisms there, so your application will only talk to the IdentityServer. IMHO if you can pull that off it's a better option.


TheHokieCoder commented 6 years ago

@phantomtypist I understood it that he wants to be able to use the mixed bag of authentication on ALL pages (he said web forms) of his app, hence why DotNetCasClient is tripping over the standard forms authentication. e.g. default.aspx is protected by DotNetCasClient while secret-login.aspx is standard forms. Login succeeds when authenticated via secret-login.aspx, but when going to default.aspx, DotNetCasClient blows away the forms authentication ticket, presumably because it doesn't match what it has in its cache. Therefore the standard forms authentication is lost. @CEG-Ecoles can you confirm this?

I agree that it would be possible to do separate authentication on different pages/areas, but I'm not sure about multiple authentication providers on ALL pages/areas of the application. Even with things like Facebook/Google authentication integration, they are still being aggregated (or however you want to call it) together via a single standard like OAuth. DotNetCasClient doesn't support anything like that, OOB, right?

phantomtypist commented 6 years ago

Nope, .NET CAS client doesn't support that concept out of the box. I think if you want to achieve that you'll have to stand up IdentityServer 4 and have your application perform authentication against that. IdentityServer will be able to use a multitude of different providers including CAS.


CEG-Ecoles commented 5 years ago

@TheHokieCoder I confirm your description of my situation. @phantomtypist I don't know about IdentityServer 4, but on the main site page I read "for ASP.NET Core 2" (we use ASP.NET 4.5). And I don't want to change our authentication concept for that. Did you find that it is a really bad thing to not clear cookies when the user is authenticated but not by CAS?

phantomtypist commented 5 years ago

IdentityServer is a standalone app... It is not something you build into your app. IdentityServer 4 itself is a .NET Core app, so yes, you are correct on that part. You can have a .NET Framework app like yours authenticate against the separate IdentityServer app.


From: CEG - Ecoles notifications@github.com Sent: Friday, October 5, 2018 9:02:16 AM To: apereo/dotnet-cas-client Cc: Jason Kanaris; Mention Subject: Re: [apereo/dotnet-cas-client] Can't have CAS and "standard" login in // (#89)

@TheHokieCoderhttps://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FTheHokieCoder&data=02%7C01%7C%7C59d6a15da545484a9dec08d62ac2c781%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636743413383424493&sdata=hs4fsis%2FPXMm%2FCK2wqO8lLWsTvXj716%2Fu7jD9qCPVgo%3D&reserved=0 I confirm your description of me situation. @phantomtypisthttps://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fphantomtypist&data=02%7C01%7C%7C59d6a15da545484a9dec08d62ac2c781%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636743413383424493&sdata=JqDMYSS1yqN2oizs2TYBJE99jy7LqxViKaHsA1wggEk%3D&reserved=0 I don't know about IdentityServer 4, but on main site page, I read "for ASP.NET Core 2" (we use ASP.NET 4.5). And I don't want to change our authentication concept for that. Did you find that it is a really bad thing to not clear cookies when user is authentified but not by CAS ?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapereo%2Fdotnet-cas-client%2Fissues%2F89%23issuecomment-427358431&data=02%7C01%7C%7C59d6a15da545484a9dec08d62ac2c781%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636743413383424493&sdata=qy8LvVWwL%2BVZ8h%2FPY5JPNBeNJDMXku1RQfmPqCiNUo8%3D&reserved=0, or mute the threadhttps://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FABtFsDZ_lmRfPQSvjit14muNVI3JPc3gks5uh1hYgaJpZM4WLV6L&data=02%7C01%7C%7C59d6a15da545484a9dec08d62ac2c781%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636743413383424493&sdata=l%2BPUO8VB2eT5kbyahGVISeceEyy7mbcWSo%2BIuMv8tUs%3D&reserved=0.

mcamp1 commented 5 years ago

IdentityServer will be able to use a multitude of different with providers including CAS.

@phantomtypist I couldn't find anything in the Identity Server 4 documentation (or elsewhere) about using a CAS provider. Any further information on this would be appreciated. Thanks!

phantomtypist commented 5 years ago

@mcamp1 and @CEG-Ecoles I would follow the documentation there for Adding Support for External Authentication.

Granted, you'll have to interpret that and have it guide you down the path of implementing support for CAS. It's not going to be as simple as copy-pasting code, but I'm sure you can slog your way through it ;)

IdentityServer4 is ASP.NET core, but you can use the .NET Framework behind the scenes. IIRC this CAS client may not work and you may have to use the OWIN one from a separate project: https://github.com/noelbundick/Owin.Security.CAS

Khalidaba commented 3 years ago

@phantomtypist is it possible to use the CAS client in a .NET Core Blazor project now? I saw that you can use IdentityServer4 in Blazor, but is it possible to use the CAS client this way?

phantomtypist commented 3 years ago

@phantomtypist is it possible to use the CAS client in a .NET Core Blazor project now? I saw that you can use IdentityServer4 in Blazor, but is it possible to use the CAS client this way?

@Khalidaba I've never tried that before. Go and give it a try and report back.

TheHokieCoder commented 3 years ago

is it possible to use CAS client in a .NET core Blazor project now?

@Khalidaba, @phantomtypist I believe that you cannot use this DotNetCasClient in a Blazor project running on the .NET Core framework because this project currently only targets .NET Framework, so .NET Core is unsupported.

However, if you were to create a Blazor project that targets .NET Standard v2.0 or earlier (the only versions that work with .NET Framework; see Code sharing and .NET Standard), it is feasible that this DotNetCasClient would work as well. I have only done a quick search to look into that possibility, so I won't guarantee that it will work as there are some minor issues of .NET Framework fully adhering to the .NET Standard.

For any .NET Core project I have been using AspNet.Security.CAS with good success, so you may want to give that a try as well.

Khalidaba commented 3 years ago

@phantomtypist is it possible to use the CAS client in a .NET Core Blazor project now? I saw that you can use IdentityServer4 in Blazor, but is it possible to use the CAS client this way?

@Khalidaba I've never tried that before. Go and give it a try and report back.

Haha, unfortunately I am really a new dev with no real experience and I don't think I will be able to figure it out :-) I don't even know where to start, but thanks for your answer ;-)

Khalidaba commented 3 years ago

is it possible to use CAS client in a .NET core Blazor project now?

@Khalidaba, @phantomtypist I believe that you cannot use this DotNetCasClient in a Blazor project running on the .NET Core framework because this project currently only targets .NET Framework, so .NET Core is unsupported.

However, if you were to create a Blazor project that targets .NET Standard v2.0 or earlier (the only versions that work with .NET Framework; see Code sharing and .NET Standard), it is feasible that this DotNetCasClient would work as well. I have only done a quick search to look into that possibility, so I won't guarantee that it will work as there are some minor issues of .NET Framework fully adhering to the .NET Standard.

For any .NET Core project I have been using AspNet.Security.CAS with good success, so you may want to give that a try as well.

Thanks @TheHokieCoder, I will have a look, but as I said to @phantomtypist I am really new in this world and it feels very strange that there is not already something for it (CAS Client with Blazor), and it seems too much for me to be the first working on it. But nothing to lose, so I will check and try ;-) thanks