Closed iterateNZ closed 12 years ago
Thanks, taking a look right now.
Sorry its taken so long to get back on this, the day job was in the way.
I'm having a hard time validating a fix for this. I think WebMock is altering the URL so its difficult to assert the correct value.
Do you mind checking out the issue_3
branch and manually testing it in your app?
gem 'omniauth-cas', :git => 'git://github.com/dlindahl/omniauth-cas.git', :branch => 'issue_3'
If this doesn't work, please post your log files again. Those were very useful.
Hi,
I think I ran into a similar issue. I didn't find these posts at first so I didn't try your branch for now. I use "rubycas-server" for these tests, I cannot run them at work before monday on a jasig implementation..
Using PRY, I was able to see what get_service_response_body
returns, it turned out to be that kind of thing:
> get_service_response_body
=> "<cas:serviceResponse xmlns:cas=\"http://www.yale.edu/tp/cas\">\n <cas:authenticationFailure code=\"INVALID_SERVICE\">The ticket 'ST-1327127903rB12C213912794FA12D' be longing to user 'jean-baptiste.barth@xxxxx' is valid, but the requested service 'http://localhost:3000/auth/cas/callback?url=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Ffailure%3Fmessage%3Dinvalid_ticket' does not match the service 'http://localhost:3000/auth/cas/callback?url=http://localhost:3000/auth/failure?message=invalid_ticket' associated with this ticket.</cas:authenticationFailure>\n</cas:serviceResponse>\n"
After various tries, I found that escaping the "url" parameter at first works :
> get_service_response_body
=> "<cas:serviceResponse xmlns:cas=\"http://www.yale.edu/tp/cas\">\n <cas:authenticationSuccess>\n <cas:user>jean-baptiste.barth@xxxxx</cas:user>\n </cas:authenticationSuccess>\n</cas:serviceResponse>\n"
The change consists in modifying line 148 of lib/omniauth/strategies/cas.rb :
{ :url => request.referer }
became { :url => Rack::Utils.escape(request.referer) }
Your fix in the "issue_3" branch doesn't seem to work for me at first sight, but I should have a better look at it, I did a lot of tests and don't know if my repo+gemset is still clean... It might be a better idea to escape in append_params
though.
Let me know what you think, and anyway, thanks for this gem !
@jbbarth The fix in the issue_3
branch is doing just that, escaping in append_params
.
Please double check that it is not working for you when you can and get back to me.
Thanks for your feedback!
I confirm it doesn't work as is, I keep getting a difference between urls:
> get_service_response_body
=> "<cas:serviceResponse xmlns:cas=\"http://www.yale.edu/tp/cas\">\n <cas:authenticationFailure code=\"INVALID_SERVICE\">The ticket 'ST-1327186730r93199DA6DA260006A0' be longing to user 'jean-baptiste.barth@xxxxx' is valid, but the requested service 'http://localhost:3000/auth/cas/callback?url=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Ffailure%3Fmessage%3Dinvalid_ticket' does not match the service 'http://localhost:3000/auth/cas/callback?url=http://localhost:3000/auth/failure?message=invalid_ticket' associated with this ticket.</cas:authenticationFailure>\n</cas:serviceResponse>\n"
But it works if I remove the Rack::Utils.unescape
from login_url
method.
I'll try to have a deeper look at it and provide a sample app to reproduce and/or a pull request with a test.
issue_3 branch still isn't working
Escaping everthing in append_params is fine, but you are then overriding it in login_url by explicitly unescaping it.
removing the Rack::Utils.unescape resolves the issue. def login_url(service)
cas_host + append_params( @options.login_url, { :service => service }) end
@iterateNZ -- I think that was the missing piece. I made the change you suggested and a couple small changes to the tests and everything seems to be passing again.
Update your copy of the issue_3
branch and let me know how it goes.
`bundle update omniauth-cas`
Yes that appears to be working correctly.
I've release 0.0.4 which includes this fix, please update accordingly.
Thanks for the help guys.
Service ticket is failing validation as the service_url is changing from unescaped to escaped.
https://github.com/dlindahl/omniauth-cas/blob/master/lib/omniauth/strategies/cas.rb Line 108 { :service => service_url.to_s, :ticket => ticket } Line 117 { :service => Rack::Utils.unescape(service) }
Rails Log:
Started GET "/users/auth/cas" for 127.0.0.1 at Mon Jan 16 10:12:25 +1300 2012
Started GET "/users/auth/cas/callback?url=http://127.0.0.10/&ticket=ST-1-LI2RfXBXynZ3wbFcv9Vl-sso.myacg.org" for 127.0.0.1 at Mon Jan 16 10:12:25 +1300 2012 Dalli::Server#connect 127.0.0.1:11211 Processing by Users::OmniauthCallbacksController#failure as HTML Parameters: {"ticket"=>"ST-1-LI2RfXBXynZ3wbFcv9Vl-sso.myacg.org", "url"=>"http://127.0.0.10/"} Redirected to http://127.0.0.10/users/sign_in Completed 302 Found in 1ms
Cas Log:
2012-01-16 10:12:25,445 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-LI2RfXBXynZ3wbFcv9Vl-sso.myacg.org] for service [http://127.0.0.10/users/auth/cas/callback?url=http://127.0.0.10/] for user [052463] 2012-01-16 10:12:26,127 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-1-LI2RfXBXynZ3wbFcv9Vl-sso.myacg.org] with service [http://127.0.0.10/users/auth/cas/callback?url=http://127.0.0.10/ does not match supplied service [http://127.0.0.10/users/auth/cas/callback?url=http%3A%2F%2F127.0.0.10%2F]
It does work if there is no url param
Rails.log
Started GET "/users/auth/cas" for 127.0.0.1 at Mon Jan 16 10:27:14 +1300 2012
Started GET "/users/auth/cas/callback?url=&ticket=ST-4-osxtwCW30aIfMf5auBej-sso.myacg.org" for 127.0.0.1 at Mon Jan 16 10:27:15 +1300 2012 Processing by Users::OmniauthCallbacksController#cas as HTML Parameters: {"ticket"=>"ST-4-osxtwCW30aIfMf5auBej-sso.myacg.org", "url"=>""}
Cas.log
2012-01-16 10:27:15,068 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-4-osxtwCW30aIfMf5auBej-sso.myacg.org] for service [http://127.0.0.10/users/auth/cas/callback?url=] for user [052463]
Gems:
devise 1.5.3 omniauth 1.0.1 omniauth-cas 0.0.3