10101010101010001
commented
2 years ago It seems that other third-party libraries (e.g. django-cas-ng, rubycas-client-rails) follow official libraries behavior instead of adhering to protocol specs. I am unable to find any justification why logout requests are sent using POST field and why on earth it is called logoutRequest (it doesn't even mimic SAML, as real SAML logout requests use SAMLRequest POST field).
I've been working with CAS lately and I can tell you that CAS doesn't manage sessions, that's done by the application. So if you logout of CAS but don't logout of the application(s) then you didn't really logout. Even worse when you have several services all requiring login, how do you keep track of which services have been logged into so you can send all of them the logout post request. soulwing/cas-extension also suffers from this issue.
I think it's necessary to patch, I am looking for something that works with several hundreds of webapps all requiring authentication. I'm using container managed security, requires security-constraints with role-names in web.xml.
damisanet
jacekkow
keycloak-protocol-cas transmits SLO requests in request body, which seems to match CAS protocol spec. However, official Apereo CAS client libraries are looking for logout requests in
logoutRequestPOST field...phpCAS: https://github.com/apereo/phpCAS/blob/57fa31cdeaf99225c9c64b12e1cce21997e305e5/source/CAS/Client.php#L1908-L1911 https://github.com/apereo/phpCAS/blob/57fa31cdeaf99225c9c64b12e1cce21997e305e5/source/CAS/Client.php#L1939
java-cas-client: https://github.com/apereo/java-cas-client/blob/0be716e1ac70c596e284bd502d8c34d89d7e58e0/cas-client-core/src/main/java/org/apereo/cas/client/configuration/ConfigurationKeys.java#L43 https://github.com/apereo/java-cas-client/blob/0be716e1ac70c596e284bd502d8c34d89d7e58e0/cas-client-core/src/main/java/org/apereo/cas/client/session/SingleSignOutHandler.java#L300-L304 https://github.com/apereo/java-cas-client/blob/0be716e1ac70c596e284bd502d8c34d89d7e58e0/cas-client-core/src/main/java/org/apereo/cas/client/session/SingleSignOutHandler.java#L221 https://github.com/apereo/java-cas-client/blob/0be716e1ac70c596e284bd502d8c34d89d7e58e0/cas-client-core/src/main/java/org/apereo/cas/client/session/SingleSignOutHandler.java#L226
dotnet-cas-client: https://github.com/apereo/dotnet-cas-client/blob/2677b8d182af40d490644e08d194ce811f3e3795/DotNetCasClient/Utils/RequestEvaluator.cs#L274 https://github.com/apereo/dotnet-cas-client/blob/2677b8d182af40d490644e08d194ce811f3e3795/DotNetCasClient/CasAuthentication.cs#L746
It seems that other third-party libraries (e.g. django-cas-ng, rubycas-client-rails) follow official libraries behavior instead of adhering to protocol specs. I am unable to find any justification why logout requests are sent using POST field and why on earth it is called
logoutRequest(it doesn't even mimic SAML, as real SAML logout requests useSAMLRequestPOST field).Other CAS server implementation had the same problem: https://github.com/jbittel/django-mama-cas/issues/27
While I believe it is stupid of Apereo not to follow their own specs, non-compliant single log-out method became de facto standard and keycloak-protocol-cas should probably also switch to sending logout requests using
logoutRequestPOST field. What do you think?I'm able to provide patch changing plugin behavior to match "official" CAS server implementation.