johndpjr / AgTern


Research CAS authentication #112

Closed johndpjr closed 1 year ago

johndpjr commented 1 year ago

Context

Our users need a personalized and secure experience, so adding authentication is essential so that users can track internships and users' data is protected. The Central Authentication System (CAS) is a proprietary solution that TAMU provides for students to log in and access their data. All that CAS is is a Microsoft Azure Active Directory that tracks users. We will use the same thing for our authentication so that students can log in via CAS.

TODO

Notes

JeremyEastham commented 1 year ago

From the CAS Documentation:

Registering Applications

CAS utilizes a service registry. Your application must be registered with CAS or CAS will not respond to any requests made by the application.

Warning: CAS authentication is considered a legacy protocol and should not be used for new production systems & services. If your system is constrained and can only support CAS (and not OIDC or SAML), reach out to identity@tamu.edu for assistance.

To register your application, send an email with the following information to identity@tamu.edu:

Protocol: https is required.
Application URL
Application Type: Production or Development
Technical contact name and email address (The technical contact must be an active staff employee of Texas A&M.)

It appears that we need a staff contact (sponsor?) and an HTTPS certificate set up. This also requires the registration of a domain name, since HTTPS certificates are not given to plain IP addresses.

Other TAMU NetID Authorization Protocol Options:

Further research is needed to determine whether any of these protocols are worth implementing. In my opinion, this would not add much value to our project. We would be better off integrating a well-known provider such as Google or Discord. I have set up Discord apps before; it is not very complicated. Here is a guide to setting up a Login with Discord integration (Discord calls them "apps"), which uses OAuth2. Here is a library that automates most of the authentication code with Discord. Similar libraries exist for other providers. It might be worth browsing the code to see how the OAuth2 flow works.

johndpjr commented 1 year ago

CAS seems like a mess and is not scalable to users outside of Texas A&M. We will be using the OAuth 2.0 protocol instead. We could use Google or Microsoft OAuth (or both). Thanks @JeremyEastham for the in-depth research!
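
The OAuth 2.0 authorization-code exchange referred to in the two comments above (the flow the Discord library automates, and the one a Google or Microsoft integration would also use), as an added example that is not part of this thread or the AgTern code base. The provider URL, client id and redirect URI are placeholder assumptions, and `FakeProvider` is a constructed stand-in for the real authorization and token endpoints so the whole exchange runs offline:

```python
"""Added example (not AgTern project code): OAuth 2.0 authorization-code flow
with state and PKCE, as a relying party runs it against Google, Microsoft or
Discord. URLs, client id and redirect URI are placeholder assumptions, and
FakeProvider stands in for the real server so the exchange runs offline."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://provider.example/oauth2/authorize"  # assumed placeholder
CLIENT_ID = "agtern-example-client"  # assumed placeholder
REDIRECT_URI = "https://agtern.example/auth/callback"  # assumed placeholder


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(session: dict) -> str:
    """Step 1: the URL the browser is sent to. state (CSRF binding) and the PKCE
    verifier stay server-side in the user's session; only the challenge leaves."""
    state = b64url(secrets.token_bytes(16))
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 limits
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Step 2: the provider redirected back. Consume the stored state and reject
    a mismatch (login-CSRF / code injection), then build the token request."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"provider error: {query['error'][0]}")
    expected = session.pop("oauth_state", None)
    got = query.get("state", [""])[0]
    if not expected or not secrets.compare_digest(got, expected):
        raise ValueError("state mismatch: callback is not bound to this session")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),
    }


class FakeProvider:
    """Constructed stand-in for the authorization and token endpoints. It records
    the challenge when it issues a code and enforces it, once, at token time."""

    def __init__(self):
        self._codes = {}  # code -> (code_challenge, redirect_uri)

    def authorize(self, auth_url: str) -> str:
        q = parse_qs(urlparse(auth_url).query)
        if q["response_type"] != ["code"] or q["code_challenge_method"] != ["S256"]:
            raise ValueError("unsupported authorization request")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (q["code_challenge"][0], q["redirect_uri"][0])
        # User authenticated; redirect back with the code and the state untouched.
        redirect = urlencode({"code": code, "state": q["state"][0]})
        return f"{q['redirect_uri'][0]}?{redirect}"

    def token(self, req: dict) -> dict:
        entry = self._codes.pop(req.get("code"), None)  # codes are single-use
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        challenge, redirect_uri = entry
        if req["redirect_uri"] != redirect_uri or not secrets.compare_digest(
            pkce_challenge(req["code_verifier"]), challenge
        ):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def login_roundtrip(provider: FakeProvider, session: dict) -> dict:
    """Drive the whole flow once and return the provider's token response."""
    callback = provider.authorize(build_authorization_url(session))
    return provider.token(handle_callback(session, callback))


if __name__ == "__main__":
    print(login_roundtrip(FakeProvider(), {}))
```

Three checks carry the security of the flow: `state` ties the callback to the browser session that started the login, the PKCE verifier proves the party redeeming the code is the one that requested it, and the provider accepts each code only once. In a real integration `FakeProvider` becomes HTTPS requests to the provider's published endpoints, the client secret (for a confidential client) goes on the token request, and the returned ID token is validated before any AgTern account is created or linked.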

JeremyEastham commented 1 year ago

You're welcome!