jsumners / hapi-cas

A Hapi framework plugin to provide authentication via servers implementing Apereo's CAS protocol

Not getting additional attributes #1

Closed mpmeyer closed 8 years ago

mpmeyer commented 8 years ago

I have an existing enterprise CAS server that I am trying to integrate with hapi-cas.

I am getting the following response from the CAS server:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
  <cas:user>myusername</cas:user>
  <user_id>123</user_id>
  <user_uuid>xxxx-xxxx-xxxx-xxxx</user_uuid>
  <user_email>myusername@company.com</user_email>
  <timeout>1800</timeout>
</cas:authenticationSuccess>
</cas:serviceResponse>

I see in plugins.js, cas.validateServiceTicket() that the result is:

{ user: 'myusername',
  user_id: '123',
  user_uuid: 'xxxx-xxxx-xxxx-xxxx',
  user_email: 'myusername@company.com',
  timeout: '1800' }

The values being stored into the session are only: user and attributes:

session:  { isAuthenticated: true, username: 'myusername', attributes: {} }

I am unable to access the extra values supplied by my CAS server, could the full result be provided on another attribute of the session?

E.g.:
request.session.cas = result;

jsumners commented 8 years ago

Are you hitting /validate or /p3/validate?

I see the problem. Your remote CAS server is returning the extra attributes as elements like user_uuid. The spec dictates that extra attributes be children of a cas:attributes element. Also, the attributes should be in cas:your_attribute_name elements.

https://github.com/Jasig/cas/blob/master/cas-server-documentation/protocol/CAS-Protocol-Specification.md#appendix-a-cas-response-xml-schema

mpmeyer commented 8 years ago

I have the cas option set: casProtocolVersion: 2.0

and in the debug I see:

  hapi-cas:main Credentials: {} +5s
  hapi-cas:main Redirecting auth to: https://login.company.net/login?service=http%3A%2F%2F127.0.0.1%3A8080%2FcasHandler +0ms
  simple-cas-interface:validateST validate url: https://login.company.net/serviceValidate +2s
  simple-cas-interface:validateST validate qs: {"ticket":"ST-1462128112rF36A85D0DA50F4D9EC","service":"http://127.0.0.1:8080/casHandler"} +0ms

mpmeyer commented 8 years ago

Following in debug:

  simple-cas-interface:protocol2 parsing xml +438ms
  simple-cas-interface:xmlparser processing parsed xml +7ms
  simple-cas-interface:xmlparser Received good validation from CAS server +0ms
  hapi-cas:main Service ticket validated: +3ms
  hapi-cas:main {"user":"username","user_id":"123","user_uuid":"xxx-xxx-xxx-xxx-xxx","user_email":"username@company.com","timeout":"1800","activityTracker:updateIntervalSeconds":"900"} +0ms
  hapi-cas:main Credentials: {"username":"username","attributes":{}} +17ms

jsumners commented 8 years ago

Yes, the data is coming back. But the data does not conform to the specification. Also, version 2 of the protocol does not support the extra attributes feature; that was a common hack in the reference server v3, but was not official. It became part of the protocol in protocol version 3.

hapi-cas, and the module providing the actual CAS communication, simple-cas-interface, strictly adhere to the protocol specification. So if you have configured hapi-cas to use protocol v2 then it will never parse the extra attributes -- the code just isn't there. In order for extra attributes to be parsed you must configure hapi-cas to communicate using version 3 of the protocol.

But, in this case, if you were to configure hapi-cas to use protocol version 3 then you still wouldn't get your extra attributes added to the session. That is because the remote server is not following the protocol specification.
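To make the two points above concrete (attributes must be cas:-prefixed children of a cas:attributes element, and a spec-following parser therefore sees nothing in the response quoted at the top of this issue), here is an added, dependency-free example. It is not hapi-cas or simple-cas-interface code; it is a deliberately small regex-based reader of the CAS serviceResponse document, fed with the response posted in this thread, a constructed rewrite of the same data in the CAS 3.0 shape, and a constructed failure response. The toCredentials function assumes the session shape shown earlier in the thread ({ isAuthenticated, username, attributes }). For what it is worth, the CAS 3.0 validation endpoint is /p3/serviceValidate, whereas the debug output above shows the v2 /serviceValidate endpoint being used.

```javascript
// Added example (not hapi-cas / simple-cas-interface code): a minimal parser for
// a CAS serviceResponse that applies the protocol rule from the thread: extra
// attributes are recognised only as <cas:*> children of <cas:attributes>
// (protocol 3.0). A regex reader is only adequate for this flat, well-known
// document shape; a real plugin uses a proper XML parser.

function unescapeXml(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&');
}

function parseCasServiceResponse(xml) {
  // Anything that is not an explicit authenticationSuccess is treated as a failure.
  if (!/<cas:authenticationSuccess[\s>]/.test(xml)) {
    const fail = xml.match(
      /<cas:authenticationFailure[^>]*code="([^"]*)"[^>]*>([\s\S]*?)<\/cas:authenticationFailure>/
    );
    return {
      ok: false,
      code: fail ? fail[1] : 'UNKNOWN',
      message: fail ? fail[2].trim() : ''
    };
  }
  const userMatch = xml.match(/<cas:user>([\s\S]*?)<\/cas:user>/);
  if (!userMatch) throw new Error('authenticationSuccess without cas:user');

  const attributes = {};
  // Only the cas:attributes block is consulted; sibling elements such as
  // <user_id> directly under authenticationSuccess are ignored, as per spec.
  const block = xml.match(/<cas:attributes>([\s\S]*?)<\/cas:attributes>/);
  if (block) {
    const attrRe = /<cas:([A-Za-z_][\w.-]*)>([\s\S]*?)<\/cas:\1>/g;
    let m;
    while ((m = attrRe.exec(block[1])) !== null) {
      const name = m[1];
      const value = unescapeXml(m[2].trim());
      // A repeated element name is collected into an array (multi-valued attribute).
      attributes[name] = name in attributes ? [].concat(attributes[name], value) : value;
    }
  }
  return { ok: true, user: unescapeXml(userMatch[1].trim()), attributes };
}

// Mirrors the session/credentials shape shown earlier in this thread (assumed).
function toCredentials(parsed) {
  if (!parsed.ok) return { isAuthenticated: false, username: null, attributes: {} };
  return { isAuthenticated: true, username: parsed.user, attributes: parsed.attributes };
}

// Constructed sample 1: the response shape reported in this issue. The extra
// elements sit directly under authenticationSuccess without the cas: prefix.
const NONCONFORMANT = `<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
  <cas:user>myusername</cas:user>
  <user_id>123</user_id>
  <user_uuid>xxxx-xxxx-xxxx-xxxx</user_uuid>
  <user_email>myusername@company.com</user_email>
  <timeout>1800</timeout>
</cas:authenticationSuccess>
</cas:serviceResponse>`;

// Constructed sample 2: the same data in the CAS 3.0 form (children of
// cas:attributes, each cas:-prefixed), plus a constructed multi-valued attribute.
const CONFORMANT = `<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
  <cas:user>myusername</cas:user>
  <cas:attributes>
    <cas:user_id>123</cas:user_id>
    <cas:user_uuid>xxxx-xxxx-xxxx-xxxx</cas:user_uuid>
    <cas:user_email>myusername@company.com</cas:user_email>
    <cas:timeout>1800</cas:timeout>
    <cas:memberOf>staff</cas:memberOf>
    <cas:memberOf>developers</cas:memberOf>
  </cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>`;

// Constructed sample 3: a failure response; must never yield isAuthenticated: true.
const FAILURE = `<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationFailure code="INVALID_TICKET">
  Ticket not recognized
</cas:authenticationFailure>
</cas:serviceResponse>`;

function demo() {
  return {
    nonconformant: toCredentials(parseCasServiceResponse(NONCONFORMANT)),
    conformant: toCredentials(parseCasServiceResponse(CONFORMANT)),
    failure: toCredentials(parseCasServiceResponse(FAILURE))
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the nonconformant response producing exactly the empty attributes object from the debug output in this thread, while the same data wrapped in cas:attributes is picked up, which is the shape to ask the enterprise CAS team for.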

jsumners commented 8 years ago

Does this answer your question?

mpmeyer commented 8 years ago

Yes, thank you. I will have to try to see if our enterprise team can support CAS 3.0.

jsumners commented 8 years ago

Then I shall close this issue.

BTW, I'm at least willing to consider pull requests that would solve your issue. Maybe some sort of "compatibility" mode for non-conformant servers. But that could be an infinite variety of options.