kevinoconnor7 / osTicket-auth-cas

JASIG CAS Authentication plugin for osTicket
GNU General Public License v2.0

support for SLO requests #24

Closed bpalme closed 3 years ago

bpalme commented 3 years ago

Hi Kevin, I was working on a PR to support SLO requests. That is: when a user logs out of the CAS server not through osTicket, but some other way, the CAS server should send a logout request to osTicket requesting a logout for the user. The request that comes in is a POST request. We should be able to call handleLogoutRequests on the CAS client. However, what I'm seeing is that the POST request doesn't call anything in the plugin. Only for GET requests to api/auth/ext do I see any functions being called in the auth plugin.

Have you looked at this at all, or do you remember working on it? I realize that this might be a big ask since you don't really use this anymore, and that it's really more of an osTicket question, I guess. I thought you might have some idea about it.

Brent

kevinoconnor7 commented 3 years ago

Unfortunately I haven't looked into this previously, and like you mentioned, since I don't use this in any production environment anymore it's unlikely that I'd take on the work to implement this. At this point I'm mostly just keeping the lights on for users with the existing feature set. That being said, I'd happily review any pull requests!

As for the issues with the api/auth/ext endpoint: yeah, it's wonky. It's convoluted to figure out how the endpoint gets routed internally, but you're actually ending up here for staff and here for users. Based on the surrounding code, POST is explicitly not tolerated. Furthermore, the only thing this endpoint can do is call triggerAuth() on auth extensions.

I think to implement this you'd need to modify base osTicket to have something like api/auth/ext_slo. That being said, the current structure assumes that clients (who are directly trying to sign in) are hitting that endpoint, not random server requests, so it may take a bit of tweaking to make that work correctly. The other problem is that I don't actually store the CAS session ID anywhere, but that's fixable within the plugin itself.

I would also say that my prior experience with modifying core osTicket hasn't been great. For anything but small/obvious fixes, they've generally sat on pull requests for months/indefinitely.
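
The two pieces this thread says are missing, a record of which CAS service ticket authenticated each local session, and a handler for the CAS server's logout POST, are sketched below. This is an added example, not code from osTicket-auth-cas, osTicket or phpCAS; the class and function names (SloRegistry, parse_session_index, build_sample_logout_body), the size cap and the CAS server address are assumptions for illustration. The POST body shape follows the CAS protocol's single-logout message: a form parameter named logoutRequest carrying a SAML LogoutRequest whose SessionIndex is the service ticket.

```python
"""Minimal CAS single-logout (SLO) receiver (added example, not project code).

The logout POST comes from the CAS server, not from the user's browser, so it
carries no session cookie: the only way to find the session to destroy is the
ticket -> session mapping recorded at login time.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_LOGOUT_REQUEST_BYTES = 8192  # assumption: real SLO messages are a few hundred bytes


def parse_session_index(xml_text):
    """Return the SessionIndex (the CAS service ticket) from a SAML
    LogoutRequest, or None if the document is missing, malformed or suspicious."""
    if not xml_text or len(xml_text) > MAX_LOGOUT_REQUEST_BYTES:
        return None
    # The CAS message never carries a DTD; refusing one shuts the door on
    # entity-expansion and external-entity tricks before the parser sees them.
    if "<!doctype" in xml_text.lower():
        return None
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        return None
    index = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    if index is None or not index.text or not index.text.strip():
        return None
    return index.text.strip()


class SloRegistry:
    """Ticket -> session mapping plus the sessions themselves (hypothetical).

    In a real deployment both live in the database or another shared store,
    since the logout POST can land on any web node.
    """

    def __init__(self, cas_server_ips):
        self.cas_server_ips = set(cas_server_ips)  # the only allowed SLO senders
        self.ticket_to_session = {}
        self.sessions = {}

    def record_login(self, ticket, session_id, user):
        """Call once the service ticket has been validated and the local session
        created; this is the mapping the plugin does not store today."""
        self.sessions[session_id] = user
        self.ticket_to_session[ticket] = session_id

    def is_logged_in(self, session_id):
        return session_id in self.sessions

    def handle_logout_post(self, remote_ip, form_body):
        """Handle the CAS server's POST; return the local session id that was
        destroyed, or None if the request was rejected or matched nothing."""
        if remote_ip not in self.cas_server_ips:
            return None  # otherwise anyone could log users out at will
        logout_request = parse_qs(form_body).get("logoutRequest", [None])[0]
        ticket = parse_session_index(logout_request)
        if ticket is None:
            return None
        session_id = self.ticket_to_session.pop(ticket, None)
        if session_id is None:
            return None  # unknown or already-consumed ticket: nothing to do
        self.sessions.pop(session_id, None)
        return session_id


def build_sample_logout_body(ticket):
    """Constructed sample of the form body a CAS server POSTs for SLO, shaped
    like the LogoutRequest in the CAS protocol spec (ID and timestamp are
    placeholders)."""
    xml_doc = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" ID="_example-id" '
        'Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
        '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '@NOT_USED@</saml:NameID>'
        f'<samlp:SessionIndex>{ticket}</samlp:SessionIndex>'
        '</samlp:LogoutRequest>'
    )
    return urlencode({"logoutRequest": xml_doc})


if __name__ == "__main__":
    registry = SloRegistry(["10.0.0.5"])  # assumed CAS server address
    registry.record_login("ST-1-abc", "sess-A", "alice")
    print(registry.handle_logout_post("10.0.0.5", build_sample_logout_body("ST-1-abc")))
```

Two points carry over to any real implementation: the endpoint must accept POST (the thread notes that api/auth/ext rejects it), and it must check the sender, as phpCAS's handleLogoutRequests does when given a list of allowed clients, because an unauthenticated logout endpoint that trusts the ticket alone lets anyone who can guess or observe a ticket terminate sessions.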

bpalme commented 3 years ago

Ok. Thanks for that reply. That is sort of what I was looking for. I have still been working on this off and on. I think this is a pretty low priority. If the server supports it, you can set up a service definition with the logout link defined. That would be the easiest solution and the one that I should have done. But now that I've tried to figure this out, I'm having trouble letting it go.

Yes, I've noticed the same thing about core osTicket. Also, the plugin system isn't very easy to get into either.

Brent

bpalme commented 3 years ago

Ok, I'm giving up on this and moving on. I don't think it's worth the effort. You can close this one if you like.