rbCAS / CASino

CASino is a Ruby-based Single Sign-On solution supporting the CAS standard
MIT License
331 stars 189 forks source link

Any plans for OpenID/OAuth support? #32

Closed rmckayfleming closed 10 years ago

rmckayfleming commented 10 years ago

I've noticed that Jasig CAS has support for third-party protocols, any plans to bring that to CASino in the near future?

pencil commented 10 years ago

What do you mean exactly? Should CASino act as OpenID/OAuth server or should it support authentication using a OpenID/OAuth source?

rmckayfleming commented 10 years ago

Authentication using an OpenID/OAuth source. Great project by the way. :)

Take a look at this: https://wiki.jasig.org/display/CASUM/Configuration+for+the+OAuth+client+support+in+CAS+server+version+%3E%3D+3.5.1

pencil commented 10 years ago

Just out of curiosity, what would be the use case for this? Why wouldn't you directly add support for OpenID or OAuth to the client applications?

kassi commented 10 years ago

I'm also investigating this gem and it looks to me like the missing feature. Why? Simply explained: If I want to build a login app using CASino, I want all my other apps to authenticate using this login-app, so sign in once, signed in on all apps. I can then choose to either sign up and sign in here or choose to sign in using one of the oauth providers like FB, G+ and so on. This should sign me in to all of my apps as well. So single sign on aka login app should implement oauth(2).

If I were to implement oauth client to any app it's not only dup code but would also lose SSO, right?

kassi commented 10 years ago

However, now I wonder if it would be the correct way to

Is it somehow compatible? Is there a way to use username or email to login? Is there a devise authenticator?

pencil commented 10 years ago

Ok, understand the use case for this now.

@kassi I'm not quite sure I understand the setup you are planning to do.

add devise + omniauth to login-app (in addition to casino)

There is ominauth-cas which is compatible with CASino.

configure casino to use devise's user table with ActiveRecord authenticator

Devise defaults to BCrypt for the password encryption and should therefore be compatible with our ActiveRecord authenticator.

use devise's sign up page and casinos sign in page.

As CASino does not feature user management out of the box, it is pretty standard to handle sign-up in an external application.

Is there a way to use username or email to login?

No, as you can only specify one username_column.

Is there a devise authenticator?

Just found device_cas_authenticable which should be compatible.

kassi commented 10 years ago

Thanks for the reply. I think there's still a misunderstanding since omniauth-cas as well as devise_cas_authenticable seem to be gems you add to some app which will use another app (cas server) for auth.

My aim is to have one app designed to manage users, sign up and sign in (also via external oauth services), and have several other apps only use this one app as central single sign on point without having to implement several services and user model again and again.

pencil commented 10 years ago

CASino is a Rails engine and can therefore by used in any existing Rails app providing sign-up etc. I know that @dlindahl built something similar.

To add support for login through OAuth, writing a CASino authenticator would be the right approach. CASino uses it's own technics to track logged in users and is not compatible with how omniauth or devise does this.

booch commented 10 years ago

I'm interested in this support as well, to allow users to choose whether to use Google, Facebook, Twitter, or GitHub accounts, or create a local account.

dbackeus commented 10 years ago

@pencil how would one go about writing a strategy supporting Oauth?

The API for CASinos authentication is a username and password getting POSTed to the login route. Then the strategy eventually validates the username and password.

In the case of OAuth we arrive back from the OAuth provider via a GET request and have various tokens to keep track of. But not exactly a username or password.

Not sure how that fits into the current CASinoApp flow. Is it possible to fit this to the current implementation of the engine or would additional functionality / rewriting be required?

pencil commented 10 years ago

No, it does not fit into the current CASino workflow. The best way would probably be to start off with an "external authenticator" abstraction. Then display a button for all external authenticators at the login page.

As this issue is currently not in our focus, I'll close it for now. I'd gladly look into a pull request though. Feel free to contribute :wink: