phpCAS application on an Apache host protected by mod_auth_cas doesn't work

[tdb85]

I'm working on a development server which we currently restrict access to using HTTP Basic authentication and LDAP authentication (AuthType Basic & AuthBasicProvider ldap). I've successfully switched this to AuthType CAS, however mod_auth_cas seems to be stripping out the ticket parameter from the URL so the application can't read it.

The applications we are developing will be located on a production server authenticating themselves to CAS. However in development we do a blanket authentication to restrict access to the whole server, after which the applications currently each have their own HTML login form which I'm trying to migrate to phpCAS.

Current

VirtualHost section, and PHP apps authenticate themselves

<VirtualHost ip:443>
  <Location />
    AuthType Basic
    AuthBasicProvider ldap
    Require ldap-group blah-blah...
  </Location>
  # blah blah 
</VirtualHost>

Desired

Here's what I want, which works from Apache's point of view, but not PHP.

<VirtualHost ip:443>
  <Location />
    AuthType CAS
    Require ldap-group blah-blah...
  </Location>
  # blah blah 
</VirtualHost>


<?php
var_dump($_GET);
phpCAS::client(CAS_VERSION_2_0, "cas.myhost.com", 443, "/cas");
phpCAS::forceAuthentication();

phpCAS successfully redirects to the CAS server, however on direction back it is missing the ticket parameter. As a result I end up in a redirection loop because phpCAS keeps redirecting to CAS, but CAS redirects back because we are already authenticated.

[dhawes]

Yes, mod_auth_cas removes the token parameter so PHP cannot see it:

https://github.com/apereo/mod_auth_cas/blob/master/src/mod_auth_cas.c#L2085

Try removing those lines and see if that gets you where you want to be.

This use case seems to be rare, so I'd need some convincing from others if changing this behavior is worthwhile.

[tdb85]

I'll try and give it a shot. Looking at the source code you've linked it looks like parameter name can't be changed, maybe a workaround would be to change the name of the parameter for phpCAS. Not sure if that's possible from the CAS side however.

I've installed mod_auth_cas via the distribution's repository (CentOS 7, yum install mod_auth_cas) so it may be tricky sadly.

Either way will update and let you know. Thankfully this is likely only a problem for this specific host which worst-case scenario I can just keep on LDAP, others will either use application-only or Apache only, not a mix.

[thijskh]

Can't you pick up the value in the Apache vhost and set it in another parameter or env var that PHP can consume, hence solve it entirely in Apache configuration?

[dhawes]

I didn't want to send you too far down the wrong path, so I tried removing those lines and testing.

Unfortunately, the problem you will likely encounter is that you will get a service mismatch with the CAS server and won't be able to use CAS auth. It's possible to work around this, but it's a bit more work.

The suggestion above to use Apache configuration may be a better path to try.

[dhawes]

I wonder if something like this pull request would help in this case:

#136

[ruckc]

So my organization does something similar to what your trying to do, though we leverage cas attributes to provide role/group information. Below is a snippet from our httpd configs. The downside is that the CAS server has to provide the necessary attributes for you to make your authorization decision off of.

CASAuthNHeader On
Require valid-user
Require cas-attribute role_admin:true

[saviosampaio]

See: #144

[dhawes]

@tdb85 Can you verify if #158 works for your use case?

[dhawes]

CASPreserveTicket from #158 should allow this. Reopen this issue if it doesn't.