akunzai / gss.authentication.cas

CAS Authentication Middleware for OWIN & ASP.NET Core

License: MIT License

C# 98.74% Dockerfile 1.00% Shell 0.26%
authentication cas cas-authentication-middleware middleware

Contributors

ahmadh21, akunzai, dependabot[bot], renovate[bot]

gss.authentication.cas's Issues

Always redirects to root instead of base path

We've built an app like the example "ASP.NET Core app with Single-Sign-Out". But it's running behind a reverse proxy in a subfolder.

The basePath is set like

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UsePathBase("/base");
    app.UsePathBase("/base");
    ...
}

All other parts of the app are working as expected, but after login it should redirect to www.myserver.com/base and instead redirects to www.myserver.com/

CAS, React and empty claims at first page load

Hi,

I have the following Login method:

    [HttpGet("login")]
    public IActionResult Login(string returnUrl)
    {
        if (User.Identity?.IsAuthenticated == true)
        {
            return Redirect(returnUrl);
        }

        return Challenge(new AuthenticationProperties { RedirectUri = returnUrl }, "CAS");
    }

When I load the react.js page for the first time, then after a successful login to CAS, User.Identity?.IsAuthenticated is always false. The next 3 requests to different controller endpoints cause further calls to the login endpoint and finally some 500 errors. Sometimes the last controller endpoint call is successful. It seems like the controller calls are made before the first login call is finished and HttpContext.User.Identity isn't yet set.

When I reload the page the Login endpoint isn't called at all and everything works fine.

I'm using GSS.Authentication.CAS.AspNetCore 5.3.3.

I setup CAS service like that:

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Events.OnSigningOut = context =>
        {
            var redirectContext = new RedirectContext<CookieAuthenticationOptions>(
                context.HttpContext,
                context.Scheme,
                context.Options,
                context.Properties,
                "/");

            if (builder.Configuration.GetValue("Authentication:CAS:SingleSignOut", false))
            {
                // Single Sign-Out
                var casUrl = new Uri(builder.Configuration["Authentication:CAS:ServerUrlBase"]);
                var links = context.HttpContext.RequestServices.GetRequiredService<LinkGenerator>();
                var serviceUrl = context.Properties.RedirectUri ?? links.GetUriByPage(context.HttpContext, "/");
                redirectContext.RedirectUri = UriHelper.BuildAbsolute(
                    casUrl.Scheme,
                    new HostString(casUrl.Host, casUrl.Port),
                    casUrl.LocalPath, "/logout",
                    QueryString.Create("service", serviceUrl!));
            }

            context.Options.Events.RedirectToLogout(redirectContext);

            return Task.CompletedTask;
        };
        options.Cookie.Name = ".ASPXAUTH_EPROTOCOLS";
    })
    .AddCAS(options =>
    {
        options.CasServerUrlBase = builder.Configuration["Authentication:CAS:ServerUrlBase"];
        // required for CasSingleLogoutMiddleware
        options.SaveTokens = builder.Configuration.GetValue("Authentication:CAS:SaveTokens", false);
        var protocolVersion = builder.Configuration.GetValue("Authentication:CAS:ProtocolVersion", 3);

        if (protocolVersion != 3)
        {
            options.ServiceTicketValidator = protocolVersion switch
            {
                1 => new Cas10ServiceTicketValidator(options),
                2 => new Cas20ServiceTicketValidator(options),
                _ => null
            };
        }

        options.Events.OnCreatingTicket = context =>
        {
            if (context.Identity == null)
            {
                return Task.CompletedTask;
            }

            // Map claims from assertion
            var assertion = context.Assertion;

            context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, assertion.PrincipalName));
            context.Identity.AddClaim(new Claim(ClaimTypes.Name, assertion.PrincipalName));

            if (assertion.Attributes.TryGetValue("display_name", out var displayName))
            {
                context.Identity.AddClaim(new Claim(ClaimTypes.Name, displayName!));
            }

            if (assertion.Attributes.TryGetValue("email", out var email))
            {
                context.Identity.AddClaim(new Claim(ClaimTypes.Email, email!));
            }

            return Task.CompletedTask;
        };
    });

Anyone can help?
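
The Login action in the post above passes returnUrl to Redirect and to RedirectUri without checking it, so the post-login destination is whatever the query string says. The following is an added example (not from the post or the project) of the same action restricted to local paths; the controller name and route prefix are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("account")] // hypothetical route prefix, not taken from the post
public class AccountController : ControllerBase
{
    [HttpGet("login")]
    public IActionResult Login(string? returnUrl)
    {
        // Accept only same-site relative paths. Absolute URLs, "//host" and
        // "/\host" forms, and a missing value all fall back to the application
        // root, which Url.Content resolves with the configured PathBase.
        var target = Url.IsLocalUrl(returnUrl) ? returnUrl! : Url.Content("~/");

        if (User.Identity?.IsAuthenticated == true)
        {
            // LocalRedirect throws if the target is ever not local,
            // so a later refactoring cannot silently reopen the hole.
            return LocalRedirect(target);
        }

        // The validated value is what gets protected into the
        // authentication state and used after the CAS callback.
        return Challenge(new AuthenticationProperties { RedirectUri = target }, "CAS");
    }
}
```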

Deprecating GSS.Authentication.CAS.RuntimeCache

Is your feature request related to a problem? Please describe.
GSS.Authentication.CAS.RuntimeCache can be replaced by GSS.Authentication.CAS.DistributedCache with Microsoft.Extensions.Caching.Memory.

Describe the solution you'd like
We should maintain and support GSS.Authentication.CAS.DistributedCache only, and deprecate GSS.Authentication.CAS.RuntimeCache.

Describe alternatives you've considered
Keep GSS.Authentication.CAS.RuntimeCache on NuGet Gallery

Additional context
N/A

Skip middle page in .net core 7

Hello,
I would like to ask how can we skip the middle page which displays the
"Register
Associate your CAS account." message

I use .net core 7

thank you

XmlException

Hello

I read that I have to ensure that HTTPS is configured so that the login from CAS is enabled.
Now I have another issue...

I get

An unhandled exception occurred while processing the request.
XmlException: '=' is an unexpected token. The expected token is ';'. Line 32, position 91.

netcore 2.1 web api usage

How can I implement your library in the following scenario?
Angular 6 app.
Net Core 2.1 web api sln.

I can assume that the Angular app will do the auth against CAS.
Should the Angular app add something to the header in the requests?

I got this working with my web api, using a browser as a client, but, for example, if I use Postman I don't get results, maybe because I'm being redirected to the CAS login page. And the same will happen with the Angular app as the client.

Thanks

Encrypted Assertion PrincipalName

What in ticket validation determines whether the assertion PrincipalName is encrypted or not? I see different behavior on different machines: on one the PrincipalName is clear, while on other machines the PrincipalName is encrypted.

Multiple CAS doesn't seem to be supported

Hello,

I have an IdentityServer 4 application that must support multiple CAS configurations.
In order to do that, I iterate through my cas configuration and add a builder for each one of them:

public static AuthenticationBuilder AddCasAuth(this AuthenticationBuilder builder, CasSetting casSetting)
{
   // Scheme must be the company identifier
   builder.AddCAS(casSetting.Scheme, casSetting.DisplayName, options =>
   {
      options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
      options.ServiceTicketValidator = new Cas20ServiceTicketValidator(options);
      options.CasServerUrlBase = casSetting.BaseUrl;
      // required for Cas SingleLogout
      options.SaveTokens = true;

      options.Events = new CasEvents
      {
         OnCreatingTicket = context =>
         {
            // ... Handle the received claims ...
            return Task.CompletedTask;
         },
         OnRemoteFailure = context =>
         {
            // ... Handle the errors ... 
            return Task.CompletedTask;
         }
      };
   });

   return builder;
}

It works fine for the first element of my collection, but for the ones after, I have the following error after logging in the CAS server: State invalid or missing.
When I look at the context in the OnRemoteFailure, I find the configuration of the first element of my collection but the CAS login page matches the right element of the collection.

For example:

"CasSettings": [
   {
      "Scheme": "Scheme 1",
      "DisplayName": "First CAS",
      "BaseUrl": "https://domain1/cas"
   },
   {
      "Scheme": "Scheme 2",
      "DisplayName": "Second CAS",
      "BaseUrl": "https://domain2/cas"
   }
]

If I try to log in with Scheme 2, I land on the login page on https://domain2/cas, when I validate the form, I am redirected to my error page and the context of OnRemoteFailure has the Scheme 1 configuration. (hence the invalid state)

Is it supposed to be supported? Am I missing something here?

Thank you
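
In ASP.NET Core, a remote authentication handler claims the callback request when the request path equals its own CallbackPath, so several CAS schemes left on the same default path will have the first registered scheme answer every callback. The following is an added example (not from the post or the project) that gives each scheme a distinct callback path, on the assumption that this is what produces the error described above; the CallbackPath setting, the record shape and the AddCasSchemes name are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection; // assumed namespace of the AddCAS extension

// Constructed stand-in for the poster's CasSetting, with one added
// (hypothetical) property: the callback path owned by this scheme.
public sealed record CasSetting(
    string Scheme, string DisplayName, string BaseUrl, string CallbackPath);

public static class MultiCasExtensions
{
    public static AuthenticationBuilder AddCasSchemes(
        this AuthenticationBuilder builder, IEnumerable<CasSetting> settings)
    {
        var seenPaths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        foreach (var setting in settings)
        {
            // Fail at startup rather than at the first misrouted login.
            if (!seenPaths.Add(setting.CallbackPath))
            {
                throw new InvalidOperationException(
                    $"CallbackPath '{setting.CallbackPath}' is configured for more than one CAS scheme.");
            }

            builder.AddCAS(setting.Scheme, setting.DisplayName, options =>
            {
                options.CasServerUrlBase = setting.BaseUrl;
                // Inherited from RemoteAuthenticationOptions. PathString
                // rejects values that do not start with '/'.
                options.CallbackPath = new PathString(setting.CallbackPath);
                options.SaveTokens = true;
                // SignInScheme, ServiceTicketValidator and Events as in the post.
            });
        }

        return builder;
    }
}
```

With the two settings from the post, the callback paths could be, for instance, /signin-cas-1 and /signin-cas-2; each CAS server must accept the corresponding service URL.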

Nuget Installation Problem

Hello,

Since your last modifications (thank you for them, by the way) I cannot install the 2.1.0 version of GSS.Authentication.CAS.Owin, because it seeks a version of GSS.Authentication.CAS.Core superior to 2.0.1 (which doesn't exist).

Best regards.

Error handling remote login (Maybe not a bug)

Using GSS.Authentication 5.3.3

Describe the bug
On occasion, the /signin-cas endpoint gets hit and throws an exception.

[09:04:12 DBG] 0HN0JI1URRJHK:00000004 The request path /signin-cas does not match a supported file type
[09:04:12 INF] 0HN0JI1URRJHK:00000004 Error from RemoteAuthentication: Missing CAS ticket..
[09:04:13 ERR] 0HN0JI1URRJHK:00000004 An error was encountered while handling the remote login.
System.Exception: An error was encountered while handling the remote login.
 ---> System.Exception: Missing CAS ticket.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)

I'm not sure what would cause this, as I believe the CAS server is redirecting back to this app when this happens. Ultimately I'd like to find a way to intercept and redirect back to login or something when I encounter this error.

The vast majority of time, this library works perfectly and I never run into problems... so again... not exactly sure what I'm doing wrong, or if it could indicate a problem with the cas server or something else.

Any pointers here would be greatly appreciated.
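
ASP.NET Core remote authentication handlers raise OnRemoteFailure before throwing "An error was encountered while handling the remote login", and marking the response as handled suppresses that exception. The following is an added example (not from the post or the project) that logs the failure and sends the browser to a fixed local page; the /login-failed path and the class name are hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class CasFailureHandling
{
    // Hypothetical page that explains the failure and links to the login
    // endpoint. Redirecting straight into a new challenge instead could
    // loop if the failure repeats.
    private const string FailurePath = "/login-failed";

    public static Task HandleRemoteFailure(RemoteFailureContext context)
    {
        var logger = context.HttpContext.RequestServices
            .GetRequiredService<ILoggerFactory>()
            .CreateLogger("CasRemoteFailure");

        // Keep the detail ("Missing CAS ticket.", "Correlation failed.")
        // in the server log. A callback hit without a ticket is worth
        // watching for, since it can also come from bookmarks or scanners.
        logger.LogWarning(
            context.Failure,
            "CAS callback {Path} failed for {RemoteIp}",
            context.Request.Path,
            context.HttpContext.Connection.RemoteIpAddress);

        // Fixed, same-site target built from PathBase. Nothing from the
        // request or the exception message is reflected into the URL.
        context.Response.Redirect($"{context.Request.PathBase}{FailurePath}");

        // Tell the handler the response is complete so it does not throw.
        context.HandleResponse();
        return Task.CompletedTask;
    }
}

// Wiring inside AddCAS(options => { ... }):
//     options.Events.OnRemoteFailure = CasFailureHandling.HandleRemoteFailure;
```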

Error with HTTPPOST request

Hello,

I'm using this API in order to use CAS authentication. All works fine except the HTTP POST request.
Indeed, when I'm making a POST request, I always get this error:

image

Is this a bug ?

Thanks in advance.

Exception: Correlation failed.

Hello,

I have a .NET Core 6 app and when I try to log in through CAS I get the following message

Exception: Correlation failed.
Unknown location

Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()

Any idea?
Thank you

Exception: There was a problem validating ticket.

When this method is executed: HttpContext.ChallengeAsync();

An unhandled exception occurred while processing the request.
Exception: There was a problem validating ticket.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext()
Please help me, thanks

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

  • chore(deps): update dotnet monorepo to v8 (major) (Microsoft.AspNetCore.WebUtilities, Microsoft.Extensions.Caching.Abstractions, Microsoft.Extensions.Caching.Memory, Microsoft.Extensions.Options, Microsoft.Extensions.Primitives, System.Text.Encodings.Web, System.Text.Json)

Detected dependencies

github-actions
.github/workflows/cd.yml
  • actions/checkout v4
  • actions/setup-dotnet v3
.github/workflows/ci.yml
  • actions/checkout v4
  • actions/setup-dotnet v3
  • microsoft/setup-msbuild v1
  • codecov/codecov-action v3
npm
samples/AspNetCoreReactSample/ClientApp/package.json
  • @types/node ^20.10.0
  • @types/react ^18.2.38
  • @types/react-dom ^18.2.17
  • axios ^1.6.2
  • bootstrap ^5.3.2
  • react ^18.2.0
  • react-dom ^18.2.0
  • react-router-bootstrap ^0.26.2
  • rimraf ^5.0.5
  • typescript ~5.3.2
  • web-vitals ^3.5.0
  • wouter ^2.12.1
  • @vitejs/plugin-react ^4.2.0
  • eslint ^8.54.0
  • eslint-config-react-app ^7.0.1
  • vite ^5.0.2
  • semver ^7.5.4
  • yarn 4.0.2
nuget
.config/dotnet-tools.json
  • dotnet-reportgenerator-globaltool 5.2.0
Directory.Packages.props
  • xunit 2.6.2
  • xunit.runner.visualstudio 2.5.4
  • System.Text.RegularExpressions 4.3.1
  • System.Net.Http 4.3.4
  • System.Drawing.Common 8.0.0
  • StackExchange.Redis 2.7.4
  • RichardSzalay.MockHttp 7.0.0
  • Owin.OAuthGeneric 1.0.3
  • NLog.Web 5.3.5
  • NLog.Web.AspNetCore 5.3.5
  • NLog.Owin.Logging 4.0.0
  • NLog.Extensions.Logging 5.3.5
  • Newtonsoft.Json 13.0.3
  • MSBuild.Microsoft.VisualStudio.Web.targets 14.0.0.3
  • Moq 4.20.70
  • Microsoft.TestPlatform.ObjectModel 17.8.0
  • Microsoft.Owin.Testing 4.2.2
  • Microsoft.Owin.Security.OpenIdConnect 4.2.2
  • Microsoft.Owin.Security.Cookies 4.2.2
  • Microsoft.Owin.Host.SystemWeb 4.2.2
  • Microsoft.NETFramework.ReferenceAssemblies 1.0.3
  • Microsoft.NET.Test.Sdk 17.8.0
  • Microsoft.IdentityModel.Protocols.OpenIdConnect 7.0.3
  • Microsoft.Extensions.DependencyInjection 8.0.0
  • Microsoft.Extensions.Configuration.Json 8.0.0
  • Microsoft.Extensions.Configuration.EnvironmentVariables 8.0.0
  • Microsoft.Extensions.Configuration.Binder 8.0.0
  • Microsoft.Extensions.Caching.StackExchangeRedis 8.0.0
  • Microsoft.EntityFrameworkCore.Tools 8.0.0
  • Microsoft.EntityFrameworkCore.Sqlite 8.0.0
  • Microsoft.CodeDom.Providers.DotNetCompilerPlatform 4.1.0
  • Microsoft.AspNetCore.TestHost 8.0.0
  • Microsoft.AspNetCore.SpaProxy 8.0.0
  • Microsoft.AspNetCore.Identity.UI 8.0.0
  • Microsoft.AspNetCore.Identity.EntityFrameworkCore 8.0.0
  • Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore 8.0.0
  • Microsoft.AspNetCore.Authentication.OpenIdConnect 8.0.0
  • Microsoft.AspNet.Mvc 5.3.0
  • coverlet.collector 6.0.0
  • System.Text.Json 8.0.0
  • System.Text.Encodings.Web 8.0.0
  • Microsoft.Extensions.Primitives 8.0.0
  • Microsoft.Extensions.Options 8.0.0
  • Microsoft.Extensions.Caching.Memory 8.0.0
  • Microsoft.Extensions.Caching.Abstractions 8.0.0
  • System.Text.Json 4.7.2
  • System.Text.Encodings.Web 4.7.2
  • Microsoft.Extensions.Primitives 2.2.0
  • Microsoft.Extensions.Options 2.2.0
  • Microsoft.Extensions.Caching.Memory 2.2.0
  • Microsoft.Extensions.Caching.Abstractions 2.2.0
  • Microsoft.AspNetCore.WebUtilities 2.2.0

  • Check this box to trigger a request for Renovate to run again on this repository

SingleSignOut ReadFormAsync error

When the site serves JSON requests and the client sends content-type=application/json, the middleware causes an error; it needs a further check:

if (context.Request.Method.Equals(HttpMethod.Post.Method, StringComparison.OrdinalIgnoreCase)
    && context.Request.ContentType.Equals("application/x-www-form-urlencoded", StringComparison.InvariantCulture))

Furthermore, when the app is clustered the function may not work. I provide a function that returns an IP and point list of all the nodes, excluding the local node, and I also send the message to the other nodes:

namespace Cas.Authentication.AspNetCore
{
    public class SingleSignOutOptions
    {
        public SingleSignOutOptions()
        {
            LoginPath = new PathString("/cas-login");
            LogoutPath = new PathString("/cas-logout");
        }

        public string CasBaseUrl { get; set; }
        public PathString LoginPath { get; set; }

        public PathString LogoutPath { get; set; }

        public IClusterNodeDiscover NodeDiscover { get; set; }
    }
}

public interface IClusterNodeDiscover
{
    IList GetAllNodes();
}

It may read nodes from Consul or zk.

In this middleware I also provide the sign-in and sign-out endpoints:

else if (context.Request.Path.StartsWithSegments(_signOutOptions.LoginPath))
{
    await context.ChallengeAsync(CasDefaults.AuthenticationType, new AuthenticationProperties
    {
        RedirectUri = context.Request.Query["ReturnUrl"]
    });
    return;
}
else if (context.Request.Path.StartsWithSegments(_signOutOptions.LogoutPath))
{
    await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    context.Response.Redirect($"{_signOutOptions.CasBaseUrl}/logout?service={Uri.EscapeDataString(context.Request.Scheme + "://" + context.Request.Host)}");
    return;
}

For the session store, I provide a simple wrapper to support IDistributedCache and IMemoryCache; any implementation can be used, and there is no need to reference a DLL:

.AddCas(new MemoryCache(Options.Create(new MemoryCacheOptions())), null,...;
