NAME
Plack::Auth::SSO::CAS - implementation of Plack::Auth::SSO for CAS
SYNOPSIS
#in your app.psgi
builder {
mount "/auth/cas" => Plack::Auth::SSO::CAS->new(
session_key => "auth_sso",
uri_base => "http://localhost:5000",
authorization_path => "/auth/cas/callback",
error_path => "/auth/error"
)->to_app;
mount "/auth/cas/callback" => sub {
my $env = shift;
my $session = Plack::Session->new($env);
my $auth_sso = $session->get("auth_sso");
#not authenticated yet
unless($auth_sso){
return [403,["Content-Type" => "text/html"],["forbidden"]];
}
#process auth_sso (white list, roles ..)
[200,["Content-Type" => "text/html"],["logged in!"]];
};
mount "/auth/error" => sub {
my $env = shift;
my $session = Plack::Session->new($env);
my $auth_sso_error = $session->get("auth_sso_error");
unless ( $auth_sso_error ) {
return [ 302, [ Location => $self->uri_for( "/" ) ], [] ];
}
[ 200, [ "Content-Type" => "text/plain" ], [
"Something went wrong. User could not be authenticated against CAS\n",
"Please report this error:\n",
$auth_sso_error->{content}
]];
};
};
DESCRIPTION
This is an implementation of Plack::Auth::SSO to authenticate against a CAS server.
It inherits all configuration options from its parent.
CONFIG
- cas_url
-
base url of the CAS service
ERRORS
Cf. https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#253-error-codes
When a ticket arrives, it is checked against the CAS Server. This can lead to the following situations:
* an error occurs. This means that the CAS server is down, or returned an unexpected response. The error type is "unknown":
{
package => "Plack::Auth::SSO::CAS",
package_id => "Plack::Auth::SSO::CAS",
type => "unknown",
content => "server could not complete request"
}
* the ticket is rejected by the CAS server. When the authentication code is "TICKET_INVALID" the user is redirected back to the CAS server. In other cases the type equals the authentication code, and content equals the error description.
{
package => "Plack::Auth::SSO::CAS",
package_id => "Plack::Auth::SSO::CAS",
type => "INVALID_SERVICE",
content => "invalid service"
}
TODO
* add an option to ignore validation of the SSL certificate of the CAS Service? For now you should set the environment like this:
export SSL_VERIFY_NONE=1
export PERL_LWP_SSL_VERIFY_HOSTNAME=0
AUTHOR
Nicolas Franck, <nicolas.franck at ugent.be>