NAME

Plack::Auth::SSO::CAS - implementation of Plack::Auth::SSO for CAS

SYNOPSIS

#in your app.psgi

builder {

    mount "/auth/cas" => Plack::Auth::SSO::CAS->new(

        session_key => "auth_sso",
        uri_base => "http://localhost:5000",
        authorization_path => "/auth/cas/callback",
        error_path => "/auth/error"

    )->to_app;

    mount "/auth/cas/callback" => sub {

        my $env = shift;
        my $session = Plack::Session->new($env);
        my $auth_sso = $session->get("auth_sso");

        #not authenticated yet
        unless($auth_sso){

            return [403,["Content-Type" => "text/html"],["forbidden"]];

        }

        #process auth_sso (white list, roles ..)

        [200,["Content-Type" => "text/html"],["logged in!"]];

    };

    mount "/auth/error" => sub {

        my $env = shift;
        my $session = Plack::Session->new($env);
        my $auth_sso_error = $session->get("auth_sso_error");

        unless ( $auth_sso_error ) {

            return [ 302, [ Location => $self->uri_for( "/" ) ], [] ];

        }

        [ 200, [ "Content-Type" => "text/plain" ], [
            "Something went wrong. User could not be authenticated against CAS\n",
            "Please report this error:\n",
            $auth_sso_error->{content}
        ]];

    };

};

DESCRIPTION

This is an implementation of Plack::Auth::SSO to authenticate against a CAS server.

It inherits all configuration options from its parent.

CONFIG

cas_url

base url of the CAS service

ERRORS

Cf. https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#253-error-codes

When a ticket arrives, it is checked against the CAS Server. This can lead to the following situations:

* an error occurs. This means that the CAS server is down, or returned an unexpected response. The error type is "unknown":

{
    package => "Plack::Auth::SSO::CAS",
    package_id => "Plack::Auth::SSO::CAS",
    type => "unknown",
    content => "server could not complete request"
}

* the ticket is rejected by the CAS server. When the authentication code is "TICKET_INVALID" the user is redirected back to the CAS server. In other cases the type equals the authentication code, and content equals the error description.

{
    package => "Plack::Auth::SSO::CAS",
    package_id => "Plack::Auth::SSO::CAS",
    type => "INVALID_SERVICE",
    content => "invalid service"
}

TODO

* add an option to ignore validation of the SSL certificate of the CAS Service? For now you should set the environment like this:

export SSL_VERIFY_NONE=1
export PERL_LWP_SSL_VERIFY_HOSTNAME=0

AUTHOR

Nicolas Franck, <nicolas.franck at ugent.be>

SEE ALSO

Plack::Auth::SSO