Apereo CAS - Passwordless Authentication


Collaborate
This blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

Overview

Passwordless authentication in CAS allows users to login without having to type in a password. Instead, passwords take the form of tokens that expire after a configurable period and are shared with users using communication methods such as email or SMS. Using this strategy, users are simply asked for an identifier (i.e. username) which is used to locate the user record that contains forms of contact such as email and phone number.

This is a short tutorial on how to set up CAS to use Passwordless Authentication to avoid the insecure practice of using a shared password for different services and improve user experience, especially for mobile devices and applications.

Our starting position is based on:

Configuration

Once you have decorated the CAS WAR Overlay with the proper extension module, you will need to adjust your CAS configuration (i.e. cas.properties file) to tune the feature for the following:

User Accounts

How should user records and contact information be found, given an identifier?

To keep things simple for this tutorial, we are going to use a static map of usernames that are linked to their methods of contact, such as email or phone number. The key in the map is taken to be the username eligible for authentication while the value can either be an email address or phone number that would be used to contact the user with issued tokens.

cas.authn.passwordless.accounts.simple.casuser=casuser@somewhere.org

Token Security

Tokens generated by CAS and shared with users are signed and encrypted. We can instruct CAS to use specific crypto keys for this purpose.

cas.authn.passwordless.tokens.crypto.encryption.key=bezKhHW...
cas.authn.passwordless.tokens.crypto.signing.key=KNV8PAClVycu...

If you skip this step, CAS will automatically generate at startup and will issue warnings in the logs for you.

We can also adjust the expiration time of generated tokens:

cas.authn.passwordless.tokens.expireInSeconds=30

Communication Strategy

To keep things simple, we will configure CAS to share tokens with users via email. How do we configure email settings such as message body, from, subject and the server settings?

cas.authn.passwordless.tokens.mail.from=cas-server@somewhere.org
cas.authn.passwordless.tokens.mail.text=Your CAS Passwordless token is <strong>%s</strong>.
cas.authn.passwordless.tokens.mail.subject=Your CAS Passwordless Token
cas.authn.passwordless.tokens.mail.html=true

We will also instruct CAS (and Spring Boot underneath) to use a dummy email server, running on localhost:

spring.mail.host=localhost
spring.mail.port=25000
# spring.mail.testConnection=true

Thou Shall Test

Once you attempt to access a CAS-protected application and assuming the application is properly registered with CAS, you’d be redirected to the CAS login screen as such:

image

casuser is the only entry in our simple account store that is set up for passwordless authentication. Once casuser logs in, CAS will ask for the shared token that is now shared with the user via an email message:

image

The email message from CAS will arrive in the user’s inbox with the token:

image

Assuming the token is still valid, CAS will ask and accept the token from the user and will proceed normally to route the flow to the requested application.

Pretty simple, eh?

So…

I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please know that all other use cases, scenarios, features, and theories certainly are possible as well. Feel free to engage and contribute as best as you can.

Happy Coding,

Misagh Moayyed

Related Posts

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Multifactor Authentication with U2F and Bypass

A short walkthrough to demonstrate how one might turn on multifactor authentication with CAS using U2F and default bypass rule.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Release Notes Moved

CAS Release Notes are moved to the CAS site.

CAS 6.2.0 RC5 Feature Release

...in which I present an overview of CAS 6.2.0 RC5 release.

CAS 6.2.0 RC4 Feature Release

...in which I present an overview of CAS 6.2.0 RC4 release.

CAS 6.2.0 RC3 Feature Release

...in which I present an overview of CAS 6.2.0 RC3 release.

Apereo CAS - Bootiful CAS Client

Easy to use CAS Client

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Checking Out Pull Requests Locally

Check out GitHub pull requests as local branches using a simple bash function.