Apereo CAS - Passwordless Authentication



Overview

Passwordless authentication in CAS allows users to login without having to type in a password. Instead, passwords take the form of tokens that expire after a configurable period and are shared with users using communication methods such as email or SMS. Using this strategy, users are simply asked for an identifier (i.e. username) which is used to locate the user record that contains forms of contact such as email and phone number.

This is a short tutorial on how to set up CAS to use Passwordless Authentication to avoid the insecure practice of using a shared password for different services and improve user experience, especially for mobile devices and applications.

Our starting position is based on:

Configuration

Once you have decorated the CAS WAR Overlay with the proper extension module, you will need to adjust your CAS configuration (i.e. cas.properties file) to tune the feature for the following:

User Accounts

How should user records and contact information be found, given an identifier?

To keep things simple for this tutorial, we are going to use a static map of usernames that are linked to their methods of contact, such as email or phone number. The key in the map is taken to be the username eligible for authentication while the value can either be an email address or phone number that would be used to contact the user with issued tokens.

cas.authn.passwordless.accounts.simple.casuser=casuser@somewhere.org

Token Security

Tokens generated by CAS and shared with users are signed and encrypted. We can instruct CAS to use specific crypto keys for this purpose.

cas.authn.passwordless.tokens.crypto.encryption.key=bezKhHW...
cas.authn.passwordless.tokens.crypto.signing.key=KNV8PAClVycu...

If you skip this step, CAS will generate the keys automatically at startup and issue warnings in the logs. That is fine for a throwaway test setup, but in a multi-node deployment every node must share the same keys for tokens to validate consistently.

We can also adjust the expiration time of generated tokens:

cas.authn.passwordless.tokens.expireInSeconds=30

Communication Strategy

To keep things simple, we will configure CAS to share tokens with users via email. How do we configure email settings such as message body, from, subject and the server settings?

cas.authn.passwordless.tokens.mail.from=cas-server@somewhere.org
cas.authn.passwordless.tokens.mail.text=Your CAS Passwordless token is <strong>%s</strong>.
cas.authn.passwordless.tokens.mail.subject=Your CAS Passwordless Token
cas.authn.passwordless.tokens.mail.html=true

We will also instruct CAS (and Spring Boot underneath) to use a dummy email server, running on localhost:

spring.mail.host=localhost
spring.mail.port=25000
# spring.mail.testConnection=true
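As an added example that is not part of the CAS project or of this post's original configuration, here is a small SMTP sink in Python that listens on the localhost:25000 address configured above, accepts mail from CAS without authentication or TLS, and pulls the token out of the <strong>...</strong> body that the mail.text template above produces. The regular expression, the SmtpSession class and the received list are this example's own assumptions.

```python
import asyncio
import re

TOKEN_RE = re.compile(r"<strong>([^<]+)</strong>")  # mirrors the mail.text template above
received = []  # one dict per accepted message: from, to, token

class SmtpSession:
    def __init__(self):
        self.sender, self.rcpts, self.lines, self.in_data = None, [], [], False

    def handle_line(self, line):
        """Reply to one client line, or None while the message body is being collected."""
        if self.in_data:
            if line != ".":
                self.lines.append(line[1:] if line.startswith("..") else line)  # un-dot-stuff
                return None
            match = TOKEN_RE.search("\n".join(self.lines))
            received.append({"from": self.sender, "to": self.rcpts, "token": match.group(1) if match else None})
            self.__init__()  # envelope consumed; ready for the next message on this connection
            return "250 OK"
        verb, _, arg = line.partition(" ")
        verb, addr = verb.upper(), arg.split(":", 1)[-1].strip()
        if verb == "MAIL":
            self.sender = addr
        elif verb == "RCPT":
            self.rcpts.append(addr)
        elif verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        elif verb == "QUIT":
            return "221 Bye"
        elif verb not in ("HELO", "EHLO"):
            return "500 Unrecognized command"
        return "250 OK"  # bare EHLO reply: no AUTH or STARTTLS advertised

async def _serve(reader, writer):
    writer.write(b"220 localhost CAS test SMTP sink\r\n")
    session = SmtpSession()
    while raw := await reader.readline():  # empty bytes means the client hung up
        reply = session.handle_line(raw.decode("utf-8", "replace").rstrip("\r\n"))
        if reply:
            writer.write(reply.encode() + b"\r\n")
            await writer.drain()
    writer.close()

if __name__ == "__main__":  # listen where spring.mail.host/port above point
    async def run():
        server = await asyncio.start_server(_serve, "localhost", 25000)
        async with server:
            await server.serve_forever()
    asyncio.run(run())
```

Start it before CAS; nothing is relayed, so test tokens never leave the machine.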

Thou Shall Test

Once you attempt to access a CAS-protected application and assuming the application is properly registered with CAS, you’d be redirected to the CAS login screen as such:

[image: CAS login screen asking for a username]

casuser is the only entry in our simple account store that is set up for passwordless authentication. Once casuser submits the username, CAS will ask for the token, which has meanwhile been sent to the user in an email message:

[image: CAS prompting for the passwordless token]

The email message from CAS will arrive in the user’s inbox with the token:

[image: the email message from CAS containing the token]

Assuming the token is still valid, CAS will accept the token from the user and proceed normally, routing the flow on to the requested application.

Pretty simple, eh?

So…

I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please know that all other use cases, scenarios, features, and theories certainly are possible as well. Feel free to engage and contribute as best as you can.

Happy Coding,

Misagh Moayyed
