OpenID Connect Authentication

Allow CAS to act as an OpenId Connect Provider (OP).

Remember

OpenId Connect is a continuation of the OAuth protocol with some additional variations. If you enable OpenId Connect, you will have automatically enabled OAuth as well. Options and behaviors that are documented for the OAuth protocol support may apply here just the same.

Support is enabled by including the following dependency in the WAR overlay:

1
2
3
4
5
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-oidc</artifactId>
  <version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-support-oidc:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
  imports {
    mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
  }
}

dependencies {  
  implementation "org.apereo.cas:cas-server-support-oidc"
}

To learn more about OpenId Connect, please review this guide.

The current implementation provides support for:

Endpoints

Field Description
/oidc/.well-known The discovery endpoint used to query for CAS OIDC configuration information and metadata.
/oidc/.well-known/openid-configuration Same as .well-known discovery endpoint.
/oidc/.well-known/webfinger WebFinger discovery endpoint
/oidc/jwks Contains the server’s public signing keys, which clients may use to verify the digital signatures of access tokens and ID tokens issued by CAS.
/oidc/authorize Authorization requests are handled here.
/oidc/profile User profile requests are handled here.
/oidc/logout Logout requests are handled here.
/oidc/introspect Query CAS to detect the status of a given access token via introspection. This endpoint expects HTTP basic authentication with OIDC service client_id and client_secret associated as username and password.
/oidc/accessToken, /oidc/token Produces authorized access tokens.
/oidc/revoke Revoke access or refresh tokens. This endpoint expects HTTP basic authentication with OIDC service client_id and client_secret associated as username and password.
/oidc/register Register clients via the dynamic client registration protocol.
Use Discovery

The above endpoints are not strictly defined in the OpenID Connect specification. The CAS software may choose to change URL endpoints at any point in time. Do NOT hardcode these endpoints in your application configuration. Instead, use the Dynamic Discovery endpoint and parse the discovery document to discover the endpoints.

Configuration

The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

  • cas.authn.oidc.core.issuer=http://localhost:8080/cas/oidc
  • OIDC issuer.

    org.apereo.cas.configuration.model.support.oidc.OidcCoreProperties.

    The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value.