Client Registration - OAuth Authentication
Every OAuth relying party must be defined as a CAS service:
1
2
3
4
5
6
7
8
9
10
{
"@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
"clientId": "clientid",
"clientSecret": "clientSecret",
"serviceId" : "^(https|imaps)://<redirect-uri>.*",
"name" : "OAuthService",
"id" : 100,
"supportedGrantTypes": [ "java.util.HashSet", [ "...", "..." ] ],
"supportedResponseTypes": [ "java.util.HashSet", [ "...", "..." ] ]
}
The following fields are supported:
Field | Description |
---|---|
clientId |
The client identifier for the application/service. |
clientSecret |
The client secret for the application/service. The client secret received from the service will be URL decoded before being compared to the secret in the CAS service definition. |
userProfileViewType |
Formatting options for the user profiles; Default is undefined. Options are NESTED , FLAT . |
supportedGrantTypes |
Collection of supported grant types for this service. |
supportedResponseTypes |
Collection of supported response types for this service. |
bypassApprovalPrompt |
Whether approval prompt/consent screen should be bypassed. Default is false . |
generateRefreshToken |
Whether a refresh token should be generated along with the access token. Default is false . |
renewRefreshToken |
Whether the existing refresh token should be expired and a new one generated (and sent along) whenever a new access token is requested (with grant_type = refresh_token ). Only possible if generateRefreshToken is set to true . Default is false . |
jwtAccessToken |
Whether access tokens should be created as JWTs. Default is false . |
serviceId |
The pattern that authorizes the redirect URI(s), or same as clientId in case redirect_uri is not required by the grant type (i.e client_credentials , etc). |
You are encouraged to only keep and maintain properties and settings needed for a particular integration. It is UNNECESSARY to grab a copy of all service fields and try to configure them yet again based on their default. While you may wish to keep a copy as a reference, this strategy would ultimately lead to poor upgrades increasing chances of breaking changes and a messy deployment at that.
Service definitions are typically managed by the service management facility.
CAS today does not strictly enforce the collection of authorized supported response/grant types for backward compatibility reasons. This means that if left undefined, all grant and response types may be allowed by the service definition and related policies. Do please note that this behavior is subject to change in future releases and thus, it is strongly recommended that all authorized grant/response types for each profile be declared in the service definition immediately to avoid surprises in the future.
Encryptable Client Secrets
Client secrets for OAuth relying parties may be defined as encrypted values prefixed with {cas-cipher}
:
1
2
3
4
5
6
7
8
{
"@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
"clientId": "clientid",
"clientSecret": "{cas-cipher}eyJhbGciOiJIUzUxMiIs...",
"serviceId" : "^(https|imaps)://<redirect-uri>.*",
"name": "Sample",
"id": 100
}
Client secrets may be encrypted using CAS-provided cipher operations either manually or via the CAS Command-line shell.
The following settings and properties are available from the CAS configuration catalog:
cas.authn.oauth.access-token.crypto.encryption.key=
The encryption key is a JWT whose length is defined by the encryption key size setting.
|
cas.authn.oauth.access-token.crypto.signing.key=
The signing key is a JWT whose length is defined by the signing key size setting.
|
cas.authn.oauth.crypto.encryption.key=
The encryption key is a JWT whose length is defined by the encryption key size setting.
|
cas.authn.oauth.crypto.signing.key=
The signing key is a JWT whose length is defined by the signing key size setting.
|
cas.authn.oauth.uma.requesting-party-token.jwks-file.location=
The location of the resource. Resources can be URLS, or files found either on the classpath or outside somewhere in the file system. In the event the configured resource is a Groovy script, specially if the script set to reload on changes, you may need to adjust the total number ofinotify instances. On Linux, you may need to add the following line to /etc/sysctl.conf : fs.inotify.max_user_instances = 256 . You can check the current value via cat /proc/sys/fs/inotify/max_user_instances .
|
cas.authn.oauth.uma.core.issuer=http://localhost:8080/cas
UMA issuer.
|
cas.authn.oauth.uma.resource-set.jpa.driver-class=org.hsqldb.jdbcDriver
The JDBC driver used to connect to the database.
|
cas.authn.oauth.uma.resource-set.jpa.password=
The database connection password.
|
cas.authn.oauth.uma.resource-set.jpa.url=jdbc:hsqldb:mem:cas-hsql-database
The database connection URL. This setting supports the Spring Expression Language.
|
cas.authn.oauth.uma.resource-set.jpa.user=sa
The database user. The database user must have sufficient permissions to be able to handle schema changes and updates, when needed.
|
cas.authn.oauth.session-replication.replicate-sessions=true
Indicates whether profiles and other session data, collected as part of authentication flows and protocol requests that are kept by the container session, should be replicated across the cluster using CAS and its own ticket registry. Without this option, profile data and other related pieces of information should be manually replicated via means and libraries outside of CAS.
|
cas.authn.oauth.csrf-cookie.comment=CAS Cookie
CAS Cookie comment, describes the cookie's usage and purpose.
|
cas.authn.oauth.csrf-cookie.domain=
Cookie domain. Specifies the domain within which this cookie should be presented. The form of the domain name is specified by RFC 2965. A domain name begins with a dot (.foo.com) and means that the cookie is visible to servers in a specified Domain Name System (DNS) zone (for example, www.foo.com, but not a.b.foo.com). By default, cookies are only returned to the server that sent them.
|
cas.authn.oauth.csrf-cookie.http-only=true
true if this cookie contains the HttpOnly attribute. This means that the cookie should not be accessible to scripting engines, like javascript.
|
cas.authn.oauth.csrf-cookie.max-age=-1
The maximum age of the cookie, specified in seconds. By default,
|
cas.authn.oauth.csrf-cookie.name=
Cookie name. Constructs a cookie with a specified name and value. The name must conform to RFC 2965. That means it can contain only ASCII alphanumeric characters and cannot contain commas, semicolons, or white space or begin with a
|
cas.authn.oauth.csrf-cookie.path=
Cookie path. Specifies a path for the cookie to which the client should return the cookie. The cookie is visible to all the pages in the directory you specify, and all the pages in that directory's subdirectories. A cookie's path must include the servlet that set the cookie, for example, /catalog, which makes the cookie visible to all directories on the server under /catalog. Consult RFC 2965 (available on the Internet) for more information on setting path names for cookies.
|
cas.authn.oauth.csrf-cookie.same-site-policy=
If a cookie is only intended to be accessed in a first party context, the developer has the option to apply one of settings SameSite=None , to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute is used so cross-site cookies can only be accessed over HTTPS connections. Accepted values are:
|
cas.authn.oauth.csrf-cookie.secure=true
True if sending this cookie should be restricted to a secure protocol, or false if the it can be sent using any protocol.
|
cas.authn.oauth.access-token.crypto.alg=
The signing/encryption algorithm to use.
|
cas.authn.oauth.access-token.crypto.enabled=true
Whether crypto operations are enabled.
|
cas.authn.oauth.access-token.crypto.encryption-enabled=true
Whether crypto encryption operations are enabled.
|
cas.authn.oauth.access-token.crypto.encryption.key-size=512
The encryption key size.
|
cas.authn.oauth.access-token.crypto.signing-enabled=true
Whether crypto signing operations are enabled.
|
cas.authn.oauth.access-token.crypto.signing.key-size=512
The signing key size.
|
cas.authn.oauth.access-token.crypto.strategy-type=ENCRYPT_AND_SIGN
Control the cipher sequence of operations. The accepted values are:
|
cas.authn.oauth.crypto.alg=
The signing/encryption algorithm to use.
|
cas.authn.oauth.crypto.enabled=true
Whether crypto operations are enabled.
|
cas.authn.oauth.crypto.encryption-enabled=true
Whether crypto encryption operations are enabled.
|
cas.authn.oauth.crypto.encryption.key-size=512
The encryption key size.
|
cas.authn.oauth.crypto.signing-enabled=true
Whether crypto signing operations are enabled.
|
cas.authn.oauth.crypto.signing.key-size=512
The signing key size.
|
cas.authn.oauth.crypto.strategy-type=ENCRYPT_AND_SIGN
Control the cipher sequence of operations. The accepted values are:
|
cas.authn.oauth.uma.resource-set.jpa.pool.keep-alive-time=0
This property controls the keepalive interval for a connection in the pool. An in-use connection will never be tested by the keepalive thread, only when it is idle will it be tested. Default is zero, which disables this feature. This settings supports the
|