NAME

Plack::Auth::SSO::CAS - implementation of Plack::Auth::SSO for CAS

SYNOPSIS

    #in your app.psgi

    builder {

        mount "/auth/cas" => Plack::Auth::SSO::CAS->new(

            session_key => "auth_sso",
            uri_base => "http://localhost:5000",
            authorization_path => "/auth/cas/callback",
            error_path => "/auth/error"

        )->to_app;

        mount "/auth/cas/callback" => sub {

            my $env = shift;
            my $session = Plack::Session->new($env);
            my $auth_sso = $session->get("auth_sso");

            #not authenticated yet
            unless($auth_sso){

                return [403,["Content-Type" => "text/html"],["forbidden"]];

            }

            #process auth_sso (white list, roles ..)

            [200,["Content-Type" => "text/html"],["logged in!"]];

        };

        mount "/auth/error" => sub {

            my $env = shift;
            my $session = Plack::Session->new($env);
            my $auth_sso_error = $session->get("auth_sso_error");

            unless ( $auth_sso_error ) {

                return [ 302, [ Location => $self->uri_for( "/" ) ], [] ];

            }

            [ 200, [ "Content-Type" => "text/plain" ], [
                "Something went wrong. User could not be authenticated against CAS\n",
                "Please report this error:\n",
                $auth_sso_error->{content}
            ]];

        };

    };

DESCRIPTION

This is an implementation of Plack::Auth::SSO to authenticate against a CAS server.

It inherits all configuration options from its parent.

CONFIG

cas_url

base url of the CAS service

LOGGING

All subclasses of Plack::Auth::SSO use Log::Any to log messages to the category that equals the current package name.

ERRORS

Cf. https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#253-error-codes

When a ticket arrives, it is checked against the CAS Server. This can lead to the following situations:

* an error occurs. This means that the CAS server is down, or returned an unexpected response. The error type is "unknown":

    {
        package => "Plack::Auth::SSO::CAS",
        package_id => "Plack::Auth::SSO::CAS",
        type => "unknown",
        content => "server could not complete request"
    }

* the ticket is rejected by the CAS server. When the authentication code is "TICKET_INVALID" the user is redirected back to the CAS server. In other cases the type equals the authentication code, and content equals the error description.

    {
        package => "Plack::Auth::SSO::CAS",
        package_id => "Plack::Auth::SSO::CAS",
        type => "INVALID_SERVICE",
        content => "invalid service"
    }

TODO

* add an option to ignore validation of the SSL certificate of the CAS Service? For now you should set the environment like this:

    export SSL_VERIFY_NONE=1
    export PERL_LWP_SSL_VERIFY_HOSTNAME=0

AUTHOR

Nicolas Franck, <nicolas.franck at ugent.be>

SEE ALSO

Plack::Auth::SSO