OpenID Connect With CAS User Guide

Overview

OpenID Connect is a protocol for authenticating users, built on top of the OAuth 2.0 authorization framework. Using CAS, you can act as an OpenID Connect Provider (OP), authenticating users using the OpenID Connect (OIDC) protocol, or as a relying party (RP) that requests user authorization from an OP.

Terminology

Access token: A credential that is used to access protected resources. An access token is a string, and represents an authorization that is issued to the client.

Authorization Endpoint: A resource on an OpenID Provider that accepts an authorization request from a client to perform authentication and authorization on a user. The authorization endpoint returns an authorization grant (or code) to the client in the Basic Client Profile. In the Implicit Client Profile, the authorization endpoint returns an ID token and access token to the client. The authorization grant is a credential that represents a user's authorization to access resources. This credential is used by a client to obtain an access token.

Claim: Information that is asserted about an entity. Examples of a claim include a phone number, given name, or surname.

ID token: A JSON Web Token (JWT) that contains claims about the authenticated user.

Introspection Endpoint: A resource on an OpenID Provider that enables a client that holds an access token to retrieve information. The information is used to create the access token (such as the user name, granted scopes, or client ID).

OpenID Provider (OP): An OAuth 2.0 authorization server that can provide claims to a client, or Relying Party (RP).

Refresh Token: A token that is issued to the client by the OP. The token is used to obtain a new access token when the current access token expires or to obtain more access tokens.

Relying Party (RP): Either a WebSphere Application Server configured as an OpenID Connect Client, or a client application that requires claims from an OpenID Provider (OP).

Scope: Privilege or permission that is allowed to access resources of a third party.

Token Endpoint: A resource on an OpenID Provider that accepts an authorization grant (or code) from a client in exchange for an access token, ID token, and refresh token.

Endpoints


Example with a python client

First create a new virtual environment and then install the following (python-jose provides the jose module the example imports):

$ pip install flask
$ pip install requests requests_oauthlib python-jose

Then your application.py can be as follows:

import os
from random import SystemRandom
from flask import Flask, request, redirect, session, url_for, abort
from requests_oauthlib import OAuth2Session
import requests
from jose import jwt  # pip install python-jose

random = SystemRandom()
# Public keys CAS uses to sign ID tokens, fetched once at start-up
keys = requests.get('https://cas1.apiit.edu.my/cas/oidc/jwks').json()

app = Flask(__name__)
app.secret_key = 'super secret key'  # replace with a random value in production

# Allow an http:// redirect URI (local development only; use https in production)
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'

CONFIG = {
    'client_id': 'this will be provided by CAS after you have registered your service successfully',
    'client_secret': 'this will be provided by CAS after you have registered your service successfully',
    'auth_url': 'https://cas1.apiit.edu.my/cas/oidc/authorize',
    'token_url': 'https://cas1.apiit.edu.my/cas/oidc/accessToken',
    'redirect_uri': 'http://localhost:5000/callback',
}

OIDC_CONFIG = {
    'jwt_pubkeys': keys,
    'scope': ['openid', 'email', 'profile'],
    'expected_issuer': 'https://cas1.apiit.edu.my/cas/oidc',
    'algorithm': 'RS256',
}
CONFIG.update(OIDC_CONFIG)


@app.route('/')
def index():
    if 'user_id' not in session:
        return redirect(url_for('login'))
    return 'Logged in as %s (%s)' % (session.get('user_name'), session.get('user_email'))


@app.route('/login', methods=['GET'])
def login():
    provider = OAuth2Session(client_id=CONFIG['client_id'],
                             scope=CONFIG['scope'],
                             redirect_uri=CONFIG['redirect_uri'])
    # The nonce ties the ID token we get back to this login attempt
    nonce = str(random.randint(0, 10**10))
    url, state = provider.authorization_url(CONFIG['auth_url'], nonce=nonce)
    session['oauth2_state'] = state
    session['nonce'] = nonce
    return redirect(url)


@app.route('/callback', methods=['GET'])
def callback():
    provider = OAuth2Session(CONFIG['client_id'],
                             redirect_uri=CONFIG['redirect_uri'],
                             state=session['oauth2_state'])
    # request.url carries the code and state CAS appended to the redirect;
    # requests_oauthlib checks the state against the one stored at /login
    response = provider.fetch_token(token_url=CONFIG['token_url'],
                                    client_secret=CONFIG['client_secret'],
                                    authorization_response=request.url)
    session['access_token'] = response['access_token']
    id_token = response['id_token']
    # Verify signature, issuer, audience and at_hash before trusting any claim
    claims = jwt.decode(id_token,
                        key=CONFIG['jwt_pubkeys'],
                        issuer=CONFIG['expected_issuer'],
                        audience=CONFIG['client_id'],
                        algorithms=CONFIG['algorithm'],
                        access_token=response['access_token'])
    # Reject an ID token that was not minted for this login attempt
    if claims.get('nonce') != session.pop('nonce', None):
        abort(400)
    session['user_id'] = claims['sub']
    session['user_email'] = claims.get('email')
    session['user_name'] = claims.get('name')
    return redirect(url_for('index'))


if __name__ == '__main__':
    app.run(port=5000)



Copyright © Asia Pacific University. All Rights Reserved.