OAuth and OIDC at UC Davis
Overview
OAuth 2.0 and OIDC are offered as part of the CAS SSO server at UC Davis. This means a single SSO session is created and used to log in users through either the OAuth or the CAS protocol. The Code and Implicit flows are supported in the version currently in production; Hybrid flows, which combine the two, are not yet supported. The current deployment is suitable for third-party integrations and for locally deployed services whose redirects can be confined to a single domain, and token lifespans are equivalent to the CAS session length. The next CAS version will allow multiple redirect domains, including localhost, to be defined for a single service. A service provider will also be able to set code and token lifespans per service, so that short-lived tokens can be issued for one-time access to sensitive REST APIs, for instance.
Endpoints
Endpoint | Description | Method |
---|---|---|
/cas/oauth2.0/authorize | Authorize the user and start the CAS authentication flow. | GET |
/cas/oauth2.0/accessToken, /oauth2.0/token | Get an access token in plain text or JSON. | POST |
/cas/oauth2.0/profile | Get the authenticated user profile in JSON via access_token parameter. | GET |
/cas/oauth2.0/introspect | Query CAS to detect the status of a given access token via introspection. | POST |
/cas/oauth2.0/device | Approve device user codes via the device flow protocol. | POST |
Endpoint | Description |
---|---|
/cas/oidc/.well-known | The discovery endpoint used to query for CAS OIDC configuration information and metadata. |
/cas/oidc/.well-known/openid-configuration | Same as above. |
/cas/oidc/jwks | Contains the server’s public signing keys, which clients may use to verify the digital signatures of access tokens and ID tokens issued by CAS. |
/cas/oidc/authorize | Authorization requests are handled here. |
/cas/oidc/profile | User profile requests are handled here. |
/cas/oidc/introspect | Query CAS to detect the status of a given access token via introspection. |
/cas/oidc/accessToken, /oidc/token | Produces authorized access tokens. |
/cas/oidc/revoke | Revoke access or refresh tokens. |
Response/Grant Types
Authorization Code
Endpoint | Parameters | Response |
---|---|---|
/cas/oauth2.0/authorize | response_type=code&client_id=<ID>&redirect_uri=<CALLBACK> | OAuth code as a parameter of the CALLBACK url. |
/cas/oauth2.0/accessToken | grant_type=authorization_code&client_id=ID&client_secret=SECRET&code=CODE&redirect_uri=CALLBACK | The access token. |
Token/Implicit
Endpoint | Parameters | Response |
---|---|---|
/cas/oauth2.0/authorize | response_type=token&client_id=ID&redirect_uri=CALLBACK | The access token as an anchor parameter of the CALLBACK url. |
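The Authorization Code and Token/Implicit tables above describe the two browser-facing flows in terms of parameters only. The following Python module is an added example, not UC Davis's or Apereo CAS's own code, and it walks a client through both: building the authorize URL with a per-login `state`, reading the callback (query string for the code flow, URL fragment for the implicit flow) and refusing any callback whose `state` does not match, exchanging the code at `/cas/oauth2.0/accessToken` over the back channel, and calling `/cas/oauth2.0/profile` with the `access_token` parameter. It assumes `stage.cas.ucdavis.edu` as the host (the page names it as the place to test first), accepts both the plain-text and JSON token responses the endpoint table mentions, and takes injectable `post`/`get` transports so it can be exercised without a network.

```python
"""Authorization-code and implicit-flow client for the CAS endpoints listed above (added example)."""
import json
import secrets
import urllib.parse
import urllib.request

# Assumed host; the page names stage.cas.ucdavis.edu as the place to test first.
CAS_BASE = "https://stage.cas.ucdavis.edu"
AUTHORIZE_PATH = "/cas/oauth2.0/authorize"
TOKEN_PATH = "/cas/oauth2.0/accessToken"
PROFILE_PATH = "/cas/oauth2.0/profile"


def new_state():
    """Unguessable per-login value; the caller stores it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state, response_type="code", base=CAS_BASE):
    """Step 1: the URL the browser is sent to. response_type is 'code' or 'token' (implicit)."""
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return base + AUTHORIZE_PATH + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: read what CAS sent back, rejecting anything whose state does not match.

    Code flow: ?code=...&state=... in the query string (server side).
    Implicit flow: #access_token=...&state=... in the fragment, which browsers never send
    to the server, so page script must hand the fragment to this function.
    """
    parts = urllib.parse.urlsplit(callback_url)
    query = dict(urllib.parse.parse_qsl(parts.query))
    fragment = dict(urllib.parse.parse_qsl(parts.fragment))
    params = fragment if "access_token" in fragment else query
    received = params.get("state", "")
    if not expected_state or not secrets.compare_digest(received.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discarding callback")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"])
    return params


def _post_form(url, fields):
    """Default transport: form-encoded POST; returns (content type, body text)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Content-Type", ""), resp.read().decode()


def parse_token_response(content_type, body):
    """The endpoint table says the token endpoint answers in plain text or JSON; accept both."""
    if "json" in content_type:
        return json.loads(body)
    return dict(urllib.parse.parse_qsl(body))  # plain-text form: access_token=...&expires=...


def exchange_code(client_id, client_secret, code, redirect_uri, base=CAS_BASE, post=_post_form):
    """Step 3 (code flow only): back-channel exchange; the client secret never reaches the browser."""
    fields = {"grant_type": "authorization_code", "client_id": client_id,
              "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri}
    tokens = parse_token_response(*post(base + TOKEN_PATH, fields))
    if "access_token" not in tokens:
        raise ValueError("token endpoint returned no access_token: %r" % (tokens,))
    return tokens


def _get_json(url):
    """Default transport for the profile call."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode())


def fetch_profile(access_token, base=CAS_BASE, get=_get_json):
    """Step 4: /profile takes the token as the access_token parameter, per the endpoint table."""
    return get(base + PROFILE_PATH + "?" + urllib.parse.urlencode({"access_token": access_token}))
```

In a web application the sequence is: call `new_state()` and save it in the session, redirect to `build_authorize_url(...)`, then on the callback run `parse_callback(request_url, session_state)` before anything else; only for the code flow does `exchange_code(...)` follow, and `fetch_profile(...)` then returns the attributes released on the service's Attributes tab. For the implicit flow the fragment has to be read by page script and posted to the application, which is one reason the code flow is the better default when a back channel exists.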
Password
Endpoint | Parameters | Response |
---|---|---|
/cas/oauth2.0/accessToken | | The access token. |
Client Credentials
Endpoint | Parameters | Response |
---|---|---|
/cas/oauth2.0/accessToken | grant_type=client_credentials&client_id=client&client_secret=secret | The access token. |
Refresh Token
Endpoint | Parameters | Response |
---|---|---|
/cas/oauth2.0/accessToken | grant_type=refresh_token&client_id=<ID>&client_secret=SECRET&refresh_token=REFRESH_TOKEN | The new access token. |
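The Refresh Token row above and the `/introspect` endpoint in the tables cover the lifetime of a token after it is issued. This Python module is an added example, not part of the UC Davis page or of Apereo CAS: a client-side `TokenSet` that tracks the absolute expiry computed from `expires_in`, refreshes through the `refresh_token` grant shortly before expiry (keeping the old refresh token when the response does not rotate it), and a resource-side `introspect` that asks CAS whether a presented access token is still active. The host, the refresh margin and the use of HTTP Basic client authentication on the introspection call are assumptions; the transport is injectable so the logic can be checked offline.

```python
"""Token lifecycle against the CAS endpoints above: refresh before expiry, introspect on the resource side."""
import base64
import json
import time
import urllib.parse
import urllib.request

CAS_BASE = "https://stage.cas.ucdavis.edu"   # assumed host; stage is where the page says to test first
TOKEN_PATH = "/cas/oauth2.0/accessToken"
INTROSPECT_PATH = "/cas/oauth2.0/introspect"
REFRESH_MARGIN = 60  # seconds before expiry at which to refresh, so a token never expires mid-request (assumed)


def _post_form(url, fields, headers=None):
    """Default transport: form-encoded POST returning the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class TokenSet:
    """Access/refresh token pair plus absolute expiry, built from a token-endpoint response."""

    def __init__(self, response, now=None):
        now = time.time() if now is None else now
        self.access_token = response["access_token"]
        self.refresh_token = response.get("refresh_token")
        self.expires_at = now + int(response.get("expires_in", 0))

    def needs_refresh(self, now):
        return now >= self.expires_at - REFRESH_MARGIN


def refresh(tokens, client_id, client_secret, base=CAS_BASE, post=_post_form, now=None):
    """Exchange the refresh token for a new access token (the Refresh Token row above)."""
    fields = {"grant_type": "refresh_token", "client_id": client_id,
              "client_secret": client_secret, "refresh_token": tokens.refresh_token}
    response = post(base + TOKEN_PATH, fields)
    response.setdefault("refresh_token", tokens.refresh_token)  # keep the old one unless CAS rotated it
    return TokenSet(response, now)


def ensure_fresh(tokens, client_id, client_secret, now=None, **transport):
    """Return a TokenSet that is good for at least REFRESH_MARGIN seconds, refreshing if needed."""
    now = time.time() if now is None else now
    if not tokens.needs_refresh(now):
        return tokens
    if not tokens.refresh_token:
        raise RuntimeError("access token expired and no refresh token held; the user must log in again")
    return refresh(tokens, client_id, client_secret, now=now, **transport)


def introspect(token, client_id, client_secret, base=CAS_BASE, post=_post_form):
    """Resource-server check: is this token still active according to CAS?

    Assumes the introspection endpoint authenticates the client with HTTP Basic auth.
    Treat anything other than an explicit active=true as inactive.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    result = post(base + INTROSPECT_PATH, {"token": token}, {"Authorization": "Basic " + creds})
    return result.get("active") is True
```

Because the current deployment ties token lifespans to the CAS session length, `needs_refresh` will rarely fire today; once per-service lifespans arrive and tokens become short-lived, the same code keeps working. A resource that accepts bearer tokens from several clients should call `introspect` (or cache its result for a short period) rather than trusting an opaque token on sight.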
Registering OAuth Services
Registering a new OAuth service into CAS requires you to visit https://casmgr.ucdavis.edu/oauth. You add a new service by selecting either "Add OAuth Service" or "Add OIDC Service" from the navigation menu on the left-hand side.
The first tab is identical to registering any other service into CAS. Instead of a Service or Login URL, you will create a regular expression covering the Redirect URIs that will be used in your authentication calls.
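The Redirect URI pattern on the first tab decides where CAS will deliver the authorization code or access token, so it should be checked before it is registered. The following Python snippet is an added example, not UC Davis's registered values or CAS's matching code: it compares a loose pattern (unanchored, with an unescaped `.`) against a tight one using constructed URIs. The page does not say whether CAS requires a full match or a "find" match, so the check assumes the more permissive find semantics; a pattern anchored with `^` and `$` passes under either rule.

```python
"""Check a Redirect URI regular expression before registering it (added example, constructed values)."""
import re

# Constructed patterns: an unanchored one with an unescaped '.', and a tight one.
LOOSE_PATTERN = r"https://myapp.ucdavis.edu.*"
STRICT_PATTERN = r"^https://myapp\.ucdavis\.edu/oauth/callback$"

# Constructed URIs. Whatever a pattern accepts is where CAS will send the code or token,
# so the second list is what the pattern must never match.
MUST_ALLOW = ["https://myapp.ucdavis.edu/oauth/callback"]
MUST_REJECT = [
    "https://myapp.ucdavis.edu.other.example/oauth/callback",  # different host: '.' and '.*' let it through
    "https://myapp.ucdavis.edu/oauth/callback/../other",       # right host, different path
    "https://other.example/?next=https://myapp.ucdavis.edu/oauth/callback",  # real host only as a substring
]


def pattern_allows(pattern, redirect_uri):
    """Apply the pattern with 'find' semantics (assumed; the page does not state CAS's matching rule)."""
    return re.search(pattern, redirect_uri) is not None


def audit_redirect_pattern(pattern, must_allow=MUST_ALLOW, must_reject=MUST_REJECT):
    """Return (wrongly_rejected, wrongly_allowed); both empty means the pattern is safe to register."""
    wrongly_rejected = [u for u in must_allow if not pattern_allows(pattern, u)]
    wrongly_allowed = [u for u in must_reject if pattern_allows(pattern, u)]
    return wrongly_rejected, wrongly_allowed


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        rejected, allowed = audit_redirect_pattern(pattern)
        print(f"{name}: wrongly rejected={rejected} wrongly allowed={allowed}")
```

Run against the constructed lists, the loose pattern accepts all three URIs it should reject while the strict one accepts only the real callback; escape every literal `.`, anchor both ends, and list each callback path explicitly rather than ending the pattern with `.*`.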
The OAuth Tab represents the OAuth credentials and other settings used by the protocol when authorizing services.
The two most important fields in the tab shown above are the Client ID and the Client Secret. You will need to make note of these to configure your OAuth client or to provide them to a third-party vendor integration. The ID and Secret fields are generated for you, and you can generate new values with the "Refresh" buttons next to each field. They are also open to editing, but weak client credentials will be rejected on submission.
By default, CAS will prompt the user for approval to grant a token on their behalf to the requesting service. This only comes into play with flows that use the CAS UI to gather credentials.
The Attributes tab allows you to choose which attributes to release as part of the response from the /profile endpoint.
Clicking on a field in the Source column opens a drop-down selection box with the available attributes. Selecting an option fills the Source and Mapped To columns with the same value. If you need to release the value under a different name, change the value in the Mapped To column to the desired attribute name.
After Saving a new service it will be in the "Pending" list until a CAS Admin reviews and approves it.
After approval by a CAS Admin, the service will appear in "Your Services" and be marked as "Staged".
Your new service is now available for use on stage.cas.ucdavis.edu. For this initial rollout of these new protocols, we are asking that you test your integration on "stage" before promoting it to production. This may introduce some challenges, especially with third-party vendors, and this requirement will be reviewed going forward.
Once you have verified your integration on stage, you can request that the service be promoted to production CAS by selecting the hamburger menu next to your service and choosing "Promote".
A CAS Admin will approve your request and you will be notified by email when the service is available in production.
https://apereo.github.io/cas/6.0.x/installation/OAuth-OpenId-Authentication.html
https://apereo.github.io/cas/6.0.x/installation/OIDC-Authentication.html