Reputation: 3330
Combining CAS with OAuth
We are already using CAS for single sign on for several web applications that we are hosting. Now we are going to deploy several HTTP/REST services in our network and those need authentication and authorization.
Would it be a good idea to combine CAS with OAuth ?
Users would still use CAS for SSO, but additionally login procedure would issue OAuth ticket that would be used to access REST services.
Upvotes: 0
Views: 463
Answers (2)
Reputation: 4318
REST services can be protected via CAS proxy authn. Additionally, they can be integrated with OAuth. CAS provides both OAuth and OIDC protocol functionality as well.
Upvotes: 1
Reputation: 54088
That's certainly valid. OAuth 2.0 doesn't specify/dictate how the user (Resource Owner) is authenticated and CAS/SSO is fine for that. Effectively you'd be leveraging a CASified Authorization Server so that the Resource Owner authenticates with CAS to the Authorization Server, which is "just" an application to the CAS SSO system. The Authorization Server would then issue an access token down to the Client so that the Client can use that access token to access the protected resources i.e. the REST services.
Upvotes: 0
Related Questions
- spring security openid connect request for access token implementation doesn't align cas api requirement
- Specify what CAS should return after authentication
- Cas 6.1.x OAuth client_credentials with scope
- Apereo CAS attribute caching
- Redirection error with CAS Oauth authentication
- Does CAS 4.0.1 support OAuth Grant Type "Implicit"?
- CAS OAuth Authentication Using Google OAuth 2.0 and Using Yahoo OAuth 1.0
- Single Sign on to secure REST APIs and internal web based system
- service provider login oauth
- Authenticating from a "child" application via CAS