Connect CAS
Connect cas is a connect-based middleware that allows you to authenticate through a CAS 2.0+ server. It supports the gateway auth, single sign-out, and proxying other CAS clients.
Adapted from https://github.com/jmarca/cas_validate
Installation
npm install connect-cas
Options
Many of these options are borrowed from node's url documentation. You may set global options through the .configure()
method or override them with any of the exposed middleware.
-
protocol
The protocol to communicate with the CAS Server. Defaults to 'https'. -
host
CAS server hostname -
port
CAS server port number. Defaults to 443. -
gateway
Send all validation requests through the CAS gateway feature. Defaults to false. -
paths
-
serviceValidate
Path to validate TGT -
proxyValidate
Path to validate PGT (not implemented) -
proxy
Path to obtain a proxy ticket -
login
Path to the CAS login
-
-
agentOptions
- Options used when making requests to the CAS server (see request's docs here)
Usage
var cas = require('connect-cas');
var connect = require('connect');
connect()
.use(connect.cookieParser('hello world'))
.use(connect.cookieSession()) // or whatever session store
.use(cas.serviceValidate())
.use(cas.authenticate())
Complete Example
A more complete example of a simple Express app that uses CAS for login, displays the CAS username, and offers a logout link can be found in the example
folder. You'll need to copy example/app.js
to your own folder and install its dependencies:
npm install express
npm install connect-cas
Express is required only for the example app. It is not required for connect-cas
.
Proxy Tickets
To proxy services, you can configure the serviceValidate
middleware like below:
connect()
...
.use(cas.serviceValidate({pgtUrl: '/pgtCallback'}))
.use(cas.proxyTicket({targetService: 'https://service-to-proxy/blah'});
...
The proxy granting ticket value will be available in req.session.pgt
and a hash of proxy tickets are available in req.pt
. You may then append that proxy ticket manually to the services you wish to proxy. To reuse the proxy tickets, see #25.
You may also pass in an absolute url if you wish for the pgtCallback to be in a separate app. If so, pass in an additional pgtFn
:
connect()
.use(cas.serviceValidate({pgtUrl: 'https://some-server.com/pgtCallback', pgtFn:function(pgtIou, cb){
// given the pgtIou, retrieve the pgtId however you can. Then call ...
cb(err, 'PGT-thepgtid');
}));
Notes
- If you are behind an https proxy, be sure to set
X-Forwarded-Proto
headers. Connect-cas uses it to infer its own location for redirection.
License
MIT