Hi,

Last major topic I'm thinking about:
Based on my understanding, we now have one major strategy to integrate an additional protocol: using the /login url with new parameters to provide new behaviours, i.e. a new action in the webflow, a new extractor, a new service class... That's what is done for Google Accounts (SAML) support and for OpenId support (server support). That's what I did for OAuth client support.

But for OAuth server support, I chose another strategy: separate server OAuth endpoints (new urls) and login process (/login url). To sum up, a request is sent to an OAuth server url (/oauth/authorize), which is delegated to the /login CAS process with an internal callback OAuth service; a successful CAS authentication then redirects the user to an OAuth callback url (/oauth/callback) to continue the OAuth authentication process.

As supporting new protocols (https://wiki.jasig.org/display/CAS/CAS+Roadmap, https://wiki.jasig.org/pages/viewpage.action?pageId=28574039) is one of the main CAS purposes, I'm wondering about the right strategy to integrate external protocols (including OAuth). Overriding the /login process seems to me like a limited solution, as it makes things more complicated to understand and maintain, and I'm not sure we can even make all protocols work at the same spot. Even if adding an external protocol outside the login process may raise the need to redirect to and back from the login process with an internal protocol-specific CAS service, it sounds to me like a good solution.

As CAS is a web SSO, shouldn't we take some kind of "REST approach"? Exposing external protocols through new urls and keeping the /login url dedicated to the login process and the CAS protocol use? We would have a complete vision of the CAS features through its urls.
As an example, I would propose exposing these "normalized" urls:

/oauth/server/2.0 : sub urls (/authorize, /access_token, /profile) are used to handle authorize, access token and profile calls for the OAuth 2.0 protocol
/oauth/client/login : with a provider parameter, this url could be referenced in the CAS login page to delegate authentication to an external OAuth provider (like Facebook)
/oauth/client/callback : this is the url where the user is redirected after being authenticated at the OAuth provider
/openid/ids/xxx : OpenId identifier for user xxx
/openid/server/1.1 : identity provider url for the OpenID 1.1 protocol
/login : dedicated to the login process and CAS support
...

I don't know if it has already been discussed or if it's too soon to address it, but I think it's worth bringing this into discussion...

Best regards,
Jérôme

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
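As an added example (not CAS code and not part of the mail above), the following Python sketch models the delegation the mail describes: /oauth/authorize hands the browser off to /login with an internal callback service, CAS issues a service ticket to that service, and /oauth/callback validates the ticket and resumes the OAuth flow by issuing an authorization code. The hostname, the registered client and service, the `sid` parameter used to re-find the original authorize request, and the in-memory stores are all assumptions made for illustration; the checks shown (redirect_uri must match the registered client, the callback service must be registered, the ticket is single-use and bound to the exact service URL) are the ones a practitioner would expect the real endpoints to enforce.

```python
"""In-memory model of the /oauth/authorize -> /login -> /oauth/callback chain.

Added example; not CAS code. Hostnames, registrations and the `sid`
parameter are assumptions for illustration.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CAS_BASE = "https://cas.example.org"  # assumed CAS server base URL
CALLBACK = CAS_BASE + "/oauth/callback"

# Constructed sample registrations (assumption: a real server would persist these).
OAUTH_CLIENTS = {"app1": {"redirect_uri": "https://app1.example.org/cb"}}
REGISTERED_SERVICES = {CALLBACK}  # the internal callback service must be registered

service_tickets = {}  # ticket -> (service url, authenticated user)
pending = {}          # sid -> original /oauth/authorize query
auth_codes = {}       # authorization code -> (client_id, user)


def oauth_authorize(query):
    """/oauth/authorize: check the client, stash the request, redirect to /login."""
    client = OAUTH_CLIENTS.get(query.get("client_id"))
    if client is None or query.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unknown client or redirect_uri mismatch")
    sid = secrets.token_urlsafe(16)
    pending[sid] = dict(query)
    # The service handed to CAS carries only an opaque id, not the client params.
    service = CALLBACK + "?" + urlencode({"sid": sid})
    return CAS_BASE + "/login?" + urlencode({"service": service})


def cas_login(login_url, authenticated_user):
    """/login: after authenticating the user, issue a service ticket to the service."""
    service = parse_qs(urlparse(login_url).query)["service"][0]
    if service.split("?", 1)[0] not in REGISTERED_SERVICES:
        raise ValueError("service not registered")
    ticket = "ST-" + secrets.token_urlsafe(16)
    service_tickets[ticket] = (service, authenticated_user)
    sep = "&" if "?" in service else "?"
    return service + sep + urlencode({"ticket": ticket})


def cas_validate(service, ticket):
    """Ticket validation: single use, and bound to the exact service URL."""
    entry = service_tickets.pop(ticket, None)
    if entry is None or entry[0] != service:
        raise ValueError("invalid ticket")
    return entry[1]


def oauth_callback(callback_url):
    """/oauth/callback: validate the ticket, then finish the OAuth authorize step."""
    parsed = urlparse(callback_url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    ticket = params.pop("ticket")
    # Rebuild the service exactly as it was given to /login (URL minus the ticket).
    service = parsed._replace(query=urlencode(params)).geturl()
    user = cas_validate(service, ticket)
    req = pending.pop(params["sid"])
    code = secrets.token_urlsafe(16)
    auth_codes[code] = (req["client_id"], user)
    out = {"code": code}
    if "state" in req:
        out["state"] = req["state"]  # echo the client's state unchanged
    return req["redirect_uri"] + "?" + urlencode(out)


def run_flow(query, user):
    """Drive the three redirects end to end; returns the final client redirect."""
    return oauth_callback(cas_login(oauth_authorize(query), user))


def rejected(fn, *args):
    """True if fn(*args) is refused with ValueError (used to show the checks fire)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The point of routing through `sid` rather than appending the client's parameters to the callback service is that the service string CAS sees stays short and the ticket is bound to it; the original OAuth request is re-read server-side at /oauth/callback, so a tampered redirect_uri on the way back cannot change where the code is delivered.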
