Vladyslav, The CAS ST is invalidated on first use and short lived (approx 10s, configurable). If you want your application to create only one JWT, you will need to keep a list of CAS tickets and JWT tickets.
Ray On Wed, 2017-06-21 at 01:38 -0700, Vladyslav Kutsenko wrote: Dear CAS community, We are in process of integrating Apereo CAS with a JavaScript SPA application using JWT ticket. The ticket is generated by CAS and submitted to the rest façade of our application as a ‘ticket’ get parameter. We have some concerns about the ticket being not a one-time ticket and so posing some thread due to its visibility in the url. We consider an implementation using this ticket as a trigger for generating a new JWT inside our service (custom JWT), but the service ticket embedded into the JWT generated by CAS is already validated, so we have no opportunity to invalidate the CAS JWT to prevent multiple custom JWT creation from the same CAS JWT ticket. We would appreciate your suggestions on this topic. Kind regards Vladyslav -- Ray Bon Programmer analyst Development Services, University Systems 2507218831 | CLE 023 | r...@uvic.ca -- - CAS gitter chatroom: https://gitter.im/apereo/cas - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html - CAS documentation website: https://apereo.github.io/cas - CAS project website: https://github.com/apereo/cas --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1498061461.2049.28.camel%40uvic.ca.