Yan,
It is dangerous indeed.
In the CAS protocol, it is a first premise that all services trust one CAS
authentication service. According to my understanding, the "credential" you
mentioned above is what you need to log in to the CAS service. If those
credentials are leaked, the attacker will be able to log
Yan,
The most obvious reason for not returning the password is the loss of security.
Once the password is released, you lose control. You have to trust that the
client app will protect the password while it is in the user's session
(encrypted or not) and that it is stored in a safe manner. (I w
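To make the point of the reply above concrete, here is an added example (it is not code from the thread or from the CAS project) of a miniature CAS-style flow: the CAS server alone checks the password, the browser is handed a short-lived, single-use service ticket bound to one service URL, and the application only ever sees that ticket and the server's validation answer. The user store, ticket format, lifetime and in-memory storage are assumptions made for the example; only the shape of the /serviceValidate XML response follows the CAS 2.0 protocol.

```python
"""Added example: CAS-style ticket validation so the app never holds the password."""
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
TICKET_LIFETIME_S = 10  # assumption for the example; real deployments tune this


class CasServer:
    """Stand-in for the single CAS authentication service everyone trusts."""

    def __init__(self):
        # Constructed user store: salted PBKDF2 hashes, never plaintext passwords.
        self._salt = secrets.token_bytes(16)
        self._users = {"yan": self._hash("correct horse")}
        self._tickets = {}  # ticket -> (user, service URL, issued_at)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, user, password, service):
        """Browser posts the password here; returns a service ticket or None."""
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored, self._hash(password)):
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (user, service, time.time())
        return ticket

    def service_validate(self, ticket, service, now=None):
        """CAS 2.0 /serviceValidate: consume the ticket and answer with XML."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)  # single use: a replay fails
        if entry is None:
            return _failure("INVALID_TICKET", f"Ticket {ticket} not recognized")
        user, bound_service, issued = entry
        if bound_service != service:
            return _failure("INVALID_SERVICE", "Ticket was issued for a different service")
        if now - issued > TICKET_LIFETIME_S:
            return _failure("INVALID_TICKET", "Ticket expired")
        return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
                f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
                "</cas:authenticationSuccess></cas:serviceResponse>")


def _failure(code, message):
    return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
            f"<cas:authenticationFailure code='{code}'>{message}"
            "</cas:authenticationFailure></cas:serviceResponse>")


def parse_service_response(xml_text):
    """Application side: return the authenticated user, or None on any failure."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        return None
    user = success.find(f"{{{CAS_NS}}}user")
    return user.text if user is not None else None


def app_consume_ticket(server, service, ticket):
    """All the application ever receives: a ticket, which it validates at CAS."""
    return parse_service_response(server.service_validate(ticket, service))


if __name__ == "__main__":
    cas = CasServer()
    app = "https://app.example/login"
    st = cas.login("yan", "correct horse", app)   # browser -> CAS
    print("first validation:", app_consume_ticket(cas, app, st))
    print("replayed ticket:", app_consume_ticket(cas, app, st))
```

The application code path holds a ticket and a username, nothing else; a compromised application session can at worst replay a ticket that the server has already consumed.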
Thanks for the reply.
What we might consider is a stripped-down version of a very simple
authentication API. When CAS is down, the app will call it, just so customers
can still get some work done. We will not support SSO with that stripped-down
version. There is no write operation on this API, either,
In this case, I suggest you use another authentication method rather
than still relying on the CAS protocol. I was asked to design a plan B for this
incident the other day, but the plan is still not ready yet.
It is hard to strike a balance between user experience and security. In my
opinion, p