
Comments (26)

 avatar commented on July 16, 2024 1

@manelclos I agree that sensitive information should be HTTPS. But my question is: in a development environment, where it may not have HTTPS all the time, does django-mama-cas still need HTTPS in LOGOUT_URL?

from django-mama-cas.

 avatar commented on July 16, 2024 1

@manelclos Thanks a lot for your reply and for providing the example. Have you tested the django-mama-cas server with 'MAMA_CAS_SERVICES'? Because the way you have configured the CAS server, it is operating in "open mode".

So can you check whether it works properly if you configure 'MAMA_CAS_SERVICES' in settings.py of the CAS server? If you can update the config after testing this, that will really help to resolve the issue. Thanks again. :)


lluww avatar lluww commented on July 16, 2024 1

@BarnabasSzabolcs do you mean 'LOGOUT_URL': 'http://127.0.1.1:80/accounts/callback' in the MAMA_CAS_SERVICES?

Thanks, I have the same problem.


 avatar commented on July 16, 2024

FYI I am using:

django-mama-cas==2.3.0 (as server)
django-cas-ng==3.5.8 (on the client side)


manelclos avatar manelclos commented on July 16, 2024

Hi @amanjots,

Of course you want HTTPS every time sensitive information like tokens or cookies travel across the network.

I'd say it is trying to use a proxy and it is not configured correctly, or you are not listening on the 443 port, I mean, it doesn't look like a CAS problem, but a network configuration problem.


 avatar commented on July 16, 2024

I tried to trace all the Django requests being sent or received with django-request. And I found that when a user clicks on Logout, he is logged out of the app, but there is no POST request sent for SLO messages to the other apps. So the user remains signed in to the other apps.


manelclos avatar manelclos commented on July 16, 2024

I don't think so. I'll try to do some testing using the repository from #59 to check for both issues.


manelclos avatar manelclos commented on July 16, 2024

Oops, the previous response is for the previous comment. About your new comment, I think there is some bad configuration on your side.


manelclos avatar manelclos commented on July 16, 2024

Can you check that in the client you are using

CAS_LOGOUT_COMPLETELY = True
CAS_VERSION = '3'

and that you have this in your urls.py?

from django.conf.urls import url
from django_cas_ng import views as cas_views

urlpatterns = [
    # ...
    url(r'^accounts/login/$', cas_views.login, name='login'),
    url(r'^accounts/logout/$', cas_views.logout, name='logout'),
    url(r'^admin/logout/$', cas_views.logout),
    # ...
]


 avatar commented on July 16, 2024

@manelclos yes the client has settings (CAS_LOGOUT_COMPLETELY = True & CAS_VERSION = '3'). In the URLs of the first django virtual environment, the Wagtail's admin authentication is to be handled by the django-ng-cas client, so the urls are:

    url(r'^admin/login/$', cas_views.login, name='cas_ng_login'),
    url(r'^admin/logout/$', cas_views.logout, name='cas_ng_logout'),
    url(r'^accounts/callback$', cas_views.callback, name='cas_ng_proxy_callback'),

And the third virtual environment has django-helpdesk, and to use CAS for its authentication I have changed the URLs to the following:

    url(r'^login/$', cas_views.login, name='cas_ng_login'),
    url(r'^logout/$', cas_views.logout, name='cas_ng_logout'),
    url(r'^accounts/callback$', cas_views.callback, name='cas_ng_proxy_callback'),

As per this tutorial, the callback "url processes logout request that comes from the CAS server." That's why I have used it in this way, and I have also tried 'admin/callback' or 'accounts/callback' or even commenting it out as well.

In the above config, single sign-on works perfectly fine. But, single log out doesn't work at all.


manelclos avatar manelclos commented on July 16, 2024

I've never used the callback setting in urls.py.


 avatar commented on July 16, 2024

@manelclos: I have tried without callback settings also, and SLO still doesn't work.

Further, I saw that you had found an issue with SLO before and tested it to work properly in #27

Can you please share the settings (from settings.py) and URLs of django-mama-cas and django-cas-ng that works for you? Thanks.


manelclos avatar manelclos commented on July 16, 2024

Hi @amanjots, I got some time today for testing this. Maybe you are missing this on the settings.py of the server (mama_cas):

MAMA_CAS_ENABLE_SINGLE_SIGN_OUT = True

I've fixed the SSO and SLO configurations so they are working in this example: https://github.com/manelclos/django-cas-test

See that when you log out from "cas_client" (app1) the cookie for the cas_server is deleted and also the one for "cas_client" (app1). "second_client" (app2) cookie is not deleted until you access "second_client" again.

Let me know if you get it working with the example repository.


manelclos avatar manelclos commented on July 16, 2024


 avatar commented on July 16, 2024

@manelclos Thanks again. Can you please add 'MAMA_CAS_SERVICES' configuration that you tested to be working to https://github.com/manelclos/django-cas-test ?


manelclos avatar manelclos commented on July 16, 2024

Sure thing, see here: manelclos/django-cas-test@f1b1dd9

On the server you can check:

$ python manage.py checkservice http://127.0.0.1
Invalid service: http://127.0.0.1

$ python manage.py checkservice http://127.0.0.1:8001
Valid service: http://127.0.0.1:8001
  Proxy allowed: True
  Logout allowed: True
  Logout URL: None
  Callbacks: 


manelclos avatar manelclos commented on July 16, 2024

@amanjots is this issue fixed?


 avatar commented on July 16, 2024

@manelclos I will have to do the testing again soon. Actually, the project structure that I was working on has changed completely. So, I will have to set up a separate project to test this issue. Kindly allow me a few days to ensure this issue is resolved. Thanks.


BarnabasSzabolcs avatar BarnabasSzabolcs commented on July 16, 2024

Thanks for the description - from this thread I figured out how to get this mama-client thing going. For me, single logout also does not work in local development mode if I use the http protocol. I'll check on staging whether it works with https.

Manel, ( @manelclos ) I have a multi-language multi-domain site. I have - as you suggested:

settings.py:

MAMA_CAS_ENABLE_SINGLE_SIGN_OUT = True
CAS_LOGOUT_COMPLETELY = True
CAS_VERSION = '3'

urls.py:

    path('accounts/', include('django.contrib.auth.urls')),
    url(r'^cas/', include('mama_cas.urls')),
    path('accounts/login', django_cas_ng.views.LoginView.as_view(), name='cas_ng_login'),
    path('accounts/logout', django_cas_ng.views.LogoutView.as_view(), name='cas_ng_logout'),
    url(r'^admin/logout/$', django_cas_ng.views.LogoutView.as_view()),

  • first I log in on Site1
  • then I go to Site2 and get automatically logged in
  • now I log out on Site2
  • expect to get logged out on Site1 but I stay logged in.

What am I missing?

Probably relevant part of my requirements.txt:

django-cas-ng==3.6.0
django-hosts==3.0
django-mama-cas==2.4.0
django==2.2.2


BarnabasSzabolcs avatar BarnabasSzabolcs commented on July 16, 2024

Ok, now I've figured it out. MAMA CAS calls back the relevant CAS clients and says goodbye.
For that, MAMA CAS has to be told where to say goodbye (it is done using the MAMA_CAS_SERVICES config variable) and the client has to provide a place for calling back (in case of DJANGO_CAS_NG it is CallbackView - they recommend setting "/accounts/callback" as AP).

from django-mama-cas.
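
The callback described above receives the CAS single logout message as a `logoutRequest` POST parameter. As an added example (not part of the thread and not code from django-mama-cas or django-cas-ng), this Python code parses that message in the CAS 3.0 format and drops the matching session; the sample ticket, `extract_session_index`, `handle_single_logout` and the `sessions_by_ticket` mapping are hypothetical.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the logoutRequest POST parameter (CAS 3.0 format);
# the ID and ticket values are made up for this example.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="constructed-id" Version="2.0" IssueInstant="2019-12-30T08:49:06Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1577695746-constructedTicket</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


def extract_session_index(logout_request, max_len=4096):
    """Return the service ticket named in a CAS logoutRequest, or None."""
    if not logout_request or len(logout_request) > max_len:
        return None
    # A CAS logout request never needs a DTD; refusing one keeps
    # entity-expansion payloads away from the XML parser.
    if "<!DOCTYPE" in logout_request or "<!ENTITY" in logout_request:
        return None
    try:
        root = ET.fromstring(logout_request)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP_NS:
        return None
    node = root.find("{%s}SessionIndex" % SAMLP_NS)
    ticket = (node.text or "").strip() if node is not None else ""
    return ticket or None


def handle_single_logout(post_data, sessions_by_ticket):
    """Drop the local session tied to the ticket; return True if one existed.

    sessions_by_ticket is a hypothetical ticket -> session mapping that the
    client filled in when it validated the ticket at login.
    """
    ticket = extract_session_index(post_data.get("logoutRequest", ""))
    if ticket is None:
        return False
    return sessions_by_ticket.pop(ticket, None) is not None
```

The endpoint is called by the CAS server rather than the user's browser, so the ticket value is the only thing tying the POST to a session.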

BarnabasSzabolcs avatar BarnabasSzabolcs commented on July 16, 2024

@lluww probably yes. My solution was to put my server behind nginx, locally.


zhao-dapeng avatar zhao-dapeng commented on July 16, 2024

[Screenshot 2019-12-30 4.49.06 PM]

The fact that request.user is AnonymousUser in the LogoutView function means that the logout_user(request) function will not be executed, resulting in a single logout failure, but I can't find a solution.


lluww avatar lluww commented on July 16, 2024

@BarnabasSzabolcs
Thanks, I will configure nginx and try again; only changing 'LOGOUT_URL' doesn't work.


BarnabasSzabolcs avatar BarnabasSzabolcs commented on July 16, 2024

@lluww
Ah, one more thing: with nginx I use mkcert https://github.com/FiloSottile/mkcert to generate local ssh certificates.

ssl_certificate /full/path/to/mypage.test-fullchain.pem;
ssl_certificate_key /full/path/to/mypage.test-key.pem;

and then mama-cas works fine for me. (otherwise I get some weird redirect on logout... something like http://127.0.0.1:8000/http://127.0.0.1:8000/)


lluww avatar lluww commented on July 16, 2024

@BarnabasSzabolcs Oh, I know my problem. I guess I forgot to add 'django_cas_ng.middleware.CASMiddleware' in the client app's setting.MIDDLEWARE. After that I can single-logout.

I haven't installed nginx.
This is my logout URL:
Request URL: http://127.0.0.1:8000/logout?service=http%3A%2F%2F127.0.1.2%3A8000%2F
Request Method: GET
Status Code: 302 Found
Remote Address: 127.0.0.1:8000

# setting.py server
MAMA_CAS_SERVICES = [
    {
        'SERVICE': 'http://127.0.1.1:8000',
        'CALLBACKS': [
            'mama_cas.callbacks.user_model_attributes',
        ],
        'LOGOUT_ALLOW': True,
        'LOGOUT_URL': 'http://127.0.1.1:8000/accounts/callback',
        'PROXY_ALLOW': True,
        # 'PROXY_PATTERN': '^https://proxy.example.com',
    },
    {
        'SERVICE': 'http://127.0.1.2:8000',
        'CALLBACKS': [
            'mama_cas.callbacks.user_model_attributes',
        ],
        'LOGOUT_ALLOW': True,
        'LOGOUT_URL': 'http://127.0.1.2:8000/accounts/callback',
        'PROXY_ALLOW': True,
        # 'PROXY_PATTERN': '^https://proxy.example.com',
    }
]
MAMA_CAS_ENABLE_SINGLE_SIGN_OUT = True

# setting.py client
ALLOWED_HOSTS = ['127.0.1.2']

CAS_SERVER_URL = 'http://127.0.0.1:8000'

CAS_VERSION = '3'

CAS_APPLY_ATTRIBUTES_TO_USER = True

CAS_LOGOUT_COMPLETELY = True

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'django_cas_ng.backends.CASBackend',
)

from django-mama-cas.
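
An added example, not from the thread or from either project: a check over a MAMA_CAS_SERVICES list like the one posted above that flags plain-http URLs, the "open mode" mentioned earlier in the thread, and logout settings that do not line up. The function names and the wording of the findings are assumptions of this example, and SERVICE values are assumed to be plain URL prefixes as in the post.

```python
from urllib.parse import urlsplit

# Constructed copy of the two-service layout posted in the thread.
THREAD_SERVICES = [
    {"SERVICE": "http://127.0.1.1:8000", "LOGOUT_ALLOW": True,
     "LOGOUT_URL": "http://127.0.1.1:8000/accounts/callback"},
    {"SERVICE": "http://127.0.1.2:8000", "LOGOUT_ALLOW": True,
     "LOGOUT_URL": "http://127.0.1.2:8000/accounts/callback"},
]


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url.lstrip("^"))  # SERVICE may start with a regex anchor
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def audit_services(services, single_sign_out=True):
    """Return sorted (service, finding) pairs for a MAMA_CAS_SERVICES list."""
    findings = set()
    if not services:
        findings.add(("*", "open mode: no service list is configured"))
    for entry in services:
        service = entry.get("SERVICE", "")
        logout_url = entry.get("LOGOUT_URL")
        # Tickets travel in both the service redirect and the logout POST.
        for label, url in (("SERVICE", service), ("LOGOUT_URL", logout_url)):
            if url and origin(url)[0] != "https":
                findings.add((service, label + " is plain http"))
        if single_sign_out and not entry.get("LOGOUT_ALLOW", False):
            findings.add((service, "LOGOUT_ALLOW is off for this service"))
        if logout_url and origin(logout_url) != origin(service):
            findings.add((service, "LOGOUT_URL origin differs from SERVICE"))
    return sorted(findings)
```

Run against the thread's development layout it reports four plain-http findings and nothing else; an https layout with matching origins comes back clean.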

girikusuma avatar girikusuma commented on July 16, 2024

Hello, I have a problem in making a logout system using mama cas, I can't get service at the login URL after logging out.
How to get service in URL when logout using mama cas?
