casauthbundle's Introduction

CasAuthBundle

Basic CAS (SSO) authenticator for Symfony 3 and 4

This bundle provides a -very- basic CAS (http://jasig.github.io/cas/4.1.x/index.html) authentication client for Symfony 3 and 4.

Installation

Install the library via Composer by running the following command:

composer require prayno/casauth-bundle

Next, enable the bundle in your app/AppKernel.php file:

<?php
// app/AppKernel.php

public function registerBundles()
{
    $bundles = array(
        // ...
        new PRayno\CasAuthBundle\PRaynoCasAuthBundle(),
        // ...
    );

    // ...

    return $bundles;
}

In config.yml (Symfony 3) or config/packages/p_rayno_cas_auth.yaml (create this file in Symfony 4), add these settings:

p_rayno_cas_auth:
    server_login_url: https://mycasserver/cas/
    server_validation_url: https://mycasserver/cas/serviceValidate
    server_logout_url: https://mycasserver/cas/logout
    xml_namespace: cas
    options: [] # see http://docs.guzzlephp.org/en/latest/request-options.html

Note: the xml_namespace and options parameters are optional.

Modify your security.yml with the following values. The provider in these settings is only a very basic example and should not be used in production; create your own UserProvider and put its service name in providers:cas:id.

security:
    providers:
        cas:
          id: prayno.cas_user_provider

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: ~
            logout: ~
            guard:
                authenticators:
                    - prayno.cas_authenticator

    access_control:
        - { path: ^/, roles: ROLE_USER }

And voilà! Your secured route should redirect you to your CAS login page, which should authenticate you.

CAS global logout option

If you want your users to be logged out of the remote CAS server when they log out of your app, apply the following settings:

security.yaml:

# ...
    firewalls:
        # ...
        main:
          # ...
          logout:
            path: /logout
            success_handler: PRayno\CasAuthBundle\Event\LogoutSuccessHandler

services.yaml:

# ...
services:
    # ...
    PRayno\CasAuthBundle\Event\LogoutSuccessHandler:
        arguments:
            $logoutUrl: "%cas_logout_url%"

Of course, you must set a "cas_logout_url" parameter in your app (e.g. https://my_remote_cas_server/logout).

Don't forget to define a /logout route in your app.

casauthbundle's People

Contributors

adamfranco, gcaux, junowilderness, prayno

casauthbundle's Issues

Authentication sso is true but role is false ??

Hi, I work on Symfony 4 and I want to use SSO authentication. I saw your library and saw that it works with Guard. I tested it and the redirection to the SSO works, but I don't know what to do when authentication is true but the role ROLE_USER doesn't exist. On the Symfony server I have an error: "Access denied, the user is not fully authenticated", and it redirects the user to the SSO, but he's already connected. I would like to redirect to a template with an error message. I need your help to understand.

Next, I would like to adapt your library to Symfony 4.

Thanks.

Add user attributes from CAS response

While CAS Protocol 1.0 & 2.0 defined only a <cas:user> attribute as required in the authentication response, many CAS server implementations release additional attributes. This attribute release can inform the application of details like a user's name, email address, preferred locale, and group membership. The phpCAS library currently supports looking for additional attributes in the CAS response encoded in several common formats. Replicating this support in CasAuthBundle will open up a number of options to applications using this bundle.

My read on the structure of the Symfony Authenticator/UserProvider/User system is that the proper place for attribute parsing and structuring would be in the CasUserProvider. The CasUserProvider would need access to the serviceValidate response XML though, so that would need to be provided to it by the CasAuthenticator prior to $userProvider->loadUserByUsername() being called. I'll have to investigate further how to properly expose a mechanism for passing data from the CasAuthenticator to the CasUserProvider that won't cause problems if there are multiple Authenticators or UserProviders configured into the application.

How to pass options to the Guzzle Client?

I fail to understand how to use the options configuration of this bundle. The Configuration defines it as an array of scalars and (if I'm not mistaken) the Guzzle Client expects an associative array of the form ['config key' => 'value'].

So it seems I need to use it like so :

p_rayno_cas_auth:
    
    options:
        some_option_1: "some_value_1"
        some_option_2: "some_value_2"

When the bundle's config only accepts

p_rayno_cas_auth:
    
    options:
        - "some_scalar_1"
        - "some_scalar_2"

Am I missing something?

Symfony 5.4 or 6.0 compatibility

Hello, many thanks for your great efforts! Really appreciate your time and your helpful bundle :)
I am wondering if I can use this CAS bundle for Symfony 6 or 5.4 for now?

Thank you again!

UnexpectedValueException: "The return value of "PRayno\CasAuthBundle\Security\CasAuthenticator::getCredentials()" must not be null

This exception can be thrown when a ticket query parameter is set but it is not valid or there was some other issue. The comment on getCredentials() is no longer true. The interface documentation reads @throws \UnexpectedValueException If null is returned. I actually think we are supposed to return false or an empty array instead.

Uncaught PHP Exception UnexpectedValueException: "The return value of "PRayno\CasAuthBundle\Security\CasAuthenticator::getCredentials()" must not be null. Return false from "PRayno\CasAuthBundle\Security\CasAuthenticator::supports()" instead." at ../vendor/symfony/security/Guard/Firewall/GuardAuthenticationListener.php line 119

Example to call CAS server

I want to use this library to make calls to the CAS server, but there are not really any docs to see an example of a call!

If someone could give me an example call from a controller.

Thanks

User provider problem

Hi,
First: thank you for this simple and useful bundle. But when I try to use it I get this exception: There is no user provider for user "Symfony\Component\Security\Core\User\User"

Any idea, please?

Thanks,
Abou

Logging out CAS session

Not sure if I can ask this here, but anyway:

I see the configuration includes a server_logout_url option,
but does the bundle allow logging out of CAS in any way?

Or do I have to implement my own LogoutSuccessHandler?

Attempted to call an undefined method named "getRootNode"

Hi,

I tried to install your bundle and everything was OK.

But when I start the Symfony project, nothing works and I have the following error:

PHP Fatal error: Uncaught Symfony\Component\Debug\Exception\UndefinedMethodException: Attempted to call an undefined method named "getRootNode" of class "Symfony\Component\Config\Definition\Builder\TreeBuilder". in /vendor/prayno/casauth-bundle/PRayno/CasAuthBundle/DependencyInjection/Configuration.php:22

Could you help me?

I'm on Linux and I use Symfony 3.4.

Thanks

Uncaught AuthenticationCredentialsNotFoundException every time (SF4)

Every time an unauthenticated client hits a path in a firewall there is an uncaught AuthenticationCredentialsNotFoundException. I think this only occurs in SF4 so it could be a framework bug. In SF3, the CRITICAL below is silently caught.

SF 4.1.0:

[2018-06-14 19:08:39] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"main","authenticators":1} []
[2018-06-14 19:08:39] security.DEBUG: Calling getCredentials() on guard configurator. {"firewall_key":"main","authenticator":"PRayno\\CasAuthBundle\\Security\\CasAuthenticator"} []
[2018-06-14 19:08:39] request.CRITICAL: Uncaught PHP Exception Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException: "A Token was not found in the TokenStorage." at /Users/cjm/Sites/vipre/vendor/symfony/security/Http/Firewall/AccessListener.php line 51 {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationCredentialsNotFoundException(code: 0): A Token was not found in the TokenStorage. at /Users/cjm/Sites/vipre/vendor/symfony/security/Http/Firewall/AccessListener.php:51)"} []
[2018-06-14 19:08:39] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationCredentialsNotFoundException(code: 0): A Token was not found in the TokenStorage. at /Users/cjm/Sites/vipre/vendor/symfony/security/Http/Firewall/AccessListener.php:51)"} []

This is what the same event logs in SF 3.4.11:

[2018-06-14 19:34:30] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"main","authenticators":1} []
[2018-06-14 19:34:30] security.DEBUG: Calling getCredentials() on guard configurator. {"firewall_key":"main","authenticator":"PRayno\\CasAuthBundle\\Security\\CasAuthenticator"} []
[2018-06-14 19:34:30] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationCredentialsNotFoundException(code: 0): A Token was not found in the TokenStorage. at /Users/cjm/Sites/vipre/vendor/symfony/security/Http/Firewall/AccessListener.php:51)"} []

Open to contributors?

Hello. Sorry if this is the wrong place to ask, but I didn't know how else to contact you. I am using the now defunct BeSimpleSsoAuthBundle and am looking for a S3 friendly replacement. I was going to build my own approach using Guard, but it looks like you all have already done a nice job here, and I generally think it would be better to have a public open source CAS option out there with active users and developers. So thank you for this project! Are you open to other developers contributing to the project? I see there are 3 issues open right now. Those aside, do you feel the bundle is currently stable and production-ready? Are you running it in production? Do you know if other third parties are running it?

Thanks,
Phil

Problem Username could not be found

Thank you for your useful bundle. I followed your documentation about the installation of the CAS client and I think that I misunderstood something.
When I return to my application (after login), I have a message like this:

{"message":"Username could not be found."}

I just created a new Symfony 3.4 project and I did the configuration like in your documentation. So in your CasAuthenticator, I add a var_dump :

public function getUser($credentials, UserProviderInterface $userProvider)
{
    if (isset($credentials[$this->username_attribute])) {
        var_dump($userProvider);
        return $userProvider->loadUserByUsername($credentials[$this->username_attribute]);
    } else {
        return null;
    }
}

And surprise, it returns :

object(Symfony\Component\Security\Core\User\InMemoryUserProvider)#241 (1) {
["users":"Symfony\Component\Security\Core\User\InMemoryUserProvider":private]=>
NULL
}
{"message":"Username could not be found."}

I don't understand why the provider is NULL. To be precise, it's the default userProvider used in your bundle.
Thank you for your answer.

Assign roles based on Attribute values

This is dependent on attributes being loaded (Issue #5).

Rather than only assigning the static ROLE_USER to all users who can authenticate via CAS, I'd like to be able to assign configurable roles based on user-attribute values.

For example, imagine a school with guests, students, faculty, and administrators. One application should only be available to students and faculty, so a configuration like the following might be used:

p_rayno_cas_auth:
    server_login_url: https://server.example.edu/cas/
    ...
    attribute_role_mapping:
        ROLE_USER:
            attribute_key: 'Status'
            attribute_values: ['Student', 'Faculty']
        ROLE_ADMINISTRATOR:
            attribute_key: 'MemberOf'
            attribute_values: ['CN=AdministratorsGroup,OU=Groups,DC=example,DC=edu']

If no attribute_role_mapping was defined, the existing behavior of all users getting ROLE_USER would be maintained.

There are likely other ways of mapping attributes to roles, both inside the CasAuthBundle or outside it after successful authentication. Any feedback on preferred ways of approaching this would be welcome.
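
The attribute parsing and role mapping proposed in this issue and in "Add user attributes from CAS response" above, as an added PHP example (not CasAuthBundle's code). It reads only the <cas:attributes> child-element format, one of several that CAS servers use; the function names parseCasResponse and rolesFromAttributes and the sample response are assumptions made for the example.

```php
<?php
// Added example, not CasAuthBundle code. Function names are hypothetical.
const CAS_NS = 'http://www.yale.edu/tp/cas'; // CAS protocol XML namespace URI
/** Returns ['user' => string, 'attributes' => [name => [values]]], or null on failure. */
function parseCasResponse(string $xml): ?array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // collect parse errors instead of emitting warnings
    // LIBXML_NONET forbids network access; LIBXML_NOENT is deliberately not set.
    if ($xml === '' || !$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        return null; // malformed XML, or a DOCTYPE that a CAS response never needs
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('c', CAS_NS); // match on namespace URI, not on the prefix
    $success = '/c:serviceResponse/c:authenticationSuccess';
    $user = $xp->query("$success/c:user")->item(0);
    if ($user === null || trim($user->textContent) === '') {
        return null; // authenticationFailure, or no user element
    }
    $attributes = [];
    foreach ($xp->query("$success/c:attributes/*") as $node) {
        $attributes[$node->localName][] = trim($node->textContent); // repeated = multi-valued
    }
    return ['user' => trim($user->textContent), 'attributes' => $attributes];
}

/** Roles per attribute_role_mapping; with no mapping, everyone gets ROLE_USER. */
function rolesFromAttributes(array $attributes, array $mapping): array
{
    if ($mapping === []) {
        return ['ROLE_USER'];
    }
    $roles = [];
    foreach ($mapping as $role => $rule) {
        $held = $attributes[$rule['attribute_key']] ?? [];
        if (array_intersect($held, $rule['attribute_values']) !== []) {
            $roles[] = $role; // at least one released value is in the allowed list
        }
    }
    return $roles;
}
// Constructed sample response and the mapping from the issue above.
$xml = <<<XML
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess>
  <cas:user>jdoe</cas:user>
  <cas:attributes><cas:Status>Student</cas:Status></cas:attributes>
</cas:authenticationSuccess></cas:serviceResponse>
XML;
$mapping = [
    'ROLE_USER' => ['attribute_key' => 'Status', 'attribute_values' => ['Student', 'Faculty']],
    'ROLE_ADMINISTRATOR' => ['attribute_key' => 'MemberOf',
        'attribute_values' => ['CN=AdministratorsGroup,OU=Groups,DC=example,DC=edu']],
];
$parsed = parseCasResponse($xml);
var_dump($parsed['user'], rolesFromAttributes($parsed['attributes'], $mapping));
```

A user whose attributes match no mapping entry ends up with an empty role list here, so the application still has to decide whether that user is denied or shown an error page.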

can't logout remotely

I've noticed that the parameter "server_logout_url" is not used anywhere, so when I log out, I only do so locally; when I try to log in the 2nd time, it happens automatically because I'm always connected on the SSO server.

is it possible to extend the bundle?

I've installed your bundle in my project, but I need to override your service because it uses a file_get_content of an url (it's not possible in my environment).

When I extend your CasAuthenticator class to override the getCredentials method, I get an error because attributes are private. Was your intention to avoid it being extended?
Do you want me to modify the visibility for those properties?

Thank you for your work on this bundle!

Can not authenticate with Symfony 4.4, OK with 4.3

With Symfony 4.3, it works like a charm.

When I update to 4.4, I have a redirect loop and I cannot be authenticated.
When I look in the dev logs, I find:

[2020-03-04 11:30:14] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"cas","authenticator":"PRayno\CasAuthBundle\Security\CasAuthenticator"} []
...
[2020-03-04 11:30:14] doctrine.DEBUG: SELECT ...
[2020-03-04 11:30:14] security.INFO: Guard authentication successful! {"token":"[object] (Symfony\Component\Security\Guard\Token\PostAuthenticationGuardToken: PostAuthenticationGuardToken(user="xxxxxxxx", authenticated=true, roles="ROLE_ADMIN_"))","authenticator":"PRayno\CasAuthBundle\Security\CasAuthenticator"} []
[2020-03-04 11:30:14] security.DEBUG: Guard authenticator set success response. {"response":"..."}
[2020-03-04 11:30:14] security.DEBUG: Remember me skipped: it is not configured for the firewall. {"authenticator":"PRayno\CasAuthBundle\Security\CasAuthenticator"} []
[2020-03-04 11:30:14] security.DEBUG: The "PRayno\CasAuthBundle\Security\CasAuthenticator" authenticator set the response. Any later authenticator will not be called {"authenticator":"PRayno\CasAuthBundle\Security\CasAuthenticator"} []
[2020-03-04 11:30:14] security.DEBUG: Stored the security token in the session. {"key":"_security_cas"} []
[2020-03-04 11:30:14] request.INFO: Matched route "diret".
[2020-03-04 11:30:14] security.DEBUG: Read existing security token from the session. {"key":"_security_cas","token_class":"Symfony\Component\Security\Guard\Token\PostAuthenticationGuardToken"} []
[2020-03-04 11:30:14] doctrine.DEBUG: SELECT...
[2020-03-04 11:30:14] security.DEBUG: Cannot refresh token because user has changed. {"username":"xxxxxxxx","provider":"Symfony\Bridge\Doctrine\Security\User\EntityUserProvider"} []
[2020-03-04 11:30:14] security.DEBUG: Token was deauthenticated after trying to refresh it. [] []
[2020-03-04 11:30:14] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"cas","authenticators":1} []
[2020-03-04 11:30:14] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"cas","authenticator":"PRayno\CasAuthBundle\Security\CasAuthenticator"} []
> [2020-03-04 11:30:14] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"cas","authenticator":"PRayno\CasAuthBundle\Security\CasAuthenticator"} []
[2020-03-04 11:30:14] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2020-03-04 11:30:14] security.DEBUG: Access denied, the user is not fully authenticated; redirecting to authentication entry point.

Any idea how to solve this problem?
Thanks!
