Connect cas is a connect-based middleware that allows you to authenticate through a CAS 2.0+ server. It supports the gateway auth, single sign-out, and proxying other CAS clients.
Adapted from https://github.com/jmarca/cas_validate
npm install connect-cas
Many of these options are borrowed from node's url documentation. You may set global options through the .configure()
method or override them with any of the exposed middleware.
procotol
The protocol to communicate with the CAS Server. Defaults to 'https'.host
CAS server hostnameport
CAS server port number. Defaults to 443.gateway
Send all validation requests through the CAS gateway feature. Defaults to false.paths
serviceValidate
Path to validate TGTproxyValidate
Path to validate PGT (not implemented)proxy
Path to obtain a proxy ticketlogin
Path to the CAS login
var cas = require('connect-cas');
var connect = require('connect');
connect()
.use(connect.cookieParser('hello world'))
.use(connect.cookieSession()) // or whatever session store
.use(cas.serviceValidate())
.use(cas.authenticate())
A more complete example of a simple Express app that uses CAS for login, displays the CAS username, and offers a logout link can be found in the example
folder. You'll need to copy example/app.js
to your own folder and install its dependencies:
npm install express
npm install connect-cas
Express is required only for the example app. It is not required for connect-cas
.
To proxy services, you can configure the serviceValidate
middleware like below:
connect()
...
.use(cas.serviceValidate({pgtUrl: '/pgtCallback'}))
.use(cas.proxyTicket({targetService: 'https://service-to-proxy/blah'});
...
The proxy granting ticket value will be available in req.session.pgt
and a hash of proxy tickets are available in req.pt
. You may then append that proxy ticket manually to the services you wish to proxy. To reuse the proxy tickets, see #25.
You may also pass in an absolute url if you wish for the pgtCallback to be in a separate app. If so, pass in an additional pgtFn
:
connect()
.use(cas.serviceValidate({pgtUrl: 'https://some-server.com/pgtCallback', pgtFn:function(pgtIou, cb){
// given the pgtIou, retrieve the pgtId however you can. Then call ...
cb(err, 'PGT-thepgtid');
}));
- If you are behind an https proxy, be sure to set
X-Forwarded-Proto
headers. Connect-cas uses it to infer its own location for redirection.
MIT