Using CAS authentication provider


#1

I’ve been working with Phabricator for several weeks now, and I’m at the point where I’d like to move forward with it inside of our organization. We’re a university and primarily use CAS for our authentication. I found a Phabricator CAS authentication provider, but it hasn’t been updated since 2013 and I’ve only had marginal success getting it to work. I’d be more confident in saying it was just a lack of understanding on my part (still a likely cause of my problems) if it weren’t such a long time since there had been any commits or issues on the project.

Is anyone else using Phabricator and CAS?


#2

Sorry, I haven’t heard of anyone using this provider (and I actually had to google what CAS is). I spent 30 seconds skimming the implementation you linked to and nothing obviously wrong leapt out at me. If you want to see an example of a relatively modern auth provider implementation that’s supported by the upstream and doesn’t use OAuth, check out the LDAP provider: https://secure.phabricator.com/source/phabricator/browse/master/src/applications/auth/provider/PhabricatorLDAPAuthProvider.php

One thing I did notice is that the CAS implementation for renderLoginForm is using some very old UI patterns that may or may not work any more in the current version of Phabricator. If everything seems to be working in your environment except that the login dialogue doesn’t render at all or looks totally broken, I’d probably start looking at making the CAS renderLoginForm look more like the modern LDAP provider: https://secure.phabricator.com/source/phabricator/browse/master/src/applications/auth/provider/PhabricatorLDAPAuthProvider.php$66

If you do get it working, be aware that the upstream has very little interest in supporting any additional authentication providers, so be prepared to maintain this extension in your environment indefinitely. On the other hand, the API for authentication providers has been stable for a long time, because this is an area where we expect users to add their own extensions. Finally, since the entire CAS adapter implementation is only a few hundred lines, it might be faster to start a new extension from scratch using the documentation here, and then copying over the relevant lines from the old project: https://secure.phabricator.com/book/phabcontrib/article/adding_new_classes/#creating-libraries


#3

Thanks for the quick reply, and for the useful tips.

CAS has a foothold in higher education and is the preferred integration with authentication services at our university. I was cautiously optimistic that the plugin I found would work, but I suspected that it also might be a bit stale, as you’ve confirmed.

I totally understand and am sympathetic to your point about not wishing to undertake support for CAS. I was mostly looking to see if anyone had been using the service “in the wild” and might have put some effort into keeping it current. Institutionally, we do have some resources to put toward updating or building something (although we’d welcome help from anyone else wishing to contribute–contact me directly if you can). It doesn’t seem like rocket science, and Phabricator’s framework for constructing an auth provider was pretty straightforward to follow, so I’m going to take a stab at it.


#4

By way of an update, I’ve got a working prototype. :grin:

The biggest problem I had, actually, was that Apache seems to ignore the Content-Security-Policy headers generated by Phabricator. Since the login button was directing the user to another site, the browser would “eat” the redirect request and the rest of the login process was aborted.

I have some cleanup to do, but I’ll post it on GitHub (at least until I’m ready to host repos on our Phabricator instance!).