A simple situation. Suppose there are several applications:

    user.war      // frontend
    admin.war     // frontend
    portal.war    // frontend
    rest-api.war  // REST API

... that need SSO, so that a user who has logged in once can work with all of them under the appropriate ACLs. The client applications contain essentially nothing but JS code; they call the API and display the data they receive.

CAS works well between the client applications, because they support HTTP redirects. With REST it is all more complicated. I get the impression that the authors of CAS have never heard of REST or statelessness.

As far as can be understood from the fragmentary documentation, PGT was invented in order to use CAS for a REST API, i.e. one of the frontend applications has to act as a proxy for the API. Apparently this would be Web Flow. At the same time, the frontend application itself can also be a reverse proxy, and then there are already two proxies. And most importantly, if there are several frontend applications, it is not known in which of them the user logged in.

Hence the question: for the use cases above, what would you recommend using, or what do you use in production? Or maybe I have misunderstood everything and CAS is actually fine.
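The PGT-based proxy flow the question refers to, as an added example (not code from the original post, and not Jasig CAS itself): an in-memory Python model of the CAS 2.0 proxy-ticket exchange with all three parties, the CAS server, a frontend .war acting as proxy, and the REST API that validates proxy tickets. It goes a little beyond the question by also showing the rejections a practitioner relies on: a replayed ST, a frontend that never saw the login and so holds no PGT, a proxy chain the API does not trust, and a PT minted for another target service. Endpoint names, ticket prefixes (ST-, PGTIOU-, PGT-, PT-) and the out-of-band pgtUrl callback follow the CAS protocol; the hostnames, class names and the `run_flow` driver are assumptions for illustration.

```python
import secrets


class CasServer:  # in-memory model of the CAS server side (not Jasig CAS code)
    def __init__(self):
        self.service_tickets = {}  # ST  -> (user, service it was issued for)
        self.pgts = {}             # PGT -> (user, pgtUrl of the proxying app)
        self.proxy_tickets = {}    # PT  -> (user, targetService, proxy chain)

    def login(self, user, service):  # /cas/login: redirect back with a one-time ST
        st = "ST-" + secrets.token_urlsafe(12)
        self.service_tickets[st] = (user, service)
        return st

    def service_validate(self, service, ticket, pgt_url=None, callback=None):
        # /cas/serviceValidate: the ST is consumed and must match `service`
        entry = self.service_tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return {"ok": False, "code": "INVALID_TICKET"}
        resp = {"ok": True, "user": entry[0]}
        if pgt_url is not None:
            pgt_iou = "PGTIOU-" + secrets.token_urlsafe(12)
            pgt = "PGT-" + secrets.token_urlsafe(12)
            self.pgts[pgt] = (entry[0], pgt_url)
            # The PGT travels out of band: GET pgtUrl?pgtIou=..&pgtId=.. over HTTPS
            # to the proxying app; only the IOU appears in the XML response.
            callback(pgt_iou, pgt)
            resp["pgt_iou"] = pgt_iou
        return resp

    def proxy(self, pgt, target_service):  # /cas/proxy: PGT -> PT for one target
        if pgt not in self.pgts:
            return None
        user, pgt_url = self.pgts[pgt]
        pt = "PT-" + secrets.token_urlsafe(12)
        self.proxy_tickets[pt] = (user, target_service, [pgt_url])
        return pt

    def proxy_validate(self, service, ticket):  # /cas/proxyValidate: consumes the PT
        entry = self.proxy_tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return {"ok": False, "code": "INVALID_TICKET"}
        return {"ok": True, "user": entry[0], "proxies": entry[2]}


class FrontendApp:  # user.war / admin.war: proxies API calls on the user's behalf
    def __init__(self, cas, service_url, pgt_url):
        self.cas, self.service_url, self.pgt_url = cas, service_url, pgt_url
        self.iou_to_pgt = {}  # filled by the CAS callback to pgtUrl
        self.sessions = {}    # user -> PGT; server side only, never sent to the browser

    def pgt_callback(self, pgt_iou, pgt):
        self.iou_to_pgt[pgt_iou] = pgt

    def on_login_return(self, st):  # browser is back from /cas/login with ?ticket=ST-..
        r = self.cas.service_validate(self.service_url, st, self.pgt_url, self.pgt_callback)
        if not r["ok"]:
            return None
        pgt = self.iou_to_pgt.pop(r["pgt_iou"], None)
        if pgt is None:  # callback never arrived: logged in, but unable to proxy
            return None
        self.sessions[r["user"]] = pgt
        return r["user"]

    def call_api(self, user, api):
        pgt = self.sessions.get(user)
        if pgt is None:  # this frontend never saw the user's login, so it has no PGT
            return 401, None
        return api.handle(self.cas.proxy(pgt, api.service_url))


class RestApi:  # rest-api.war: accepts PTs for itself that came via a trusted proxy
    def __init__(self, cas, service_url, trusted_proxies):
        self.cas, self.service_url, self.trusted = cas, service_url, set(trusted_proxies)

    def handle(self, pt):
        r = self.cas.proxy_validate(self.service_url, pt)
        if not r["ok"]:
            return 401, None
        if not set(r["proxies"]) <= self.trusted:
            return 403, None
        return 200, r["user"]


def run_flow():  # drive the exchange end to end and return what each step observed
    cas = CasServer()
    api = RestApi(cas, "https://api.example/rest", {"https://user.example/pgtCallback"})
    user_app = FrontendApp(cas, "https://user.example/", "https://user.example/pgtCallback")
    admin_app = FrontendApp(cas, "https://admin.example/", "https://admin.example/pgtCallback")
    out = {}
    # 1. alice logs in via user.war, which then calls the API with a fresh PT
    st = cas.login("alice", "https://user.example/")
    out["login_user_app"] = user_app.on_login_return(st)
    out["first_call"] = user_app.call_api("alice", api)
    # 2. the consumed ST cannot be validated a second time
    out["st_replay"] = cas.service_validate("https://user.example/", st)["ok"]
    # 3. admin.war never saw alice's login, so it holds no PGT to proxy with
    out["other_frontend"] = admin_app.call_api("alice", api)
    # 4. admin.war logs alice in itself, but its pgtUrl is not on the API's trust list
    out["login_admin_app"] = admin_app.on_login_return(cas.login("alice", "https://admin.example/"))
    out["untrusted_proxy"] = admin_app.call_api("alice", api)
    # 5. a PT minted for a different targetService is refused by the API
    pt = cas.proxy(user_app.sessions["alice"], "https://other.example/")
    out["misdirected_pt"] = api.handle(pt)
    return out
```

`run_flow()` returns the per-step observations. The point the model makes visible: the PGT only ever exists in the proxying frontend's server-side session (CAS delivers it to pgtUrl, never to the browser), so a frontend that is pure JS cannot hold one, and each frontend that wants to call the API needs its own PGT from its own login validation, which is why the question's "which frontend did the user log in at" problem arises.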

  • There are reports that everything works fine, after a bit of tweaking. - Sergey
  • @Sergey Yes, I have already figured out what is going on. It cannot work, because the proxy for frontend access to the REST API has to be written yourself :) Unlike OAuth2, for example, for which there is an API Gateway implementation in Spring Cloud. I think that will be the deciding factor, because Jasig CAS is unstable (caught 2 bugs), overloaded with unnecessary features, and its web UI goes straight into the trash thanks to the developers' "ingenious" decision to pull all the JS libraries from a CDN. Meanwhile an OAuth2 provider can be stood up with Spring Boot in 30 minutes. There is also SAML, true, but it looks like mammoth dung. - enzo
  • Is the keycloak.jboss.org server any good? - Sergey
  • @Sergey Thank you! Yes, good documentation + screencasts + demo + standalone version. I'll have to try playing with it. - enzo