New Symfony 7.1 CAS access token handler seems not to work #57390

benjamin-feron · 2024-06-13T17:31:58Z

benjamin-feron
Jun 13, 2024

Hi,

On this page, it is indicated that "Symfony 7.1 introduces a new CAS 2.0 access token handler".
I can't implement it.

I'm using Symfony 7.1.1 :

bin/console --version
Symfony 7.1.1 (env: dev, debug: true)

security.yaml :

security:
    role_hierarchy:
        ROLE_ADMIN: [ ROLE_USER ]
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            provider: app_user_provider
            access_token:
                token_handler:
                    cas:
                        validation_url: https://auth.domain.tld/cas/validate

    access_control:
        - { path: ^/, roles: ROLE_ADMIN }

https://auth.domain.ltd/cas/validate is actually the real validation URL of my CAS server.

Result is code 401, I'm not redirected to the authentication form of CAS server :

My App\Entity\User entity was just generated with bin/console make:user.
If I disable access control rule, I see the controller response so route is working well.

Maybe I forgot something ?
Can anybody help me ?

MatTheCat · 2024-06-16T08:16:59Z

MatTheCat
Jun 16, 2024

Hello,

never used the cas token handler personally, but from your description it seems you’re simply missing an entry point?

0 replies

diam · 2024-07-10T15:18:16Z

diam
Jul 10, 2024

Hello,

Any new?
I'm also trying to use the new CAS 2.0 access token handler. But I haven't found enough examples!

0 replies

moobyfr · 2024-08-01T14:47:33Z

moobyfr
Aug 1, 2024

I have the same issue. It seems this tokenAuthentication needs more documentation to be used, and perhaps more code to allow easy usage for developers.

0 replies

moobyfr · 2024-08-05T07:11:40Z

moobyfr
Aug 5, 2024

I got the CAS access token working. Not sure it's the intended usage from the original author.
As @MatTheCat commented, the entry point is mandatory: You must define a service implementing AuthenticationEntryPointInterface

Moreover, the configuration is missing also a snippet:

                token_extractors:
                    - security.access_token_extractor.cas

You can find a working demo in my repo (adapt user from users_in_memories, and the CAS URL in the .env):

https://github.com/moobyfr/symfony7-demo-authcas

0 replies

diam · 2024-08-06T18:16:00Z

diam
Aug 6, 2024

Thank you very much @moobyfr for this comprehensive example.

I previously solved my one problem with a custom mixed authentication based on phpCAS.

But your solution is the simplest that can be written for a CAS only authentication,
and should be part of the official documentation.

The symfony example propose two routes:

"/" which en the public page and display a "Lucky Number" link
"/number" the "Lucky Number" page with CAS protection which display a random number

For those who want to try it out, here are the steps.

Download and install the demo from the @moobyfr previous reply

composer install

Update the two server urls in the .env file

CAS_URL="https://cas.domain.tld/cas/"
CAS_VALIDATE_URL="https://cas.domain.tld/cas/serviceValidate"

Il my case, I only had to update the two cas.domain.tld/cas pathes.

Add existing user in config/packages/security.yaml

Then add a new existing login (something jnown bu the CAS server)
in the users_in_memory provider.
(Just duplicate and update the foobar login line).

test with internal Symfony server

symfony serve

But phpCAS also allows you to obtain additional attributes from the CAS server
(for example, firstname, lastname and email) that I don't know how to get
from the symfony server.

0 replies

moobyfr · 2024-08-09T17:05:56Z

moobyfr
Aug 9, 2024

My demo code isn't complete, the logout route is mandatory for easyadmin for example , I have a basic fix for it.

The main problem is a 'while page' problem: when the service URL is redirected to another URL with 302, the authentication is broken.
I'm not even sure if this implementation of the token auth for CAS is usable.

The problem had also happened with my demo application, but I wasn't sure to be able to reproduce it.

Initial access to https://localhost/admin
Redirection to https://cas/login?service=https://localhost/admin
auth cas done
Redirection to https://localhost/admin?ticket=ST... (Auth is OK)
easyadmin redirects with a 302 to /admin?crudAction=index...&ticket=ST-1 -> 401 response

if I access again to the url without the ticket, all is ok

[Web Server ] Aug  9 19:53:58 |INFO   | SERVER GET  (302) /admin ip="127.0.0.1"
[Application] Aug  9 16:53:58 |INFO   | REQUES Matched route "admin". method="GET" request_uri="https://localhost:8000/admin" route="admin" route_parameters={"_controller":"App\\Controller\\Admin\\DashboardController::index","_route":"admin"}
[Application] Aug  9 16:53:58 |DEBUG  | SECURI Checking for authenticator support. authenticators=1 firewall_name="main"
[Application] Aug  9 16:53:58 |DEBUG  | SECURI Checking support on authenticator. authenticator="Symfony\\Component\\Security\\Http\\Authenticator\\AccessTokenAuthenticator"
[Application] Aug  9 16:53:58 |DEBUG  | SECURI Authenticator does not support the request.
[Application] Aug  9 16:53:58 |DEBUG  | SECURI Access denied, the user is not fully authenticated; redirecting to authentication entry point.
[Application] Aug  9 16:53:58 |DEBUG  | SECURI Calling Authentication entry point. entry_point={"App\\Security\\CasAuthenticatorEntryPoint":[]}
[Application] Aug  9 16:54:15 |INFO   | REQUES Matched route "admin". method="GET" request_uri="https://localhost:8000/admin?ticket=ST-165605-iYmOdJG-aJNraX1Mm82xDbx-qOo-ffb331732889" route="admin" route_parameters={"_controller":"App\\Controller\\Admin\\DashboardController::index","_route":"admin"}
[Application] Aug  9 16:54:15 |DEBUG  | SECURI Checking for authenticator support. authenticators=1 firewall_name="main"
[Application] Aug  9 16:54:15 |DEBUG  | SECURI Checking support on authenticator. authenticator="Symfony\\Component\\Security\\Http\\Authenticator\\AccessTokenAuthenticator"
[Web Server ] Aug  9 19:54:15 |INFO   | SERVER GET  (302) /admin?ticket=ST-165605-iYmOdJG-aJNraX1Mm82xDbx-qOo-ffb331732889 ip="127.0.0.1"
[Application] Aug  9 16:54:15 |INFO   | SECURI Authenticator successful! authenticator="Symfony\\Component\\Security\\Http\\Authenticator\\AccessTokenAuthenticator" token={"Symfony\\Component\\Security\\Http\\Authenticator\\Token\\PostAuthenticationToken":"PostAuthenticationToken(user=\"test.blindauer\", roles=\"ROLE_USER\")"}
[Application] Aug  9 16:54:15 |DEBUG  | SECURI Authenticator set no success response: request continues.
[Application] Aug  9 16:54:15 |DEBUG  | SECURI Stored the security token in the session. key="_security_main"
[Application] Aug  9 16:54:15 |INFO   | REQUES Matched route "admin". method="GET" request_uri="https://localhost:8000/admin?crudAction=index&crudControllerFqcn=App%5CController%5CAdmin%5CEventCrudController&ticket=ST-165605-iYmOdJG-aJNraX1Mm82xDbx-qOo-ffb331732889" route="admin" route_parameters={"_controller":"App\\Controller\\Admin\\DashboardController::index","_route":"admin"}
[Application] Aug  9 16:54:15 |DEBUG  | SECURI Read existing security token from the session. key="_security_main" token_class="Symfony\\Component\\Security\\Http\\Authenticator\\Token\\PostAuthenticationToken"
[Application] Aug  9 16:54:15 |DEBUG  | SECURI User was reloaded from a user provider. provider="Symfony\\Component\\Security\\Core\\User\\InMemoryUserProvider" username="test.blindauer"
[Application] Aug  9 16:54:15 |DEBUG  | SECURI Checking for authenticator support. authenticators=1 firewall_name="main"
[Application] Aug  9 16:54:15 |DEBUG  | SECURI Checking support on authenticator. authenticator="Symfony\\Component\\Security\\Http\\Authenticator\\AccessTokenAuthenticator"
[Web Server ] Aug  9 19:54:16 |WARN   | SERVER GET  (401) /admin?crudAction=index&crudControllerFqcn=App%5CController%5CAdmin%5CEventCrudController&ticket=ST-165605-iYmOdJG-aJNraX1Mm82xDbx-qOo-ffb331732889 ip="127.0.0.1"
[Application] Aug  9 16:54:16 |INFO   | SECURI Authenticator failed. authenticator="Symfony\\Component\\Security\\Http\\Authenticator\\AccessTokenAuthenticator"
[Application] Aug  9 16:54:16 |DEBUG  | SECURI The "Symfony\Component\Security\Http\Authenticator\AccessTokenAuthenticator" authenticator set the failure response.
[Application] Aug  9 16:54:16 |DEBUG  | SECURI The "Symfony\Component\Security\Http\Authenticator\AccessTokenAuthenticator" authenticator set the response. Any later authenticator will not be called
[Application] Aug  9 16:54:16 |DEBUG  | SECURI Stored the security token in the session. key="_security_main"

0 replies

benjamin-feron · 2024-08-17T08:24:40Z

benjamin-feron
Aug 17, 2024
Author

Hi,

Thank you all, I'll try this soon !

0 replies

benjamin-feron · 2024-09-19T21:04:38Z

benjamin-feron
Sep 19, 2024
Author

Well, thank you, I finally managed to implement native CAS authentication of Symfony 7.1.

.env :

###> cas ###
CAS_URL="https://auth.domain.tld/cas"
CAS_VALIDATE_PATH="/serviceValidate"
CAS_LOGIN_PATH="/login"
###< cas ###

.env.local :

###> cas ###
CAS_URL="https://my.domain.com/cas"
###< cas ###

services.yaml :

parameters:
    cas_url: '%env(CAS_URL)%'
    cas_validate_url: '%cas_url%%env(CAS_VALIDATE_PATH)%'
    cas_login_url: '%cas_url%%env(CAS_LOGIN_PATH)%'
services:
    security.access_token_extractor.cas:
        class: Symfony\Component\Security\Http\AccessToken\QueryAccessTokenExtractor
        arguments:
            - 'ticket'
    App\Security\CasAuthenticatorEntryPoint:
        arguments:
            $casLoginUrl: '%cas_login_url%'

security.yaml :

security:
    firewalls:
        main:
            pattern: ^/
            provider: app_user_provider
            access_token:
                token_handler:
                    cas:
                        validation_url: '%cas_validate_url%'
                token_extractors:
                    - security.access_token_extractor.cas
            entry_point: App\Security\CasAuthenticatorEntryPoint

CasAuthenticatorEntryPoint.php :

<?php

namespace App\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;

class CasAuthenticatorEntryPoint implements AuthenticationEntryPointInterface
{
    private string $casLoginUrl;

    public function __construct(string $casLoginUrl)
    {
        $this->casLoginUrl = $casLoginUrl;
    }

    public function start(Request $request, AuthenticationException $authException = null): Response
    {
        $redirectUrl = sprintf('%s?service=%s', $this->casLoginUrl, urlencode($request->getUri()));

        return new RedirectResponse($redirectUrl);
    }
}

Authentication works well but once logged in, the CAS ticket is retained in the URI.
To clean the URI I use this workaroud :

CasAuthenticatorListener.php :

<?php

namespace App\Security;

use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\Security\Http\Event\LoginSuccessEvent;

#[AsEventListener(event: LoginSuccessEvent::class, method: 'onLoginSuccessEvent')]
final class CasAuthenticatorListener
{
    public function onLoginSuccessEvent(LoginSuccessEvent $event): void
    {
        $request     = $event->getRequest();
        $scheme      = $request->getScheme();
        $port        = $request->getPort();
        $queryParams = $request->query->all();

        $portString = '';
        if (
            ($scheme === 'http'  && $port !== 80) ||
            ($scheme === 'https' && $port !== 443)
        ) {
            $portString = ':'.$port;
        }

        unset($queryParams['ticket']);
        $queryString = count($queryParams) ? '?'.http_build_query($queryParams) : '';
        
        $uri = sprintf(
            '%s://%s%s%s%s',
            $scheme,
            $request->getHost(),
            $portString,
            $request->getPathInfo(),
            $queryString
        );
        
        $event->setResponse(new RedirectResponse($uri));
    }
}

Thanks again !

0 replies

benjamin-feron · 2024-09-20T07:10:48Z

benjamin-feron
Sep 20, 2024
Author

Simplified version of CasAuthenticatorListener.php :

<?php

namespace App\Security;

use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\Security\Http\Event\LoginSuccessEvent;

#[AsEventListener(event: LoginSuccessEvent::class, method: 'onLoginSuccessEvent')]
final class CasAuthenticatorListener
{
    public function onLoginSuccessEvent(LoginSuccessEvent $event): void
    {
        $request = $event->getRequest();
        
        $request->query->remove('ticket');
        $request->overrideGlobals();

        $event->setResponse(new RedirectResponse($request->getUri()));
    }
}

0 replies

moobyfr · 2024-09-22T07:47:55Z

moobyfr
Sep 22, 2024

I've updated the demo application with your code, thank you!

0 replies

benjamin-feron · 2024-09-23T09:21:43Z

benjamin-feron
Sep 23, 2024
Author

As @diam said, CAS also allows you to obtain additional attributes from the CAS server (for example, firstname, lastname, email, etc.).
My CAS server is configured to pass some attributes but I don't know how to get them.
I've tried methods getAttribute()/getAttributes() of token class from CasAuthenticatorListener.php :

$event->getAuthenticatedToken()->getAttributes()

This array is empty.
Does anyone know how to do it ?

0 replies

benjamin-feron · 2024-09-23T10:16:31Z

benjamin-feron
Sep 23, 2024
Author

- reply to myself -

I successfully retrieve additional attributes from the CAS server with this patch :

vendor/symfony/security-http/AccessToken/Cas/Cas2Handler.php :

    /**
     * @throws AuthenticationException
     */
    public function getUserBadgeFrom(string $accessToken): UserBadge
    {
        $response = $this->client->request('GET', $this->getValidationUrl($accessToken));

        $xml = new \SimpleXMLElement($response->getContent(), 0, false, $this->prefix, true);

        if (isset($xml->authenticationSuccess)) {
            // START PATCH
            // - before -
            // return new UserBadge((string) $xml->authenticationSuccess->user);
            // - after -
            $attributes = isset($xml->authenticationSuccess->attributes) ? (array) $xml->authenticationSuccess->attributes : [];
            return new UserBadge((string) $xml->authenticationSuccess->user, null, $attributes);
            // END PATCH
        }

        if (isset($xml->authenticationFailure)) {
            throw new AuthenticationException('CAS Authentication Failure: '.trim((string) $xml->authenticationFailure));
        }

        throw new AuthenticationException('Invalid CAS response.');
    }

We can now get attributes from listener :
CasAuthenticatorListener.php :

[...]
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
[...]
public function onLoginSuccessEvent(LoginSuccessEvent $event): void
{
    $attributes = $event->getPassport()->getBadge(UserBadge::class)->getAttributes();
    [...]
}

But I don't know if the attributes property of UserBadge class is supposed to contain the CAS attributes...

2 replies

nxtpge Nov 9, 2025

Hello @benjamin-feron. For your information, a pull request similar to your solution is open.

benjamin-feron Nov 10, 2025
Author

Thank you @nxtpge

Uh oh!

New Symfony 7.1 CAS access token handler seems not to work #57390

Uh oh!

Uh oh!

Replies: 12 comments · 2 replies

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

benjamin-feron Aug 17, 2024 Author

Uh oh!

Uh oh!

benjamin-feron Sep 19, 2024 Author

Uh oh!

benjamin-feron Sep 20, 2024 Author

Uh oh!

Uh oh!

Uh oh!

benjamin-feron Sep 23, 2024 Author

Uh oh!

Uh oh!

benjamin-feron Sep 23, 2024 Author

Uh oh!

Uh oh!

Uh oh!

benjamin-feron Nov 10, 2025 Author

Replies: 12 comments 2 replies

benjamin-feron
Aug 17, 2024
Author

benjamin-feron
Sep 19, 2024
Author

benjamin-feron
Sep 20, 2024
Author

benjamin-feron
Sep 23, 2024
Author

benjamin-feron
Sep 23, 2024
Author

benjamin-feron Nov 10, 2025
Author