Master
Build Status: TBI
Develop
Build Status: TBI
OSF CAS is the centralized authentication and authorization service for the OSF and its services such as OSF Preprints and OSF Registries.
- OSF username and password login
- OSF username and verification key login
- OSF two-factor authentication
- Delegated authentication
- OAuth 2.0 client: supports ORCiD login
- CAS client: supports institution SSO using the CAS protocol
- SAML service provider: supports institution SSO using the SAML protocol
- OAuth 2.0 authorization server for OSF
- Authentication failure throttling
The implementation of OSF CAS is based on Apereo CAS 6.2.8 via CAS Overlay Template 6.2.x. Refer to CAS Documentation 6.2.x for more details.
A legacy version can be found at CAS Overlay, which was built on Jasig CAS 4.1.x via CAS Overlay Template 4.1.x.
- OSF CAS 21.2.x
- Apereo CAS
6.2.8
- PostgreSQL
9.6
- JDK
11
It is recommended to use the provided scripts to build and run CAS. Refer to Apereo README.md for more options.
Use cas.properties
and Dockerfile
to configure staging and production servers. Use cas-local.properties
and Dockerfile-local
for local development. To accelerate developing OSF CAS, use the reload script to rebuild, reconfigure and restart the running container.
OSF CAS requires a working OSF running locally. Refer to OSF README-docker-compose.md for how to set up and run OSF with docker-compose
. Must disable fakeCAS
to free port 8080
for CAS to use.
More specifically, CAS requires a running OSF PostgreSQL database to handle authentication for OSF. Use the authentication handler's JPA settings for OsfPostgresAuthenticationHandler
to connect to and access OSF DB.
Here is an example for local development. Use 192.168.168.167
to access host outside the docker container. Set readOnly=true
since CAS only needs read-only access (Principle of Least Privilege).
# In `cas.properties` or `cas-local.properties`
cas.authn.osf-postgres.jpa.user=postgres
cas.authn.osf-postgres.jpa.password=
cas.authn.osf-postgres.jpa.driver-class=org.postgresql.Driver
cas.authn.osf-postgres.jpa.url=jdbc:postgresql://192.168.168.167:5432/osf?targetServerType=master&readOnly=true
cas.authn.osf-postgres.jpa.dialect=io.cos.cas.osf.hibernate.dialect.OsfPostgresDialect
The implementation of OSF CAS uses the JPA Ticket Registry for durable ticket storage and thus requires a relational database. Set up a PostgreSQL@9.6
server and review JPA Ticket Registry settings. In most cases, only Database connections need to be updated. Other JDBC and JPA settings can be adjusted if necessary.
Here is an example for local development. Use 192.168.168.167
to access host outside the docker container. Use the port 54321
since the default 5432
one has been used by OSF DB. Update pg_hba.conf
to grant proper access permission depending on the setup.
# In `cas.properties` or `cas-local.properties`
cas.ticket.registry.jpa.user=longzechen
cas.ticket.registry.jpa.password=
cas.ticket.registry.jpa.driver-class=org.postgresql.Driver
cas.ticket.registry.jpa.url=jdbc:postgresql://192.168.168.167:54321/osf-cas?targetServerType=master
cas.ticket.registry.jpa.dialect=org.hibernate.dialect.PostgreSQL95Dialect
# In `pg_hba.conf`
# TYPE DATABASE USER ADDRESS METHOD
host osf-cas longzechen 192.168.168.167/24 trust
- Refer to signing and encryption 1 in
cas.properties
for signing and encrypting client sessions and ticket granting cookies.
-
Refer to signing and encryption 2 in
cas.properties
for signing and encrypting OAuth 2.0 registered services. -
You can optionally enable OAuth JWT access tokens, which requires signing and encryption 3 to be configured.
Set empty values to the above keys and CAS will generate the key pairs automatically. The keys will be re-generated once server restarts. Follow the server warning logs for further actions.
To enable ORCiD login, update cas.authn.pac4j.orcid.id
and cas.authn.pac4j.orcid.secret
here in delegation settings accordingly.
For local development, set up a developer app at ORCiD with http://localhost:8080/login
and http://192.168.168.167:8080/login
as redirect URIs.
Details coming soon ...
Details coming soon ...
With OSF CAS running locally as the authentication server for OSF, the previously disabled fakeCAS
can be re-configured to serve as an identity provider. Simply update fakecas
in OSF's docker-compose.yaml to listen on port 8081
.
fakecas:
image: quay.io/centerforopenscience/fakecas:master
command: fakecas -host=0.0.0.0:8081 -osfhost=localhost:5000 -dbaddress=postgres://postgres@postgres:5432/osf?sslmode=disable
restart: unless-stopped
ports:
- 8081:8081
depends_on:
- postgres
stdin_open: true
Related cas.propeties
settings can be found here.
# In `cas-local.properties`
cas.authn.osf-postgres.institution-clients[2]=${cas.authn.pac4j.cas[2].client-name}
cas.authn.pac4j.cas[1].login-url=http://192.168.168.167:8081/login
cas.authn.pac4j.cas[1].client-name=osftype0
cas.authn.pac4j.cas[1].protocol=CAS30
cas.authn.pac4j.cas[1].callback-url-type=QUERY_PARAMETER
Details coming soon ...