cas-bundle's Introduction

cas-bundle's People

Contributors

dependabot[bot], drupol, ionbazan, j-ben87, petrduda, samsonradu

cas-bundle's Issues

How to load custom / existing User entities instead of CasUser ?

Hello,

I am adding the bundle to an existing project (Symfony 5.3) with existing users based on the default Symfony user entities.

So far I am able to protect the pages I want with a CAS auth, being redirected to the CAS server and then back to my app with the security token validated. In the Symfony profiler toolbar I can see the user I used on the CAS server as authenticated with the role "ROLE_CAS_AUTHENTICATED".

However my app then fails because I'm using methods to get user preferences ($this->getUser()->getPrefs();) which obviously aren't implemented in the CasUser class (Attempted to call an undefined method named "getTexts" of class "EcPhp\CasBundle\Security\Core\User\CasUser"). The current provider loads my users via their email attribute (and the CAS server I'll use will only return the email when auth is successful).

Is there any way to specify which User entity to load when authentication is ok? And can it be done with some configuration options, or do I need to write a couple of specific files (providers etc...)?

Thank you and thanks for your work : )

Load roles from CAS attribute

How can I load the user roles from a CAS attribute? I'm currently only getting the standard role "ROLE_CAS_AUTHENTICATED".
Thank you for the nice bundle.

Normalize CAS Attributes

Hello @drupol ,

I noticed that you have released a new major version of the bundle, so I wanted to see if the modifications could be easily integrated into our applications.

After a few tweaks (because we're overriding some of your bundle's functionalities), it seems to work.

I have a small question regarding the attributes returned by CAS.

The table returned doesn't seem "normalized".

Example of attributes with version ^2.5:

[
  "mail" => "[email protected]",
  "displayName" => "Toto TOTO",
  // ...
]

Attributes with version ^3.0 :

[
  "mail" => [
     0 => "[email protected]"
  ],
  "displayName" => [
     0 => "Toto TOTO"
  ],
  // ...
]

Is there a method, such as passing a parameter to the login function, to normalize attributes? I could certainly extend my User class or modify the constructor, but I wonder if the CAS library could handle this normalization internally?

Thanks
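One way to do this normalization in the application, as an added example that is not part of the bundle, of cas-lib, or of this thread: it collapses one-element lists to scalars, leaves multi-valued attributes as lists, and (serving the "Load roles from CAS attribute" question above as well) derives roles from an assumed "memberOf" attribute. The attribute name and the sample values are constructed, and array_is_list() needs PHP 8.1.

```php
<?php
// Added example, not code from ecphp/cas-bundle or ecphp/cas-lib.
// Input shape assumed: the ^3.0 attribute arrays shown in the issue, where
// every attribute value is a list. Requires PHP 8.1 for array_is_list().

declare(strict_types=1);

/**
 * Collapse one-element lists to scalars; keep genuinely multi-valued
 * attributes (and anything that is not a plain list) untouched.
 *
 * @param array<string, mixed> $attributes
 * @return array<string, mixed>
 */
function normalizeCasAttributes(array $attributes): array
{
    $normalized = [];

    foreach ($attributes as $name => $value) {
        if (is_array($value) && array_is_list($value) && 1 === count($value)) {
            $value = $value[0];
        }

        $normalized[$name] = $value;
    }

    return $normalized;
}

/**
 * Build Symfony roles from a (possibly multi-valued) attribute while keeping
 * the bundle's default ROLE_CAS_AUTHENTICATED. The "memberOf" attribute name
 * is an assumption; use whatever your CAS server actually releases.
 *
 * @param array<string, mixed> $normalized Output of normalizeCasAttributes()
 * @return list<string>
 */
function rolesFromCasAttributes(array $normalized, string $attribute = 'memberOf'): array
{
    $roles = ['ROLE_CAS_AUTHENTICATED'];

    // After normalization a single group is a string and several groups are
    // a list: the (array) cast handles both shapes uniformly.
    foreach ((array) ($normalized[$attribute] ?? []) as $group) {
        // Reduce the group name to a safe role suffix, e.g. "cas-admins" -> CAS_ADMINS.
        $suffix = strtoupper(trim(preg_replace('/[^A-Za-z0-9]+/', '_', (string) $group), '_'));

        if ('' !== $suffix) {
            $roles[] = 'ROLE_' . $suffix;
        }
    }

    return array_values(array_unique($roles));
}

// Constructed sample mirroring the ^3.0 shape from the issue (values made up).
$raw = [
    'mail'        => ['toto@example.org'],
    'displayName' => ['Toto TOTO'],
    'memberOf'    => ['cas-admins', 'staff'],
];

$normalized = normalizeCasAttributes($raw);
$roles      = rolesFromCasAttributes($normalized);

var_dump($normalized['mail'], $normalized['memberOf'], $roles);
```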

Add a User-Agent header

It would be nice to have a custom User-Agent header when doing requests.

Right now we have the default string: Symfony HttpClient/Curl, but it would be nice to have something like: CasBundleV1/Symfony HttpClient/Curl.

Upgrade to Symfony 7.0

Hello,

I was looking at what's new in Symfony 7 and trying to upgrade a small project on it, and I'm stuck because I'm using your bundle which depends on ^6.1 versions of Symfony bundles.

Nothing urgent, but is an update planned?

Is it possible to use a custom user provider?

Hi, I'm coming back to this after failing to do so with issue #73. I think us being on PHP 7.4 at the time and Symfony 5.4 may have contributed, or I may have misconfigured the security config.

Either way, I successfully have it working now however I'd like to use a custom user provider.

We have a shared bundle across all our internal apps which includes a custom user class giving us access to many of our internal-specific user functionality.

When I used PRayno/casauth-bundle I was able to use its authenticator without using its provider. More recently I just wrapped phpCAS into Symfony and was able to do this, but I'm finding my custom wrapper is occasionally a bit janky.

This bundle is hard-coding the CasUserProvider into the CasAuthenticator.

Sorry if I'm not being clear, short version:
I want to use the CasAuthenticator class, but I want to provide my own User and UserProvider classes.

Is this possible?

Client fetch requests for a secured API route returns 302 redirect when already logged in

Steps required to reproduce the problem

  1. Using a browser fetch (axios, etc) make an API call to a secured route
  2. Secured route redirects to CAS even when the user is already logged in
  3. API call fails

Expected Result

  • If already logged in skip the 302 redirect

Actual Result

  • API call fails

Is every secured route redirected to CAS even when the user is logged in? When making an API call from the browser to a route that is secured it fails because the API call is being redirected to CAS. Is there a workaround for this or is this library not suitable for securing API endpoints?

Symfony 6.0 compatibility

Description

The Guards have been removed in Symfony 6.0.
The CasGuardAuthenticator should be migrated to something like "CasCustomAuthenticator" using the new "custom authenticator".

Expected Result

  • Be compatible with Symfony 6.0 (and 5.4)
  • The new Authenticator should not be "final"; it would be convenient to be able to "extend" it in the code if needed.

Can't install ecphp/cas-bundle due to Cannot autowire service "Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory"

I'm developing a Symfony 5.4 application.

composer require ecphp/cas-bundle loophp/psr-http-message-bridge-bundle

Unfortunately we are stuck on PHP 7.4 at the moment so I can't run the latest version of this bundle which may be fixed. Composer is giving me ecphp/cas-bundle 2.4.2.

"Cannot use ecphp/cas-bundle's latest version 2.5.1 as it requires php >= 8.0.2 which is not satisfied by your platform."

Executing script cache:clear [KO]
 [KO]
Script cache:clear returned with error code 1
!!
!!  In DefinitionErrorExceptionPass.php line 54:
!!
!!    Cannot autowire service "Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory": argument "$serverRequestFactory" of method "__construct()" references interface "Psr\Http\Message\ServerRequestFactoryInterface" but no such service exists. Did you create a class that implements this interface?
!!
Script @auto-scripts was called via post-update-cmd

Sorry I know this isn't a lot of info to go on but is there perhaps a missing dependency?

authenticationFailure with proxy callback

Hi,
I can authenticate using simple cas auth, but the auth with proxy doesn't work.
I have this issue
{"body":"{"serviceResponse":{"authenticationFailure":{"code":"INVALID_PROXY_CALLBACK","description":"The supplied proxy callback url 'https:\/\/localhost:8001\/cas\/proxy\/callback' could not be authenticated. Either 'https:\/\/localhost:8001\/cas\/proxy\/callback' cannot be reached, it is not allowed to exercise proxy authentication."}}}"}
Path of service:

Symfony 5.1 compatibility

In Symfony 5.1, the security and especially the Guard system has been revamped.

Read:

This issue is to keep track of the evolution and compatibility of this package with Symfony 5.1.

I had a conversation with @wouterj on Slack and this is the outcome:

  • Deprecated the custom Guard provided by this package, deprecated in favor of the new system.
  • Both mechanisms will be available until the Guards are removed from Symfony (removed in Symfony 6)

Tag downgrade

Hi,

I was looking at the changes you are currently doing to your bundle,
and I noticed you were tagging on 2.4.* and in December you were on 2.5.*

Is this intentional?

Use of mutation testing in cas-bundle - Help needed

Hello there!

My name is Ana. I noted that you use the mutation testing tool infection in the project.
I am a postdoctoral researcher at the University of Seville (Spain), and my colleagues and I are studying how mutation testing tools are used in practice. With this aim in mind, we have analysed over 3,500 public GitHub repositories using mutation testing tools, including yours! This work has recently been published in a journal paper available at https://link.springer.com/content/pdf/10.1007/s10664-022-10177-8.pdf.

To complete this study, we are asking for your help to understand better how mutation testing is used in practice, please! We would be extremely grateful if you could contribute to this study by answering a brief survey of 21 simple questions (no more than 6 minutes). This is the link to the questionnaire https://forms.gle/FvXNrimWAsJYC1zB9.

Drop me an e-mail if you have any questions or comments ([email protected]). Thank you very much in advance!!

Cannot set an entry point

Hello, I am trying to develop a small web app that should require the user to be connected using the CAS authenticator in order to access protected resources.

However, I don't really understand how to redirect the user to the CAS login page since there is no entry point used in the security.yaml file.
I followed the instructions specified here: https://ecphp-cas-bundle.readthedocs.io/en/latest/pages/installation.html
However, I am not redirected directly to the CAS login page.

Is there a class that acts as an entry point in the bundle or should I create one myself?

My security.yaml file:

security:
    enable_authenticator_manager: true
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            lazy: true
            # provider: users_in_memory
            custom_authenticator:
                - EcPhp\CasBundle\Security\CasAuthenticator
    access_control:
        - { path: ^/securedRessource, role: ROLE_CAS_AUTHENTICATED }
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email

Thank you for the reply.

External EC users can't authenticate

Only internal users of the Commission can be authenticated; when you are an external user (SELF_REGISTERED) you get this response from the EULogin servers:

"response" => "{"serviceResponse":{"authenticationFailure":{"@value":"Invalid user: "n002a0t6" belongs to "SELF_REGISTERED" users while application accepts only "INTERNAL" users or users with higher assurance levels","@attributes":{"code":"INVALID_USER"}},"@attributes":{"server":"EU Login PRODUCTION_GENESIS version 8.0.2.33926 - 07/09/2020 - 15:00","date":"2020-10-06T17:33:05.885+02:00","version":"5.8"}}}"

It looks like we are missing the assuranceLevel parameter to allow such authentication.

Steps required to reproduce the problem

  1. Registered to EULogin with a new user
  2. Authenticate to a symfony app using cas-bundle

Expected Result

Authentication success

Actual Result

Authentication failure

Cas Validation Failed Proxy Authentication

Hi,
I'm using proxy authentication with herokuapp and after the validation of the proxy, I get this error:

[2021-10-25T15:51:25.637162+00:00] http_client.INFO: Response: "200 https://heroku-cas-server.herokuapp.com/cas/p3/proxyValidate?ticket=ST-14-k9SebkLJWwYebTLCeUrJI6qMzX4-44ffe579-5460-458c-a59f-b7bfd1c70940&foo=bar&format=JSON&pgtUrl=https%3A%2F%2Fpreprod-portal.fr%2Fcas%2Fproxy%2Fcallback&service=https%3A%2F%2Fpreprod-portal.fr%2Fhome" [] []
[2021-10-25T15:51:25.638824+00:00] app.DEBUG: Response normalization succeeded. {"body":"{"serviceResponse":{"authenticationSuccess":{"user":"casuser","proxyGrantingTicket":"PGTIOU-14-SC5RWIh77kntu-Xx-EqrsvtPliKIU4entQhA4AlZoGUnB1Q3HcfuyWxBb5Sgvo-mu-Q-44ffe579-5460-458c-a59f-b7bfd1c70940","attributes":{"credentialType":["UsernamePasswordCredential"],"isFromNewLogin":[true],"authenticationDate":[1635172773.733528],"authenticationMethod":["Static Credentials"],"successfulAuthenticationHandlers":["Static Credentials"],"longTermAuthenticationRequestTokenUsed":[false]}}}}"} []
[2021-10-25T15:51:25.640360+00:00] app.ERROR: CAS validation failed: pgtIou not found in the cache. {"pgtIou":"PGTIOU-14-SC5RWIh77kntu-Xx-EqrsvtPliKIU4entQhA4AlZoGUnB1Q3HcfuyWxBb5Sgvo-mu-Q-44ffe579-5460-458c-a59f-b7bfd1c70940"} []
[2021-10-25T15:51:25.641120+00:00] app.ERROR: Unable to authenticate the user.
[] []
[2021-10-25T15:51:25.641987+00:00] security.INFO: Authenticator failed. {"exception":"[object] (Symfony\Component\Security\Core\Exception\AuthenticationException(code: 0): Unable to authenticate the user with such service ticket. at /var/www/vhosts/preprod-portal.fr/git/portal/vendor/ecphp/cas-bundle/src/Security/CasGuardAuthenticator.php:78)","authenticator":"Symfony\Component\Security\Guard\Authenticator\GuardBridgeAuthenticator"} []
[2021-10-25T15:51:25.643019+00:00] security.DEBUG: The "Symfony\Component\Security\Guard\Authenticator\GuardBridgeAuthenticator" authenticator set the failure response. {"authenticator":"Symfony\Component\Security\Guard\Authenticator\GuardBridgeAuthenticator"} []
[2021-10-25T15:51:25.643371+00:00] security.DEBUG: The "Symfony\Component\Security\Guard\Authenticator\GuardBridgeAuthenticator" authenticator set the response. Any later authenticator will not be called {"authenticator":"Symfony\Component\Security\Guard\Authenticator\GuardBridgeAuthenticator"}

Could you help us solve this problem please?

Regards

You are not allowed to define new elements for path "security.firewalls".

hi,

I got an error using this bundle.

Steps required to reproduce the problem

  1. fresh install of symfony (symfony new my_project_name --full)
  2. create one controller
  3. install "ecphp/cas-bundle" following the installation doc
  4. visit the website.

Actual Result

  • HTTP 500 Internal Server Error
    You are not allowed to define new elements for path "security.firewalls". Please define all elements for this path in one config file.


Thanks.

Other provider

Steps required to reproduce the problem

Is there a way to use another provider than the cas provider such as user provider or ldap provider?

providers:
    user_provider:
        entity:
            class: 'App\Entity\User'
            property: username

    main:
        provider: user_provider


Secured route still showing logged in after a /cas/logout

Steps required to reproduce the problem

  1. Visit a secured URL based on access control in security.yaml
  2. Redirected to CAS instance for login
  3. After logging into CAS it is redirected to secured URL (but ONLY if I omit the login/default_parameter/service in cas_bundle.yaml but that's a different issue I'm running into)
  4. Visit the /cas/logout page
  5. Redirected to the logout service route
  6. Visit the secured URL again and the login session is maintained and the user is not redirected to CAS

Expected Result

  • After a logout the user should be redirected to login again when visiting a secured URL

Actual Result

  • The secured URL is shown again after logout - the $this->getUser() still shows the user data after logging out

I could be doing something stupid since this is my first time trying to work with CAS and this library but I can't figure out why a secured URL is not requiring me to login again after visiting the /cas/logout URL.

EDIT:

Just to add it looks like I can invalidate the session myself using the standard Symfony logout and I can then redirect to /cas/logout as a target using something like this in security.yaml:

        main:
            ...
            logout:
                path: app_logout
                target: cas_bundle_logout

Is this the intended use case for logging out or should /cas/logout invalidate the session? Having to do it in the app itself and then redirecting via target to /cas/logout to also log out seems to be a bit clumsy (but it does seem to work).

Symfony version: 5.4
ecphp/cas-bundle: 2.4

Installation issue with Symfony 6.3.

Steps required to reproduce the problem

I'm using Symfony version 6.3 and PHP version 8.2. After installing the bundle, I encountered this error during cache clearing.
I had to downgrade the psr/http-message version to 1.1 in order to be able to install it.

Actual Result

  • !! Cannot autowire service "Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory": argument "$serverRequestFactory" of method "__construct()" references interface "Psr\Http\Message\ServerRequestFactoryInterface" but no such service exists. Did you create a class that implements this interface?

Symfony 6.2 compatibility

Steps required to reproduce the problem

  1. Create a new Symfony project
    symfony new myproject --version="6.2.*" --webapp
  2. Install the bundle
    composer require ecphp/cas-bundle

Result

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - ecphp/cas-bundle[2.5.0, ..., 2.5.4] require ecphp/cas-lib 1.1.* -> satisfiable by ecphp/cas-lib[1.1.0, ..., 1.1.9].
    - ecphp/cas-lib[1.1.0, ..., 1.1.7] require psr/cache ^1.0.1 -> found psr/cache[1.0.1] but the package is fixed to 3.0.0 (lock file version) by a partial update and that version does not match. Make sure you list it as an argument for the update command.
    - ecphp/cas-lib[1.1.8, ..., 1.1.9] require psr/http-factory-implementation ^1 -> could not be found in any version, but the following packages provide it:
      - guzzlehttp/psr7 PSR-7 message implementation that also provides common utility methods
      - nyholm/psr7 A fast PHP7 implementation of PSR-7
      - http-interop/http-factory-guzzle An HTTP Factory using Guzzle PSR7
      - laminas/laminas-diactoros PSR HTTP Message implementations
      - zendframework/zend-diactoros PSR HTTP Message implementations
      - slim/psr7 Strict PSR-7 implementation
      - typo3/cms-core TYPO3 CMS Core
      - tuupola/http-factory Lightweight autodiscovering PSR-17 HTTP factories
      - nimbly/capsule Capsule is a simple PSR-7 HTTP message and PSR-17 HTTP factory implementation.
      - httpsoft/http-message Strict and fast implementation of PSR-7 and PSR-17
      - mileschou/psr The support library for PSR
      - oro/platform Business Application Platform (BAP)
      - sunrise/http-message HTTP message wrapper for PHP 7.4+ based on RFC-7230, PSR-7 and PSR-17
      - php-extended/php-http-message-factory-psr17 An implementation of the psr-17 based on the php-http-message-psr7 library
      - typo3/cms TYPO3 CMS is a free open source Content Management Framework initially created by Kasper Skaarhoj an
      - windwalker/uri Windwalker Uri package
      - bittyphp/http PSR-7 and PSR-17 HTTP implementation.
      - yiisoft/psr-dummy-provider PSR Dummy Provider
      - http-interop/http-factory-diactoros An HTTP Factory using Zend Diactoros
      - sunrise/http-factory HTTP factory for PHP 7.1+ based on PSR-17
      ... and 51 more.
      Consider requiring one of these to satisfy the psr/http-factory-implementation requirement.
    - Root composer.json requires ecphp/cas-bundle ^2.5 -> satisfiable by ecphp/cas-bundle[2.5.0, ..., 2.5.4].

Potential causes:
 - A typo in the package name
 - The package is not available in a stable-enough version according to your minimum-stability setting
   see <https://getcomposer.org/doc/04-schema.md#minimum-stability> for more details.
 - It's a private package and you forgot to add a custom repository to find it

Read <https://getcomposer.org/doc/articles/troubleshooting.md> for further common problems.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

Installation failed, reverting ./composer.json and ./composer.lock to their original content.

Potentially buggy construction of the `Cas` service

Scenario

  • a buggy request is "redirected" to the Symfony\Component\HttpKernel\Controller\ErrorController
  • the kernel handles the subrequest and ends up in the Symfony\Component\HttpKernel\HttpKernel::finishRequest() method where the Request is popped from the RequestStack
  • then the kernel ends up in the Symfony\Component\HttpKernel\HttpKernel::terminate() method where the KernelEvents::TERMINATE event is dispatched
  • during the process, the Symfony\Component\HttpKernel\EventListener\ProfilerListener collects (among others) the "not called listeners"
  • this triggers constructing all listeners which have not been called during the request lifecycle

If for some reason you have registered an EventListener or an EventSubscriber which depends on the EcPhp\CasLib\Cas service, this will trigger an exception because it depends on the Psr\Http\Message\ServerRequestInterface service (1st argument) which is created using a service factory here. But it turns out that this service is injected the symfony.request which is the current request of the RequestStack (see here). And as described in the scenario, in this case the Request has been popped from the RequestStack which means that RequestStack::getCurrentRequest() will return null. Injecting null instead of a Request in the Symfony\Bridge\PsrHttpMessage\HttpMessageFactoryInterface::createRequest() factory method which requires a non nullable Request object as 1st parameter will then trigger an exception.

I believe injecting a Request object directly in a service is discouraged by Symfony because of this kind of scenario. They recommend to inject the RequestStack instead, and get the (current) request at runtime.
Anyway, because the Symfony\Bridge\PsrHttpMessage\HttpMessageFactoryInterface::createRequest() requires a non nullable Request object and the RequestStack::getCurrentRequest() returns a Request or null, it should definitely not be used to provide the request to the mentioned method.

I have to admit that I don't know how to get around that issue, but maybe you will because you definitely know your project better than I do. However I am ready to help if you need.

Steps to reproduce

  • create an event listener:

<?php

namespace App\EventListener;

use EcPhp\CasLib\CasInterface;

final class LogoutListener
{
    public function __construct(private CasInterface $cas)
    {
    }

    public function __invoke(): void
    {
        $this->cas->logout();
    }
}

  • register it:

services:
  App\EventListener\LogoutListener:
    tags: [{ name: 'kernel.event_listener', event: 'Symfony\Component\Security\Http\Event\LogoutEvent', priority: 128 }]

  • check it:

$ bin/console debug:event-dispatcher Symfony\\Component\\Security\\Http\\Event\\LogoutEvent

In PsrHttpFactory.php line 49:

  Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory::createRequest(): Argument #1 ($symfonyRequest) must be of type Symfony\Component\HttpFoundation\Request, null given, called in /app/var/cache/dev/ContainerTUsuQ6W/getCasService.php on line 34
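An added illustration of the RequestStack-based approach the report recommends (not code from ecphp/cas-bundle or ecphp/cas-lib): the PSR-7 request is resolved at call time and the null case is handled explicitly instead of being passed to createRequest(). The CasFactoryInterface that builds a CasInterface from a PSR-7 request is a hypothetical placeholder for however the application wires cas-lib.

```php
<?php
// Added illustration, not code from ecphp/cas-bundle or ecphp/cas-lib.
// Idea: never inject a Request (or a PSR-7 request derived from it) into a
// long-lived service; hold the RequestStack and resolve at call time.

declare(strict_types=1);

namespace App\Cas;

use EcPhp\CasLib\CasInterface;
use Psr\Http\Message\ServerRequestInterface;
use Symfony\Bridge\PsrHttpMessage\HttpMessageFactoryInterface;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Http\Event\LogoutEvent;

/** Hypothetical: whatever builds a CasInterface for a given PSR-7 request. */
interface CasFactoryInterface
{
    public function create(ServerRequestInterface $request): CasInterface;
}

final class CurrentPsrRequestResolver
{
    public function __construct(
        private HttpMessageFactoryInterface $psrFactory,
        private RequestStack $requestStack,
    ) {
    }

    /**
     * The current request as PSR-7, or null when the stack is empty: CLI
     * commands, or the terminate phase after HttpKernel::finishRequest()
     * popped the request, which is when the profiler instantiates listeners
     * that were never called.
     */
    public function resolve(): ?ServerRequestInterface
    {
        $request = $this->requestStack->getCurrentRequest();

        // HttpMessageFactoryInterface::createRequest() is declared with a
        // non-nullable Request parameter, so the null check must happen here.
        return null === $request ? null : $this->psrFactory->createRequest($request);
    }
}

final class LogoutListener
{
    public function __construct(
        private CurrentPsrRequestResolver $resolver,
        private CasFactoryInterface $casFactory,
    ) {
        // Nothing request-dependent is built here, so constructing this
        // listener outside a request (e.g. for profiler collection) is safe.
    }

    public function __invoke(LogoutEvent $event): void
    {
        $psrRequest = $this->resolver->resolve();

        if (null === $psrRequest) {
            return; // no request to log out of; nothing to do
        }

        $this->casFactory->create($psrRequest)->logout();
    }
}
```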
