
belenios-discuss - Re: [belenios-discuss] Keycloak CAS fails with 502 error

Subject: Discussion list for Belenios

  • From: Stéphane Glondu <stephane.glondu AT inria.fr>
  • To: Alban Bruder <alban.bruder AT uni-weimar.de>, belenios-discuss AT inria.fr
  • Subject: Re: [belenios-discuss] Keycloak CAS fails with 502 error
  • Date: Tue, 6 Apr 2021 17:26:07 +0200

Hello,

On 06/04/2021 at 15:44, Alban Bruder wrote:
> I am trying to create an election with Belenios and CAS via the
> following Keycloak plugin.
> (https://github.com/jacekkow/keycloak-protocol-cas)
>
> If authentication is successful, the Keycloak endpoint
> https://your.keycloak.host/auth/realms/master/protocol/cas/validate
> returns the response string "yes". However, Belenios terminates with a
> "502 - Bad Gateway" error. The problem occurs in the public demo as well
> as in my private instance. Unfortunately I'm not an OCaml expert but the
> corresponding position in the code should be the following
> (https://gitlab.inria.fr/belenios/belenios/-/blob/master/src/web/web_auth_cas.ml#L97).
>
>
> Does anyone have any idea how we can solve this problem?

Belenios implements the CAS 1.0 protocol:

https://apereo.github.io/cas/5.2.x/protocol/CAS-Protocol-V2-Specification.html#24-validate-cas-10

In the validate endpoint, the response string "yes" should be followed
by (a newline and) the login being authenticated. Is it indeed returned
by your CAS server?

Looking at:

https://github.com/jacekkow/keycloak-protocol-cas/blob/master/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java

it seems that just "yes" is returned. How is one supposed to know who
has been authenticated in this case?


Cheers,

--
Stéphane
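
Added example, not part of the original message and not Belenios or plugin code: a client-side parser for the CAS 1.0 `/validate` body as described in the reply above ("yes", a newline, then the login), which rejects a bare "yes" instead of accepting an authentication with no identity attached. The names `parse_cas1_validate`, `classify` and `CasValidationError` are hypothetical, and the sample bodies are constructed.

```python
class CasValidationError(Exception):
    """The /validate body could not be interpreted as a CAS 1.0 reply."""


def parse_cas1_validate(body: str):
    """Return the authenticated login, or None if the server answered "no".

    Raises CasValidationError when the body is malformed, including the
    bare "yes" (no login line) discussed in this thread.
    """
    # Accept LF or CRLF line endings; keep empty lines so "no\n\n" parses.
    lines = body.replace("\r\n", "\n").split("\n")
    status = lines[0]
    if status == "no":
        return None
    if status != "yes":
        raise CasValidationError(f"unexpected status line: {status!r}")
    # "yes" must be followed by a second line carrying the login.
    login = lines[1].strip() if len(lines) > 1 else ""
    if not login:
        raise CasValidationError('"yes" without a login: identity unknown')
    return login


def classify(body: str) -> str:
    """Summarise how a relying party should treat a /validate body."""
    try:
        login = parse_cas1_validate(body)
    except CasValidationError as exc:
        return f"error: {exc}"
    return f"login={login}" if login is not None else "rejected"


# Constructed sample bodies (not captured from a real server).
SAMPLES = {
    "success with login": "yes\nalice\n",
    "failure": "no\n\n",
    "bare yes (case discussed in the thread)": "yes",
    "yes with empty login line": "yes\n\n",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:42s} -> {classify(body)}")
```
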



