It also supports custom client properties to be issued as claims for access tokens obtained via client_credentials.
1. Build with `gradle war`.
2. Use the docker-compose bundle at `/docker/castom`:

   ```
   $ cd /docker/castom
   $ docker-compose up
   ```
3. Add a `cas` entry for the cas container to `/etc/hosts`, e.g.:

   ```
   $ docker inspect castom_cas_1 | grep IPAddress
   "SecondaryIPAddresses": null,
   "IPAddress": "",
   "IPAddress": "172.21.0.3",
   $ echo "172.21.0.3 cas" >> /etc/hosts
   ```

   You may need to change this entry after every `docker-compose up`, as the container's address can change.
4. Log in to the management app at http://localhost:8445/cas-management using the default credentials `casuser/Mellon`.
5. Add an OIDC client:
   - The redirect URI can be arbitrary.
   - Use a single space as the JWKS URI.
   - Encryption algorithms do not matter.
   - Add your extra claim as a client property. It will be returned from the userinfo URL (`cas/oidc/profile`).
   - If you want ID tokens to contain the claim as well, add it to `cas.authn.oidc.claims` in `application.yml`, e.g.:

     ```yaml
     cas.authn.oidc.claims: org,sub,name,preferred_username,family_name
     ```
   - Try obtaining tokens via the client_credentials grant, see https://tools.ietf.org/html/rfc6749#section-4.4.
   - You can introspect tokens as described in https://tools.ietf.org/html/rfc7662#section-2 and read userinfo as described in http://openid.net/specs/openid-connect-core-1_0.html#UserInfo (note that http://cas:8080/cas/oidc/.well-known defines the userinfo endpoint to be at `cas/oidc/profile`).
   - Debug ID token claims using https://jwt.io/.
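Added example (not part of this project's code): the client_credentials token request from RFC 6749 section 4.4, the introspection request from RFC 7662 section 2, and a payload-only decode of the resulting JWT to confirm that the custom claim (here `org`, as in the claims line above) is present. Client id, client secret, the endpoint path and the token itself are constructed placeholders; the real endpoints come from http://cas:8080/cas/oidc/.well-known.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders: the real values are the client you registered in cas-management (step 5).
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"
CUSTOM_CLAIM = "org"  # the extra client property, matching the cas.authn.oidc.claims line above


def client_credentials_request(token_endpoint, client_id, client_secret):
    """RFC 6749 section 4.4: POST to the token endpoint with HTTP Basic client
    authentication and grant_type=client_credentials in the form body.
    Returns (url, headers, body) so the request can be sent with any HTTP client."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint, headers, urlencode({"grant_type": "client_credentials"})


def introspection_request(introspection_endpoint, client_id, client_secret, token):
    """RFC 7662 section 2: same client authentication, the token goes in the form body."""
    url, headers, _ = client_credentials_request(introspection_endpoint, client_id, client_secret)
    return url, headers, urlencode({"token": token, "token_type_hint": "access_token"})


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a JWS compact token without verifying the signature.
    Inspection only (what jwt.io does); never make trust decisions on claims read this way."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def has_custom_claim(token, claim=CUSTOM_CLAIM):
    """True when the custom client property made it into the token's claims."""
    return claim in jwt_claims(token)


def constructed_jwt(claims):
    # Builds a token with a dummy signature purely so the decoder can be exercised offline.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummy-signature"


if __name__ == "__main__":
    # Endpoint path is a placeholder: take token_endpoint from http://cas:8080/cas/oidc/.well-known.
    url, headers, body = client_credentials_request("http://cas:8080/cas/oidc/TOKEN_ENDPOINT", CLIENT_ID, CLIENT_SECRET)
    print("POST", url, body, headers["Authorization"])
    token = constructed_jwt({"sub": CLIENT_ID, CUSTOM_CLAIM: "example-org"})
    print(CUSTOM_CLAIM, "present in token:", has_custom_claim(token))
```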
See `docker/prodhttpd` for an example with a dockerized Apache server and `docker/prod` for an example that uses an external Apache server.

- Copy both wars to the `wars` subfolder.
- Run `docker-compose up -d`.
External Apache conf sample (excerpt):

```apache
ProxyPass /cas ajp://localhost:8209/cas
ProxyPassReverse /cas ajp://localhost:8209/cas
ProxyPass /cas-management ajp://localhost:8219/cas-management
ProxyPassReverse /cas-management ajp://localhost:8219/cas-management
```