Different server urls used in initial call and validate #12

Open
robshep opened this issue May 4, 2017 · 2 comments

robshep commented May 4, 2017

Hi,

I can't get a successful login because the "service" parameter is derived differently during the initial handoff and the later backend ticket validation call.

In the first instance, the various configurables are used in the call to
phpCAS::setFixedServiceURL(...)

When the ticket is returned and the library makes a behind-the-scenes call to the CAS server, it doesn't include a call to phpCAS::setFixedServiceURL and derives the service differently.

In my case, dokuwiki is in a docker container behind a reverse proxy, so there are a few things different (e.g. ports, paths, host). phpCAS just attempts to build its URL itself (but would use a configured $url if set previously).

I've attempted to include a call to setFixedServiceURL(...) before the validation process takes place, but the $login_url parameter is derived from dokuwiki's $QUERY global var.

Unfortunately $QUERY isn't set (in doku.php) until after trustExternal is called (where validation is attempted)

I've hit a roadblock in my own patching. Does anyone have any other suggestions or ways to get the same URL used in both places?

phy25 commented Oct 12, 2017

It seems to be very difficult to use the same DokuWiki-standard mechanism in this case. Maybe it's better to adjust the reverse proxy to use the standard HTTP headers to pass the right domain:

https://github.com/apereo/phpCAS/blob/381dfdb4dd99b0cfe126e48ac85646521c61f1ab/source/CAS/Client.php#L3577-L3610
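
An added illustration of the mismatch discussed in this thread (not code from phpCAS, DokuWiki or any commenter): a simplified model of deriving the service URL from the request, showing why the value computed inside the container differs from the one used at login unless the proxy passes forwarding headers. The function name, host names and addresses are constructed, and the model assumes X-Forwarded-* headers should be honoured only when the direct peer is the known proxy.

```php
<?php
// Added example, not phpCAS code: simplified model of service URL derivation.
// Function name, hosts and addresses below are constructed for illustration.
function deriveServiceUrl(array $server, array $trustedProxies): string
{
    // Honour X-Forwarded-* only when the direct peer is the known reverse proxy;
    // otherwise any client could choose the service URL sent to the CAS server.
    $viaProxy = in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true);

    $host  = $server['SERVER_NAME'] ?? 'localhost';
    $port  = (int) ($server['SERVER_PORT'] ?? 80);
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';

    if ($viaProxy && !empty($server['HTTP_X_FORWARDED_HOST'])) {
        // Chained proxies append values; the first entry is the public host.
        $host  = trim(explode(',', $server['HTTP_X_FORWARDED_HOST'])[0]);
        $https = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? 'http') === 'https';
        $port  = (int) ($server['HTTP_X_FORWARDED_PORT'] ?? ($https ? 443 : 80));
    }

    $scheme    = $https ? 'https' : 'http';
    $authority = ($port === ($https ? 443 : 80)) ? $host : "$host:$port";

    // Drop the ticket parameter: the service sent at validation must equal the
    // one sent at login, when no ticket existed yet.
    $uri  = $server['REQUEST_URI'] ?? '/';
    $path = parse_url($uri, PHP_URL_PATH) ?: '/';
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $query);
    unset($query['ticket']);
    $qs = http_build_query($query);

    return "$scheme://$authority$path" . ($qs !== '' ? "?$qs" : '');
}

// Constructed request as seen inside the container (proxy at 172.17.0.1).
$request = [
    'REMOTE_ADDR' => '172.17.0.1', 'SERVER_NAME' => 'dokuwiki', 'SERVER_PORT' => '8080',
    'REQUEST_URI' => '/doku.php?id=start&ticket=ST-constructed',
];
echo 'without forwarding headers: ', deriveServiceUrl($request, ['172.17.0.1']), PHP_EOL;

// Same request once the proxy passes the public host and scheme.
$request += ['HTTP_X_FORWARDED_HOST' => 'wiki.example.org', 'HTTP_X_FORWARDED_PROTO' => 'https'];
echo 'with forwarding headers:    ', deriveServiceUrl($request, ['172.17.0.1']), PHP_EOL;
```

Only the second derived value can match a login-time service of `https://wiki.example.org/doku.php?id=start`; the first reflects the container's internal name and port.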

pleutres commented Jun 12, 2020

Hi,
I think I faced the same problem today.

In auth.php, add the following option to the phpCAS client init:

      // Override the validation endpoint only when the option is configured
      if ($this->_getOption('serviceValidateUrl')) {
        phpCAS::setServerServiceValidateURL($this->_getOption('serviceValidateUrl'));
      }

Then add

$conf['serviceValidateUrl'] = "http://my-internal-ip/cas/validate";

This allows having:

  • a public DNS for CAS login
  • an internal DNS for CAS validation

It could be useful to forward the other phpCAS settings also.
