{"id":22147235,"url":"https://github.com/centerforopenscience/osf-cas","last_synced_at":"2025-07-26T02:31:40.292Z","repository":{"id":37576162,"uuid":"292596988","full_name":"CenterForOpenScience/osf-cas","owner":"CenterForOpenScience","description":"OSF CAS - The Central Authentication and Authorization Service for the OSF","archived":false,"fork":false,"pushed_at":"2024-08-09T17:51:05.000Z","size":1883,"stargazers_count":6,"open_issues_count":0,"forks_count":9,"subscribers_count":10,"default_branch":"develop","last_synced_at":"2024-08-09T23:19:42.444Z","etag":null,"topics":["authentication","authorization","cas","gradle","java","oauth2","overlay","saml2","spring-boot","spring-framework","spring-webflow","sso","sso-authentication","thymeleaf"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CenterForOpenScience.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-09-03T14:42:04.000Z","updated_at":"2024-08-09T16:25:40.000Z","dependencies_parsed_at":"2024-01-04T15:02:47.749Z","dependency_job_id":null,"html_url":"https://github.com/CenterForOpenScience/osf-cas","commit_stats":null,"previous_names":[],"tags_count":35,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CenterForOpenScience%2Fosf-cas","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CenterForOpenScience%2Fosf-cas/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CenterForOpe
nScience%2Fosf-cas/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CenterForOpenScience%2Fosf-cas/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CenterForOpenScience","download_url":"https://codeload.github.com/CenterForOpenScience/osf-cas/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227642219,"owners_count":17797850,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","cas","gradle","java","oauth2","overlay","saml2","spring-boot","spring-framework","spring-webflow","sso","sso-authentication","thymeleaf"],"created_at":"2024-12-01T23:15:33.616Z","updated_at":"2024-12-01T23:15:34.339Z","avatar_url":"https://github.com/CenterForOpenScience.png","language":"Java","readme":"OSF CAS by Center for Open Science\n==================================\n\n`Master` Build Status: **TBI**\n\n`Develop` Build Status: **TBI**\n\nVersioning Scheme: [![CalVer Scheme](https://img.shields.io/badge/calver-YY.MINOR.MICRO-22bfda.svg)](http://calver.org)\n\nLicense: [![License](https://img.shields.io/hexpm/l/plug.svg)](https://github.com/apereo/cas/blob/master/LICENSE)\n\n# About\n\nOSF CAS is the centralized authentication and authorization service for the [OSF](https://osf.io/) and its services such as [OSF Preprints](https://osf.io/preprints/) and [OSF Registries](https://osf.io/registries).\n\n# Features\n\n* OSF username and password login\n* OSF username and verification key login\n* OSF two-factor authentication\n* Delegated 
authentication\n  * OAuth 2.0 client: supports ORCiD login\n  * CAS client: supports institution SSO using the CAS protocol\n  * SAML service provider: supports institution SSO using the SAML protocol\n* OAuth 2.0 authorization server for OSF\n* Authentication failure throttling\n\n# Implementations\n\nThe implementation of OSF CAS is based on [Apereo CAS 6.2.8](https://github.com/apereo/cas/tree/v6.2.8) via [CAS Overlay Template 6.2.x](https://github.com/apereo/cas-overlay-template/tree/6.2). Refer to [CAS Documentation 6.2.x](https://apereo.github.io/cas/6.2.x/) for more details.\n\n## Legacy Implementations\n\nA legacy version can be found at [CAS Overlay](https://github.com/CenterForOpenScience/cas-overlay), which was built on [Jasig CAS 4.1.x](https://github.com/apereo/cas/tree/4.1.x) via [CAS Overlay Template 4.1.x](https://github.com/apereo/cas-overlay-template/tree/4.1).\n\n# Versions\n\n- OSF CAS     [21.2.x](https://github.com/CenterForOpenScience/osf-cas/releases/latest)\n- Apereo CAS  `6.2.8`\n- PostgreSQL  `9.6`\n- JDK         `11`\n\n# Configure, Build and Run OSF CAS\n\nIt is recommended to use the provided scripts to [build](https://github.com/CenterForOpenScience/osf-cas/blob/develop/docker-build.sh) and [run](https://github.com/CenterForOpenScience/osf-cas/blob/develop/docker-run.sh) CAS. Refer to Apereo [README.md](https://github.com/apereo/cas-overlay-template/tree/6.2#cas-overlay-template-) for more options.\n\nUse [`cas.properties`](https://github.com/CenterForOpenScience/osf-cas/blob/develop/etc/cas/config/cas.properties) and [`Dockerfile`](https://github.com/CenterForOpenScience/osf-cas/blob/develop/Dockerfile) to configure staging and production servers. Use [`cas-local.properties`](https://github.com/CenterForOpenScience/osf-cas/blob/develop/etc/cas/config/local/cas-local.properties) and [`Dockerfile-local`](https://github.com/CenterForOpenScience/osf-cas/blob/develop/Dockerfile-local) for local development. 
To accelerate developing OSF CAS, use the [reload](https://github.com/CenterForOpenScience/osf-cas/blob/develop/docker-reload.sh) script to rebuild, reconfigure and restart the running container.\n\n## OSF\n\nOSF CAS requires a working OSF running locally. Refer to OSF [README-docker-compose.md](https://github.com/CenterForOpenScience/osf.io/blob/develop/README-docker-compose.md) for how to set up and run OSF with `docker-compose`. `fakeCAS` must be disabled to free port `8080` for CAS to use.\n\n### OSF DB\n\nMore specifically, CAS requires a running OSF PostgreSQL database to handle authentication for OSF. Use the authentication handler's [JPA settings](https://github.com/CenterForOpenScience/osf-cas/blob/790cac1ac5a19754c67d6ea1f53afc26e1809d23/etc/cas/config/cas.properties#L70-L86) for [`OsfPostgresAuthenticationHandler`](https://github.com/CenterForOpenScience/osf-cas/blob/develop/src/main/java/io/cos/cas/osf/authentication/handler/support/OsfPostgresAuthenticationHandler.java) to connect to and access OSF DB.\n\nHere is an example for local development. Use `192.168.168.167` to access host outside the docker container. Set `readOnly=true` since CAS only needs read-only access ([Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)).\n\n```yaml\n# In `cas.properties` or `cas-local.properties`\n\ncas.authn.osf-postgres.jpa.user=postgres\ncas.authn.osf-postgres.jpa.password=\ncas.authn.osf-postgres.jpa.driver-class=org.postgresql.Driver\ncas.authn.osf-postgres.jpa.url=jdbc:postgresql://192.168.168.167:5432/osf?targetServerType=master\u0026readOnly=true\ncas.authn.osf-postgres.jpa.dialect=io.cos.cas.osf.hibernate.dialect.OsfPostgresDialect\n```\n\n## CAS DB\n\nThe implementation of OSF CAS uses the [JPA Ticket Registry](https://apereo.github.io/cas/6.2.x/ticketing/Configuring-Ticketing-Components.html#ticket-registry) for durable ticket storage and thus requires a relational database. 
Set up a `PostgreSQL@9.6` server and review [JPA Ticket Registry settings](https://github.com/CenterForOpenScience/osf-cas/blob/d0a03b51c9b1ce7795a210223c1ce38d5b2742de/etc/cas/config/cas.properties#L127-L173). In most cases, only [Database connections](https://github.com/CenterForOpenScience/osf-cas/blob/d0a03b51c9b1ce7795a210223c1ce38d5b2742de/etc/cas/config/cas.properties#L139-L143) need to be updated. Other JDBC and JPA settings can be adjusted if necessary.\n\nHere is an example for local development. Use `192.168.168.167` to access host outside the docker container. Use the port `54321` since the default `5432` one has been used by OSF DB. Update `pg_hba.conf` to grant proper access permission depending on the setup.\n\n```yaml\n# In `cas.properties` or `cas-local.properties`\n\ncas.ticket.registry.jpa.user=longzechen\ncas.ticket.registry.jpa.password=\ncas.ticket.registry.jpa.driver-class=org.postgresql.Driver\ncas.ticket.registry.jpa.url=jdbc:postgresql://192.168.168.167:54321/osf-cas?targetServerType=master\ncas.ticket.registry.jpa.dialect=org.hibernate.dialect.PostgreSQL95Dialect\n```\n\n```yaml\n# In `pg_hba.conf`\n\n# TYPE  DATABASE        USER            ADDRESS                 METHOD\nhost    osf-cas         longzechen      192.168.168.167/24      trust\n```\n\n## Signing and Encryption Keys\n\n### CAS Server\n\n* Refer to [signing and encryption 1](https://github.com/CenterForOpenScience/osf-cas/blob/d0a03b51c9b1ce7795a210223c1ce38d5b2742de/etc/cas/config/cas.properties#L175-L190) in `cas.properties` for signing and encrypting client sessions and ticket granting cookies.\n\n### OAuth Server\n\n* Refer to [signing and encryption 2](https://github.com/CenterForOpenScience/osf-cas/blob/d0a03b51c9b1ce7795a210223c1ce38d5b2742de/etc/cas/config/cas.properties#L291-L295) in `cas.properties` for signing and encrypting OAuth 2.0 registered services.\n\n* You can optionally enable OAuth JWT access tokens, which requires [signing and encryption 
3](https://github.com/CenterForOpenScience/osf-cas/blob/d0a03b51c9b1ce7795a210223c1ce38d5b2742de/etc/cas/config/cas.properties#L273-L282) to be configured.\n\n### Auto-generate Key Pairs\n\nSet the above keys to empty values and CAS will generate the key pairs automatically. The keys will be re-generated once the server restarts. Follow the server warning logs for further actions.\n\n## Authentication Delegation\n\n### ORCiD Login\n\nTo enable ORCiD login, update `cas.authn.pac4j.orcid.id` and `cas.authn.pac4j.orcid.secret` [here](https://github.com/CenterForOpenScience/osf-cas/blob/790cac1ac5a19754c67d6ea1f53afc26e1809d23/etc/cas/config/cas.properties#L212-L213) in delegation settings accordingly.\n\nFor local development, set up a developer app at [ORCiD](https://orcid.org/developer-tools) with `http://localhost:8080/login` and `http://192.168.168.167:8080/login` as *redirect URIs*.\n\n### Institution Login\n\n#### SAML / Shibboleth\n\nDetails coming soon ...\n\n#### CAS / Pac4j\n\nDetails coming soon ...\n\n#### `fakeCAS` Login for institution `osftype0` (Local Development Only)\n\nWith OSF CAS running locally as the authentication server for OSF, the previously disabled `fakeCAS` can be re-configured to serve as an identity provider. 
Simply update `fakecas` in OSF's [docker-compose.yaml](https://github.com/CenterForOpenScience/osf.io/blob/dc87c86b2afb7ad4e801b23c6428e3d2169e3e36/docker-compose.yml#L235-L247) to listen on port `8081`.\n\n```\nfakecas:\n  image: quay.io/centerforopenscience/fakecas:master\n  command: fakecas -host=0.0.0.0:8081 -osfhost=localhost:5000 -dbaddress=postgres://postgres@postgres:5432/osf?sslmode=disable\n  restart: unless-stopped\n  ports:\n    - 8081:8081\n  depends_on:\n    - postgres\n  stdin_open: true\n```\n\nRelated `cas.properties` settings can be found [here](https://github.com/CenterForOpenScience/osf-cas/blob/790cac1ac5a19754c67d6ea1f53afc26e1809d23/etc/cas/config/local/cas-local.properties#L192-L235).\n\n```yaml\n# In `cas-local.properties`\n\ncas.authn.osf-postgres.institution-clients[2]=${cas.authn.pac4j.cas[2].client-name}\n\ncas.authn.pac4j.cas[1].login-url=http://192.168.168.167:8081/login\ncas.authn.pac4j.cas[1].client-name=osftype0\ncas.authn.pac4j.cas[1].protocol=CAS30\ncas.authn.pac4j.cas[1].callback-url-type=QUERY_PARAMETER\n```\n\n### OAuth 2.0 Server\n\nDetails coming soon ...\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcenterforopenscience%2Fosf-cas","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcenterforopenscience%2Fosf-cas","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcenterforopenscience%2Fosf-cas/lists"}