Erik Boesen


Establishing CAS authentication through a mobile app

Using CAS authentication is a challenging part of creating a university-based mobile application. This article aims to describe in detail how to perform CAS authentication in a mobile app, which is not well documented anywhere else or officially supported by CAS.

This guide is written with the Yale University instance of CAS in mind (accessible at https://secure.its.yale.edu/cas), but should be generalizable to other universities and CAS instances.

If you have trouble, or notice an issue with this guide, please let me know!

Authenticating in the browser

Conventionally, a website-based CAS authentication process requires you to redirect from your website to the CAS instance's login page (for example https://secure.its.yale.edu/cas/login). You must include a service URL parameter set to a page on your own website. As an example, if you were hosting a website at https://myapp.com, you would send your user to https://secure.its.yale.edu/cas/login?service=https://myapp.com/login. After the user logs in on the CAS page, they are redirected to the specified service page with an additional ticket parameter (a service ticket, which starts with ST-) added to the URL. Your server picks up this ticket value and sends it, together with the same service URL, to the CAS validation endpoint (https://secure.its.yale.edu/cas/serviceValidate) to obtain XML-formatted information about the NetID of the person who has just logged in. Two points matter for security here: the service value passed to serviceValidate must match the one used on the login redirect exactly, or CAS rejects the ticket, and the validation call must be made from your server, never from the client, because the validated XML response is the only trustworthy source of the NetID. Service tickets are single-use and expire within minutes, so a ticket that leaks after validation is of little value.
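The three URL/XML steps of the browser flow just described, as an added example that is not code from the original post or from any CAS library. It assumes the Yale CAS base URL from the post, a hypothetical service URL https://myapp.com/login, and the CAS 2.0 serviceValidate response format (XML in the http://www.yale.edu/tp/cas namespace) from the CAS protocol specification. The sample responses are constructed so the example runs offline; in a real deployment the response body would come from an HTTPS request to the serviceValidate URL.

```python
"""Added example: the browser-based CAS 2.0 flow as three pure functions.

Assumptions (not from the original post): the service URL https://myapp.com/login
is hypothetical, and the sample XML responses below are constructed in the shape
the CAS protocol specification documents for serviceValidate.
"""
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

CAS_BASE = "https://secure.its.yale.edu/cas"      # from the post
SERVICE_URL = "https://myapp.com/login"           # hypothetical app callback
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}    # CAS 2.0 XML namespace


def login_url(service=SERVICE_URL):
    """Step 1: the URL the user's browser is redirected to."""
    return f"{CAS_BASE}/login?{urlencode({'service': service})}"


def extract_ticket(callback_url):
    """Step 2: CAS redirects back to the service URL with ?ticket=ST-...
    Only accept a service ticket (prefix ST-) so a caller cannot smuggle
    arbitrary strings into the validation request."""
    query = parse_qs(urlparse(callback_url).query)
    ticket = query.get("ticket", [None])[0]
    if not ticket or not ticket.startswith("ST-"):
        raise ValueError("no service ticket in callback URL")
    return ticket


def service_validate_url(ticket, service=SERVICE_URL):
    """Step 3: the server-to-server validation request. The service value
    must be byte-for-byte the one used in login_url, or CAS rejects the ticket."""
    params = {"service": service, "ticket": ticket}
    return f"{CAS_BASE}/serviceValidate?{urlencode(params)}"


def parse_validation_response(xml_text):
    """Parse the serviceValidate response body returned by the CAS server.
    Returns the NetID on success; raises PermissionError when CAS rejects
    the ticket and ValueError on XML that matches neither outcome.
    Call this only on the body the CAS server returned over TLS, never on
    anything supplied by the client."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        if not user:
            raise ValueError("authenticationSuccess without cas:user")
        return user
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        reason = (failure.text or "").strip()
        raise PermissionError(f"CAS rejected ticket: {failure.get('code')} {reason}")
    raise ValueError("unrecognised CAS response")


# Constructed sample responses (not captured from a real server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>abc123</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def demo():
    """Walk the whole flow with the constructed callback URL and response."""
    callback = "https://myapp.com/login?ticket=ST-1856339-aA5Yuvrxzpv8Tau1cYQ7"
    ticket = extract_ticket(callback)
    validate = service_validate_url(ticket)        # your server would GET this
    netid = parse_validation_response(SAMPLE_SUCCESS)
    return login_url(), validate, netid


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The NetID is trusted only because it came out of `parse_validation_response` on the CAS server's own reply; a client that sends you "my NetID is abc123" has proven nothing. Once the NetID is known, your server should issue its own session or token rather than reusing the CAS ticket, which CAS has already consumed.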

Full documentation of using the CAS API in a web context can be found here. Most languages and stacks have an existing library for executing this process, for example Django, Flask, Express, etc. You probably don't need to implement the whole flow yourself.

What makes mobile authentication different?

As you may have noticed, authenticating with CAS in a web browser revolves around redirecting back to a web app you're hosting, which doesn't make much sense if you're building a mobile app: the service URL has to be a page your server hosts, and it's not really possible to encode "go back to my app's previous view" into a URL parameter in this context. So, a more complex solution is necessary.

The solution for this use case involves three main steps. First, the mobile app must display an embedded WebView How to create webview Detect page changing Send data to server Get token (Mention possible edit to flask_cas)