Monday, December 13, 2010

Introducing ClassyCAS

Central authentication has never been so… what’s the word? Ah yes: Classy.


Today we’re proud to announce the first public version of our central authentication system, ClassyCAS.


What is it?


ClassyCAS is a partial[1] implementation of the Central Authentication Service 2.0 protocol for private, centralized authentication spanning multiple client applications. To put it another way: the CAS protocol provides a way to factor out your authentication from your app in a language, server, and framework agnostic way.


Why would I want to use it?


Worrying about authentication in Rails seems… retro, doesn’t it? There was a time when every Rails application installed RESTful Authentication (or, for the really old: LoginGenerator). These were fine at the time, but reliance on generated code made upgrading and customization painful and error-prone.
Today we have robust options like Devise, Warden, and OmniAuth that each bring along modularity and features that allow customization with minimal changes. Problem solved, right?
Well, mostly. Picture this though:

  1. You run multiple instances of your app for different countries. The operational data is country-specific and sharded, but you want to be able to identify users if they log in to any site (especially for global admins).
  2. You support users logging in through Facebook, Twitter, OpenID, etc. (thank you OmniAuth!) but you want to give people the option of creating a private account that doesn’t hook into social networks. Yes, these people do exist…
  3. You run a herd of small applications for an organization. They’re written in many different languages or frameworks and run on different servers and OSes. Your boss tells you he’s tired of logging in every time he moves around.

The problem we’re left with is this: We have distributed systems. We need a private, central place to store authentication data that can act as the authority to say who’s who.


Enter CAS


The CAS protocol has been around for years now. In that time a number of server and client implementations have been developed including the reference Java CAS server and client; the mod_auth_cas Apache client module; clients for PHP, Perl, Python, and .Net; and the RubyCAS server and client. The RubyCAS page is a great place to start to understand CAS.


Now, Enter ClassyCAS


ClassyCAS is a CAS server implementation built on top of Sinatra (hence “classy”, like The Chairman, himself), using Redis as a ticket store, and developed with a highly annotated test suite pulled from the CAS 2.0 spec.
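To make the ticket-handling half of that CAS 2.0 flow concrete, here is an added illustration (not ClassyCAS’s own code) of the /login → /serviceValidate step: a service ticket is minted for one service URL, consumed on first presentation, and rejected if replayed, presented by a different service, or expired. The class and method names, the five-minute TTL, and the in-memory Hash standing in for the Redis ticket store are all assumptions for this example.

```ruby
require 'securerandom'
require 'cgi'

# Service-ticket handling for the CAS 2.0 /login -> /serviceValidate exchange.
# Added illustration, not ClassyCAS code: a Hash stands in for the Redis ticket
# store, and TICKET_TTL is an assumed value (the spec only says "short-lived").
class ServiceTicketStore
  TICKET_TTL = 5 * 60 # seconds a service ticket stays valid (assumed)

  # +clock+ is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @tickets = {}
  end

  # After a successful /login, mint an "ST-..." ticket bound to the service URL
  # the client passed, so it cannot be redeemed by a different application.
  def issue(username, service)
    ticket = "ST-#{SecureRandom.hex(16)}"
    @tickets[ticket] = { user: username, service: service, issued_at: @clock.call }
    ticket
  end

  # /serviceValidate: the ticket is consumed on its first presentation whatever
  # the outcome, must match the service it was issued for, and must be unexpired.
  def validate(ticket, service)
    record = @tickets.delete(ticket)
    return failure('INVALID_TICKET', "ticket #{ticket} not recognized") if record.nil?
    return failure('INVALID_SERVICE', 'ticket was issued for a different service') if record[:service] != service
    return failure('INVALID_TICKET', 'ticket has expired') if @clock.call - record[:issued_at] > TICKET_TTL
    { success: true, user: record[:user] }
  end

  # Render a validate result as the CAS 2.0 XML response body.
  def self.to_xml(result)
    body = if result[:success]
             "<cas:authenticationSuccess><cas:user>#{CGI.escapeHTML(result[:user])}</cas:user></cas:authenticationSuccess>"
           else
             "<cas:authenticationFailure code='#{result[:code]}'>#{CGI.escapeHTML(result[:message])}</cas:authenticationFailure>"
           end
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>#{body}</cas:serviceResponse>"
  end

  private

  def failure(code, message)
    { success: false, code: code, message: message }
  end
end
```

The single-use and service-binding checks are what keep a ticket that leaks from a URL or log line from being redeemed elsewhere, which is why a CAS server’s ticket store, Redis or otherwise, has to enforce them rather than just remember tickets.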


[1] For now we don’t support proxy authentication, mainly because we don’t have a use case for it and couldn’t reasonably test it. Contributions are welcome!
