| Possibilities | Constraints |
|---|---|
| redirect | own the page URL, may lose user interactions |
| window.open + postMessage | user click |
| JSONP | CAS TGC, same domain |
| hidden iframe | CAS TGC, same domain |
Consequence: the server-to-server requests are missing (serviceValidate from the api/app to CAS).
The simplest solution is to protect the SPA HTML pages with the same session cookie used to protect the API.
Session timeout is handled as in a traditional Web application: the user starts again at the current page.
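The "same session cookie" approach above, as an added example that is not part of the original page: one request handler gates both the SPA's HTML and its JSON API behind a single cookie, and performs the server-to-server serviceValidate step that a browser-only flow cannot. The CAS base URL, the cookie name and the `fake_service_validate` stand-in are assumptions for illustration.

```python
# Added example, not the original page's code. CAS_BASE, COOKIE and the
# validator stand-in are assumed placeholders.
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

CAS_BASE = "https://cas.example.org/cas"  # assumed placeholder
COOKIE = "APPSESSION"                      # assumed cookie name
SESSIONS = {}  # session id -> user name (in-memory, for the example only)

def fake_service_validate(ticket, service):
    """Stand-in for the server-to-server GET /serviceValidate call.
    Constructed rule: tickets shaped ST-<n>-<user> are treated as valid."""
    parts = ticket.split("-")
    return parts[2] if len(parts) == 3 and parts[0] == "ST" else None

def handle(url, cookies, validate=fake_service_validate):
    """Return (status, headers, body) for one request to the app/api."""
    parsed = urlparse(url)
    service = f"https://{parsed.netloc}{parsed.path}"  # service URL minus ticket
    query = parse_qs(parsed.query)
    is_api = parsed.path.startswith("/api/")

    # 1. Existing session: the same cookie protects HTML pages and API calls.
    user = SESSIONS.get(cookies.get(COOKIE))
    if user:
        if is_api:
            return 200, {"Content-Type": "application/json"}, f'{{"user": "{user}"}}'
        return 200, {"Content-Type": "text/html"}, "<html>SPA shell</html>"

    # 2. Back from CAS with ?ticket=: validate server-to-server, then set cookie
    #    and redirect to the page the user started at (ticket dropped from URL).
    if "ticket" in query:
        user = validate(query["ticket"][0], service)
        if user is None:
            return 403, {}, "invalid ticket"
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = user
        cookie = f"{COOKIE}={sid}; HttpOnly; Secure; SameSite=Lax"
        return 302, {"Location": service, "Set-Cookie": cookie}, ""

    # 3. No session: API returns 401 (the SPA reloads and is redirected);
    #    HTML pages go to CAS login with the current page as service.
    if is_api:
        return 401, {}, ""
    login = f"{CAS_BASE}/login?{urlencode({'service': service})}"
    return 302, {"Location": login}, ""
```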
The "implicit grant" solution mimics the OAuth2 "implicit grant", which passes the token as a fragment identifier.
Note that it breaks CAS back-channel Single Logout.
NB: prior to CAS 3.4.4 it was possible to do it; getting the ticket in the query part is OK.
You can use JSONP + cookies for read-only APIs, but you will not be protected against CSRF information leakage.