[CONF] Apache Sling Website > OpenID AuthenticationHandler

[confluence]

OpenID AuthenticationHandler Page edited by Felix Meschberger Changes (8) ... * {{extractCredentials}} -- ... * {{requestCredentials}} -- ... * {{dropCredentials}} -- ... h4. extractCredentials h4. requestCredentials If the {{sling:authRequestLogin}} parameter is set to a value other than {{OpenID}} this method immediately returns {{false}}. If the parameter is not set or is set to {{OpenID}} this method continues with first invalidating any cached OpenID credentials (same as {{dropCredentials}} does) and then redirecting the client to the login form configured with the {{openid.login.form}} configuration property. The redirect is provided with up to three request parameters: || Request Parameter || Description || | {{resource}} | The location to which the user initially requested access and that caused the {{requestCredentials}} method to be called. | | {{j_reason}} | The reason why an earlier attempt at authentication with the OpenID authentication handler failed. This request parameter is only set if the same named request attribute has been set by the {{extractCredentials}} or the {{authenticationFailed}} method. The value of the parameter is the name of one of the {{OpenIDFailure}} constants. | | {{j_openid_identity}} | The OpenID identity which could not successfully be associated with an existing JCR user. This request parameter is only set if the {{authenticationFailed}} method has been called due to inability to associate an existing and validated OpenID identity with an existing JCR user. | h4. dropCredentials Invalidates the OpenID identity currently stored with the request. This means to either remove the OpenID cookie or to remove the OpenID information from the HTTP Session. This method does not write to the response (except setting the {{Set-Cookie}} header to remove the OpenID cookie if required) and does not commit the response. h3. AuthenticationHandlerFeedback implementation * {{authenticationFailed}} -- ... * {{authenticationSucceeded}} -- ... h4. authenticationFailed This method is called, if the Credentials provided by the Authentication Handler could not be validated by the Jackrabbit authentication infrastructure. One cause may be that the integration with Jackrabbit has not been completed (see _Integration with Jackrabbit_ below). Another, more probably cause, is that the validated OpenID identifier cannot be associated with an existing JCR user. The OpenID Authentication Handler implementation of the {{authenticationFailed}} method sets the {{j_reason}} request attribute to {{OpenIDFailure.REPOSITORY}} and sets the {{j_openid_identity}} request attribute to the OpenID identity of the authenticated user. A login form provider may wish to act upon this situation and provide a login form to the user to allow to his OpenID identity with an existing JCR user. In addition, the current OpenID identity is invalidated thus the cached OpenID information is removed from the HTTP Session or the OpenID cookie is cleaned. This will allow the user to present a different OpenID identifier to retry or it will require the OpenID identity to be revalidated with the OpenID provider if the identity is associated with a JCR user. h4. authenticationSucceeded The OpenID Authentication Handler implementation of the {{authenticationSucceeded}} method just calls the {{DefaultAuthenticationFeedbackHandler.handleRedirect}} method to redirect the user to the initially requested location. h3. Phase 1: Form Submission ... Full Content OpenID AuthenticationHandler This page is work in progress and not complete yet AuthenticationHandler implementation | AuthenticationHandlerFeedback implementation | Phase 1: Form Submission | Phase 2: Authenticated Requests | Configuration | Integration with Jackrabbit | Security Considerations The OpenID Authentication Handler supports authentication of request users using the OpenID authentication protocol. If the user has successfully authenticated with his OpenID provider a signed OpenID identity is further used to identify the user. Since generally an OpenID identity is an URL and URLs may not be used as JCR user names, an association mechanism is used by the OpenID authentication handler to associate an OpenID identity with an existing JCR user: The OpenID identity URL is set as the value of a JCR user property. When a user authenticates with his OpenID identity the matching user searched for by looking for a match in this property. NOTE: This association currently only works with Jackrabbit (or Jackrabbit based repositories) because user management is not part of the JCR 2 specification and the OpenID authentication handler uses the Jackrabbit UserManager to find users by a user property value. The OpenID Authentication Handler is maintained in the Sling SVN AuthenticationHandler implementation extractCredentials requestCredentials If the sling:authRequestLogin parameter is set to a value other than OpenID this method immediately returns false. If the parameter is not set or is set to OpenID this method continues with first invalidating any cached OpenID credentials (same as dropCredentials does) and then redirecting the client to the login form configured with the openid.login.form configuration property. The redirect is provided with up to three request parameters: Request Parameter Description resource The location to which the user initially requested access and that caused the requestCredentials method to be called. j_reason The reason why an earlier attempt at authentication with the OpenID authentication handler failed. This request parameter is only set if the same named request attribute has been set by the extractCredentials or the authenticationFailed method. The value of the parameter is the name of one of the OpenIDFailure constants. j_openid_identity The OpenID identity which could not successfully be associated with an existing JCR user. This request parameter is only set if the authenticationFailed method has been called due to inability to associate an existing and validated OpenID identity with an existing JCR user. dropCredentials Invalidates the OpenID identity currently stored with the request. This means to either remove the OpenID cookie or to remove the OpenID information from the HTTP Session. This method does not write to the response (except setting the Set-Cookie header to remove the OpenID cookie if required) and does not commit the response. AuthenticationHandlerFeedback implementation authenticationFailed This method is called, if the Credentials provided by the Authentication Handler could not be validated by the Jackrabbit authentication infrastructure. One cause may be that the integration with Jackrabbit has not been completed (see Integration with Jackrabbit below). Another, more probably cause, is that the validated OpenID identifier cannot be associated with an existing JCR user. The OpenID Authentication Handler implementation of the authenticationFailed method sets the j_reason request attribute to OpenIDFailure.REPOSITORY and sets the j_openid_identity request attribute to the OpenID identity of the authenticated user. A login form provider may wish to act upon this situation and provide a login form to the user to allow to his OpenID identity with an existing JCR user. In addition, the current OpenID identity is invalidated thus the cached OpenID information is removed from the HTTP Session or the OpenID cookie is cleaned. This will allow the user to present a different OpenID identifier to retry or it will require the OpenID identity to be revalidated with the OpenID provider if the identity is associated with a JCR user. authenticationSucceeded The OpenID Authentication Handler implementation of the authenticationSucceeded method just calls the DefaultAuthenticationFeedbackHandler.handleRedirect method to redirect the user to the initially requested location. Phase 1: Form Submission The form is rendered by redirecting the client to the URL indicated by the form.login.form configuration parameter. This redirection request may accompanyied by the following parameters: resource – The resource to which the user should be redirected after successful login. This request parameter should be submitted back to the server as the resource parameter. j_reason – This parameter indicates the reason for rendering the login form. If this parameter is set, it is set to the name of any of the OpenIDFailure constants. The login form servlet/script can present the user with an appropriate message. The Form Based Authentication handlers supports the following request parameters submitted by the HTML form: openid_identifier – OpenID Claimed Identifier. This may be any actual OpenID identity URL or the URL of OpenID Provider such as https://www.google.com/accounts/o8/id, https://me.yahoo.com, or https://www.myopenid.com. sling:authRequestLogin – This request parameter is recommended to be set with a hidden field to the value OpenID to ensure the request is handled by the OpenID Authentication Handler. resource – The resource request parameter should be sent back to ensure the user is finally redirected to requested target resource after successful authentication. The OpenID Authentication Handler provides a default login form registered at /system/sling/openid/login. Phase 2: Authenticated Requests Work in progress .... Configuration The OpenID AuthenticationHandler is configured with configuration provided by the OSGi Configuration Admin Service using the org.apache.sling.openidauth.OpenIdAuthenticationHandler service PID. Parameter Default Description path – Repository path for which this authentication handler should be used by Sling. If this is empty, the authentication handler will be disabled. openid.login.form /system/sling/openid/login This should provide a way to capture the user's OpenID identifier. This is not the OpenID Provider's login page, however, it does not have to be a local URL. If it is a local Sling URL, it must be accessible by the anonymous user. The user is HTTP Redirect'ed to this URL. This page should POST back the user's OpenID identifier (as named by the "OpenID identifier form field" property) to the originally requested URL set in the "resource" request parameter. openid.login.identifier openid_identifier The name of the form parameter that provides the user's OpenID identifier. By convention this is openid_identifier. Only change this if you have a very good reason to do so. openid.external.url.prefix – The prefix of URLs generated for the ReturnTo and TrustRoot properties of the OpenID request to the OpenID provider. Thus this URL prefix should bring back the authenticated user to this Sling instance. Configuring this property is usually necessary when running Sling behind a proxy (like Apache) since proxy mapping is not performed on the OpenID ReturnTo and TrustRoot URLs as they are sent to the OpenID Provider as form parameters. If this property is empty, the URLs are generated using the hostname found in the original request. openid.use.cookie true Whether to use a regular Cookie or an HTTP Session to cache the OpenID authentication details. By default a regular cookie is used to prevent use of HTTP Sessions. openid.cookie.domain – Domain of cookie used to persist authentication. This defaults to the host name of the Sling server but may be set to a different value to share the cookie amongst a server farm or if the server is running behind a proxy. Only used if 'Use Cookie' is checked. openid.cookie.name sling.openid Name of cookie used to persist authentication. Only used if 'Use Cookie' is checked. openid.cookie.secret.key secret Secret key used to create a signature of the cookie value to prevent tampering. Only used if 'Use Cookie' is true. openid.user.attr openid.user Name of the JCR SimpleCredentials attribute to to set with the OpenID User data. This attribute is used by the OpenID LoginModule to validate the OpenID user authentication data. openid.property.identity openid.identity The name of the JCR User attribute listing one or more OpenID Identity URLs with which a user is associated. The property may be a multi- or single-valued. To resolve a JCR user ID from an OpenID identity a user is searched who lists the identity in this property. Integration with Jackrabbit The OpenID authentication handler can be integrated in two ways into the Jackrabbit authentication mechanism which is based on JAAS LoginModule. One integration is by means of a LoginModulePlugin which plugs into the extensible LoginModule architecture supported by the Sling Jackrabbit Embedded Repository bundle. The other integration option is the trusted_credentials_attribute mechanism supported by the Jackrabbit DefaultLoginModule. By setting the trusted_credentials_attribute parameter of the Jackrabbit DefaultLoginModule and the openid.user.attr configuration property of the OpenID Authentication Handler to the same value, the existence of an attribute of that name in the SimpleCredentials instance provided to the Repository.login method signals pre-authenticated credentials, which need not be further checked by the DefaultLoginModule. Security Considerations Work in progress .... OpenIDAuthentication has some limitations in terms of security: User name and password are transmitted in plain text in the initial form submission. The Cookie used to provide the authentication state or the HTTP Session ID may be stolen. When using the trusted_credentials_attribute mechanism, any intruder knowing the attribute name may log into the repository as any existing JCR user. The better option is to be based on the LoginModulePlugin mechanism. To prevent eavesdroppers from sniffing the credentials or stealing the Cookie a secure transport layer should be used such as TLS/SSL, VPN or IPSec. Change Notification Preferences View Online | View Changes | Add Comment