On Jun 25, 2009, at 10:02 AM, Jan Lehnardt wrote:

Hey Couchers,

I'd like to add OAuth support to CouchDB. In thinking about how to make an oauth_authentication_handler much like Jason's cookie_authentication_handler, I went a little further and looked at how this would fit into a more fine-grained authentication and authorization system for CouchDB.

I'd like to get my work in progress out here to get your feedback and guidance. I'm not married to any of the nomenclature, so feel free to suggest alternatives along the way.

OAuth won't need all of what is outlined here, but it would use the foundations of this system, and I'd like to get that right from the get-go.

Your input is highly appreciated, thanks!
I've been bitten by CouchDB barking when it sees stray credentials when it is sitting behind an Apache httpd proxy. I will eventually have to dive into that to see how to configure CouchDB to ignore credentials when it doesn't need them. Authentication and authorization in CouchDB is one of those things I know I need to get my head around, but I have been able to put it off for now. So all this is just a CouchDB novice's rambling, but here goes:
CouchDB is likely to be used in conjunction with other Apache servers such as httpd or Tomcat, and it would be desirable if CouchDB could adopt identical or similar terminology and the same file formats if possible. For example, consume the output from httpd's htpasswd instead of coming up with a CouchDB-specific tool and password encryption (or the current ini read-and-rewrite approach).

httpd and Tomcat both provide DB-based authentication with multiple backend databases. While it might be nice to use the same backend DBs as the other services, it struck me that we are already on a DB. Maybe another CouchDB database could be accessed, however one that is not exposed on the default port, or possibly not exposed at all after initial configuration?
I haven't read the A&A Wiki for CouchDB recently, but when I did earlier I got the impression that it was dated and suspect.

Links to some A&A in other Apache projects:

http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html
http://httpd.apache.org/docs/2.2/howto/auth.html
http://directory.apache.org/
PS. I would think that you'd also want to have write-only (not read+write+...)
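As an added example that is not part of this thread or of CouchDB's code, the following Python shows what "consuming the output of htpasswd" amounts to for an authentication handler: parsing the `user:hash` lines, recognising the hash scheme by its prefix, and comparing in constant time. The sample file is constructed here; only the `{SHA}` scheme (base64 of SHA-1) is verified, and entries in the `$apr1$` (Apache MD5) or `$2y$` (bcrypt) schemes are recognised but deliberately rejected rather than implemented, so a real handler would still need those algorithms.

```python
import base64
import hashlib
import hmac

# Constructed sample htpasswd file (not from the thread). The "bob" line only
# illustrates the apr1 prefix; its hash is a placeholder, not a valid digest.
SAMPLE_HTPASSWD = """\
# users allowed through the httpd proxy in front of CouchDB
alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
bob:$apr1$PLACEHOLDER_SALT$PLACEHOLDER_HASH
"""


def parse_htpasswd(text):
    """Return {user: stored_hash} from htpasswd-formatted text.

    Blank lines and '#' comments are skipped. Only the first ':' separates the
    user from the hash, so a hash containing ':' survives intact.
    """
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep or not user:
            continue  # malformed line: ignore rather than create an empty user
        users[user] = stored
    return users


def sha_digest(password):
    """Encode a password the way `htpasswd -s` does: '{SHA}' + base64(sha1(pw))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_password(stored, password):
    """Check a candidate password against one stored htpasswd hash.

    Returns True/False for schemes this example implements and raises
    NotImplementedError for schemes it recognises but does not implement.
    """
    if stored.startswith("{SHA}"):
        # compare_digest avoids leaking how many leading characters matched
        return hmac.compare_digest(stored, sha_digest(password))
    if stored.startswith("$apr1$") or stored.startswith("$2y$"):
        raise NotImplementedError("apr1 and bcrypt verification are not implemented in this example")
    return False  # unknown scheme: fail closed


def authenticate(users, user, password):
    """Look up the user and verify the password; any failure is a plain False."""
    stored = users.get(user)
    if stored is None:
        return False
    try:
        return verify_password(stored, password)
    except NotImplementedError:
        return False


if __name__ == "__main__":
    table = parse_htpasswd(SAMPLE_HTPASSWD)
    print(sorted(table))                                  # ['alice', 'bob']
    print(authenticate(table, "alice", "password"))       # True
    print(authenticate(table, "alice", "Password"))       # False
    print(authenticate(table, "bob", "password"))         # False (scheme not implemented)
```

Failing closed on unknown or unimplemented schemes is the important design choice: a handler that treats an unparseable entry as "no password set" would turn a format mismatch into an open door.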