On Wed, Mar 18, 2020 at 8:00 PM Graham Leggett <[email protected]> wrote:
>
> Hi all,
>
> With support for AJP becoming scarce, there has been a need to get 
> information from an Apache httpd to a backend server (Tomcat, etc) in a 
> secure way.
>
> The following patch introduces two new modules:
>
> - mod_auth_bearer: This provides bearer authentication, as described in 
> RFC6750. A token can be received by Apache httpd, and accepted if recognised, 
> and in addition a token can be generated by httpd, and sent to a backend 
> server. This allows the details of a digital certificate to be passed 
> securely to the backend, when the digital certificate has been terminated by 
> httpd.
>
> - mod_autht_jwt: RFC6750 does not mandate the type of token used, it can be 
> anything. One such token supported is JWT, as implemented in mod_autht_jwt. 
> We can verify incoming JWT tokens, and we can sign outgoing JWT tokens today 
> using HS256, with more algorithms to come.
>
> We introduce a new type of auth module: autht for authenticating tokens. A 
> token can carry usernames, or IP addresses, or any metadata that might 
> subsequently be used by authn or authz.
>
> We depend on apr_jose support in apr-util v1.7, which in turn depends on 
> secure apr_json support, and apr_crypto hashing functions.
>
> This work (in APR and httpd) has been sponsored by NLNet as part of the 
> Redwax Project at https://redwax.eu.
>
> Example configuration to accept a token:
>
>   AuthType bearer
>   AuthName example-name
>   AuthBearerProvider jwt
>   AuthtJwtVerify hs256 file 
> /Users/minfrin/src/apache/sandbox/proxy/conf/secret
>   Require valid-user
>
> Example configuration to send a token to a proxy backend:
>
>   AuthBearerProxy %{JWT_TOKEN}
>   AuthtJwtClaim set sub %{REMOTE_USER}
>   AuthtJwtSign hs256 file /Users/minfrin/src/apache/sandbox/proxy/conf/secret
>
> Work still to be done includes porting this to trunk, as well as documenting 
> it properly. This will follow.

Neat, have you thought about mod_auth_form in relation to this?
Something on my wishlist has been to not put the password in the
session / not continue to call the original auth provider.

Reply via email to