On Wed, Mar 18, 2020 at 8:00 PM Graham Leggett <[email protected]> wrote: > > Hi all, > > With support for AJP becoming scarce, there has been a need to get > information from an Apache httpd to a backend server (Tomcat, etc) in a > secure way. > > The following patch introduces two new modules: > > - mod_auth_bearer: This provides bearer authentication, as described in > RFC6750. A token can be received by Apache httpd, and accepted if recognised, > and in addition a token can be generated by httpd, and sent to a backend > server. This allows the details of a digital certificate to be passed > securely to the backend, when the digital certificate has been terminated by > httpd. > > - mod_autht_jwt: RFC6750 does not mandate the type of token used, it can be > anything. One such token supported is JWT, as implemented in mod_autht_jwt. > We can verify incoming JWT tokens, and we can sign outgoing JWT tokens today > using HS256, with more algorithms to come. > > We introduce a new type of auth module: autht for authenticating tokens. A > token can carry usernames, or IP addresses, or any metadata that might > subsequently be used by authn or authz. > > We depend on apr_jose support in apr-util v1.7, which in turn depends on > secure apr_json support, and apr_crypto hashing functions. > > This work (in APR and httpd) has been sponsored by NLNet as part of the > Redwax Project at https://redwax.eu. > > Example configuration to accept a token: > > AuthType bearer > AuthName example-name > AuthBearerProvider jwt > AuthtJwtVerify hs256 file > /Users/minfrin/src/apache/sandbox/proxy/conf/secret > Require valid-user > > Example configuration to send a token to a proxy backend: > > AuthBearerProxy %{JWT_TOKEN} > AuthtJwtClaim set sub %{REMOTE_USER} > AuthtJwtSign hs256 file /Users/minfrin/src/apache/sandbox/proxy/conf/secret > > Work still to be done includes porting this to trunk, as well as documenting > it properly. This will follow.
Neat, have you thought about mod_auth_form in relation to this? Something on my wishlist has been to not put the password in the session / not continue to call the original auth provider.
