On 19 Mar 2020, at 02:40, Eric Covener <[email protected] <mailto:[email protected]>> wrote:
> Neat, have you thought about mod_auth_form in relation to this?
> Something on my wishlist has been to not put the password in the
> session / not continue to call the original auth provider.
Yes - the two modules that will benefit from token support are mod_session
(which mod_auth_form is just one possible “onramp” to obtain a session token),
and mod_ssl, where the token is the cert.
There is the addition of the (non backportable, but optional and we can leave
it out of the backport) check_user() provider function, which allows a user in
token to be checked if they still exist. The token being verified as valid is
the “password”, leaving just the request to verify whether the user exists.
This lets us remove the “the password is set to ‘password’” hack on mod_ssl,
that makes life difficult if you want to support certs and passwords during a
transition period, or certs for mobile apps and passwords for the web.
typedef struct {
/* Given a username and password, expected to return AUTH_GRANTED
* if we can validate this user/password combination.
*
* Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers.
*/
authn_status (*check_password)(request_rec *r, const char *user,
const char *password);
/* Given a user and realm, expected to return AUTH_USER_FOUND if we
* can find a md5 hash of 'user:realm:password'
*
* Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers.
*/
authn_status (*get_realm_hash)(request_rec *r, const char *user,
const char *realm, char **rethash);
/* Given a username, expected to return AUTH_GRANTED
* if we can validate this user exists.
*/
authn_status (*check_user)(request_rec *r, const char *user);
} authn_provider;
The main problem being solved (and the thing that kicked all of this off) was
that one of the Atlassian products said “we no longer support AJP” which was
being used to make certs work. We went “eek” and all of this became a thing.
Regards,
Graham
—
smime.p7s
Description: S/MIME cryptographic signature
