On 19 Mar 2020, at 02:40, Eric Covener <[email protected] 
<mailto:[email protected]>> wrote:

> Neat, have you thought about mod_auth_form in relation to this?
> Something on my wishlist has been to not put the password in the
> session / not continue to call the original auth provider.

Yes - the two modules that will benefit from token support are mod_session 
(which mod_auth_form is just one possible “onramp” to obtain a session token), 
and mod_ssl, where the token is the cert.

There is the addition of the (non backportable, but optional and we can leave 
it out of the backport) check_user() provider function, which allows a user in 
token to be checked if they still exist. The token being verified as valid is 
the “password”, leaving just the request to verify whether the user exists. 
This lets us remove the “the password is set to ‘password’” hack on mod_ssl, 
that makes life difficult if you want to support certs and passwords during a 
transition period, or certs for mobile apps and passwords for the web.

typedef struct {
    /* Given a username and password, expected to return AUTH_GRANTED
     * if we can validate this user/password combination.
     *
     * Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers.
     */
    authn_status (*check_password)(request_rec *r, const char *user,
                                   const char *password);

    /* Given a user and realm, expected to return AUTH_USER_FOUND if we
     * can find a md5 hash of 'user:realm:password'
     *
     * Use with AUTHN_PROVIDER_VERSION / AUTHN_PROVIDER_VERSION1 providers.
     */
    authn_status (*get_realm_hash)(request_rec *r, const char *user,
                                   const char *realm, char **rethash);
        /* Given a username, expected to return AUTH_GRANTED
     * if we can validate this user exists.
     */
    authn_status (*check_user)(request_rec *r, const char *user);

} authn_provider;

The main problem being solved (and the thing that kicked all of this off) was 
that one of the Atlassian products said “we no longer support AJP” which was 
being used to make certs work. We went “eek” and all of this became a thing.

Regards,
Graham
—

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to