Hey Bob, i guess the sentence "an afternoon's hacking for a competent Erlanger" means for me about one year work :-D Auth-Token calculation is hmac-sha1 of secret key and username as far as i undestood - i will take a look if that can be done also in nodejs (i guess i will be much faster doing this than learning Erlang ;-)
Thanks again Michael Am 23.02.2012 um 20:28 schrieb Robert Newson: > Michael, the x_ things are the names of http *headers* not query > parameters. What've you missed is that the burden is on the proxy code > to calculate the Auth-Token so that it matches what couchdb would > calculate. > > I've worked on something similar recently. The principal differences > are an endpoint to generate this value for you and to include the > roles in the MAC calculation. I can't currently share the code but I > will seek permission to do so. I don't think it's more than an > afternoon's hacking for a competent Erlanger. > > B. > > On 23 February 2012 19:07, Robert Newson <[email protected]> wrote: >> I certainly see value in being able to delegate authentication to an >> external service. Shouldn't be difficult. >> >> B. >> >> On 23 February 2012 19:02, Michael Ferjancic >> <[email protected]> wrote: >>> Hi Paul, >>> >>> thanks for the quick answer. Exactly that is what i want to do - i would >>> like to use some nodejs-stuff in front to do the authentication and after a >>> successful auth-attempt "trust" the session to couchdb (=create the couch >>> cookie).... >>> >>> Cheers >>> Michael >>> >>> Am 23.02.2012 um 19:54 schrieb Paul Davis: >>> >>>> On Mon, Feb 13, 2012 at 3:02 PM, Michael Ferjancic >>>> <[email protected]> wrote: >>>>> Hi guys, >>>>> >>>>> I have to admit that i am fairly new to this topic, especially new to >>>>> erlang. Currently i am trying to play around with the various >>>>> authentication handlers - goal is to have a working "delegated >>>>> authentication" on facebook, twitter and such. >>>>> >>>>> 1) as far as i understood the oAuth implementation of couchdb is just the >>>>> opposite i need - you can use that to create tokens for couch-users, but >>>>> not to accept twitter accessTokens/secrets and map that to a couch user >>>>> 2) i found exactly what i need in datacouch - authentication against >>>>> twitter with nodejs, and after that getting the plaintext password from a >>>>> private couch and use it with _session-API to create a couch cookie. >>>>> 3) i modified the sample a little bit and used everyauth to handle the >>>>> delegated authentication. I map the userinfos i get from facebook etc. >>>>> against user profiles in a private db, which also contains the user >>>>> passwords (unfortunately still in plaintext). Works perfectly, but..... >>>>> >>>>> Now i am trying to avoid storing the plaintext passwords. I heard about >>>>> to use proxy_authentification_handler, but it seems i am too stupid to >>>>> use it. I made the (as far as i understood) correct entries in >>>>> couch_httpd_auth >>>>> >>>>> couch_httpd_auth auth_cache_size >>>>> 50 >>>>> x >>>>> authentication_db >>>>> _users >>>>> x >>>>> authentication_redirect >>>>> /_utils/session.html >>>>> x >>>>> require_valid_user >>>>> false >>>>> x >>>>> secret >>>>> xxxxxxxxxxxx >>>>> x >>>>> timeout >>>>> 43200 >>>>> x >>>>> x_auth_roles >>>>> roles >>>>> x >>>>> x_auth_token >>>>> token >>>>> x >>>>> x_auth_username >>>>> uname >>>>> >>>>> >>>>> and also in httpd >>>>> httpd allow_jsonp >>>>> true >>>>> x >>>>> authentication_handlers >>>>> {couch_httpd_auth, proxy_authentification_handler},{couch_httpd_auth, >>>>> cookie_authentication_handler}, {couch_httpd_auth, >>>>> default_authentication_handler} >>>>> x >>>>> bind_address >>>>> 127.0.0.1 >>>>> x >>>>> default_handler >>>>> {couch_httpd_db, handle_request} >>>>> x >>>>> port >>>>> 5984 >>>>> x >>>>> secure_rewrites >>>>> false >>>>> x >>>>> vhost_global_handlers >>>>> _utils, _uuids, _session, _oauth, _users >>>>> >>>>> When i now do a GET on >>>>> http://localhost:5984/_utils/config.html?uname=user1&roles=user that >>>>> seems to doesn't lead to anything... >>>>> >>>>> Anybody ever got that thing running? Am i missing something? Or is there >>>>> any chance to implement a custom authentication handler without coding >>>>> erlang? >>>>> >>>>> Thanks for your help >>>>> Michael >>>>> >>>> >>>> I'm not super familiar with this code but AFAIK, the proxy auth module >>>> is for accepting auth done by a proxy (as opposed to proxying auth to >>>> an external service). >>>> >>>> So for instance, nginx could auth requests to some LDAP server and >>>> then couchdb would trust nginx's auth passed forward. Theoretically if >>>> you have your auth stuff working infront of couch you could do the >>>> same thing but I'm not familiar enough to be much more help on that. >>>
