And it's worth noting that authentication via client side certs is a "standard, reliable, vetted mechanism" that is already layered into Thrift via its support for SSL.
un/pw authentication is typically considered an application layer concern. I've not heard of TLS-SRP until now...that's cool!

On Wed, Sep 25, 2013 at 11:11 AM, Ben Craig <[email protected]> wrote:
> > Does the thrift user have to build all the user authentication into
> > the protocol? It seems like there should be some standard, reliable,
> > vetted mechanism that could be layered into Thrift.
>
> Sending a username and password over an SSL connection is a very common
> pattern. It is difficult for Thrift to do "everything" here, because
> Thrift doesn't have access to whatever the backing database is that stores
> the usernames and passwords.
>
> If you are looking for something that uses the username and password as
> the only forms of authentication (in lieu of certificates), then you
> should investigate TLS-SRP (http://en.wikipedia.org/wiki/TLS-SRP). You
> would likely need to create a new transport class to wrap TLS-SRP.
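The thread's point is that username/password checking belongs to the application, because only the application knows the backing user store; Thrift's job is to carry the credentials over SSL. The example below is added here and is not code from this thread or from the Thrift project. It shows what such an application-layer check looks like on the server side: a salted, iterated password hash, a constant-time comparison, and the same amount of hashing work whether or not the username exists (so response timing does not reveal which accounts are real). The `AuthHandler` class, its `login` method and the in-memory `_USERS` store are assumptions standing in for a generated Thrift service handler and a real database; in a deployment the handler would be served over Thrift's SSL transport (`TSSLServerSocket`) so the password is protected in transit.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the "backing database" the thread says
# Thrift has no access to. Maps username -> (salt, derived hash). Populated by
# enroll(); plaintext passwords are never stored.
_USERS = {}

_ITERATIONS = 200_000
_DIGEST = "sha256"


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated PBKDF2 so a leaked store cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac(_DIGEST, password.encode("utf-8"), salt, _ITERATIONS)


def enroll(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash for this user."""
    salt = os.urandom(16)
    _USERS[username] = (salt, _derive(password, salt))


# Dummy record used when the username is unknown, so a lookup miss performs the
# same hashing work as a real comparison and does not leak account existence
# through timing. The dummy password is a constructed placeholder.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("unused-dummy-password-placeholder", _DUMMY_SALT)


def verify(username: str, password: str) -> bool:
    """Return True only if the user exists and the password matches its hash."""
    salt, expected = _USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    actual = _derive(password, salt)          # always hash, even for unknown users
    matched = hmac.compare_digest(actual, expected)  # constant-time comparison
    return matched and username in _USERS


class AuthHandler:
    """Hypothetical handler for a Thrift service method login(username, password).

    Assumption: it would be wrapped by the generated Processor and served behind
    TSSLServerSocket; Thrift carries the credentials, the application checks them.
    """

    def login(self, username: str, password: str) -> bool:
        return verify(username, password)


if __name__ == "__main__":
    enroll("alice", "correct horse battery staple")
    handler = AuthHandler()
    print(handler.login("alice", "correct horse battery staple"))  # True
    print(handler.login("alice", "wrong password"))                # False
    print(handler.login("nobody", "anything"))                     # False
```

The `verify` function deliberately hashes before checking membership in the store; the `username in _USERS` guard after the comparison is belt-and-braces for the vanishingly unlikely case that a guessed password derives to the dummy hash. The iteration count is a constructed value; tune it to the hardware you run on.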
