httpd-dev mailing list archives

From Daniel Kahn Gillmor <...@fifthhorseman.net>
Subject how to use authn_provider for password-less authentication within a module ?
Date Mon, 17 Feb 2014 21:09:35 GMT
Hi, i'm trying to revive mod_gnutls and bring it up to date with current
apache module practices, and i'd like to use apache 2.4's mod_auth
framework for user authentication via client-side certificates.  i'm
limiting the scope of this question to authentication because i do not
have a good use case for mod_gnutls for authorization at this point.

It seems like mod_gnutls should use:

 ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, …)

but it's not clear how it should be done.

In particular, the authn_provider struct doesn't seem well-suited to
non-password-based authentication mechanisms.  Should I avoid that part
of the framework altogether, not call ap_register_auth_provider at all,
and just manually set r->user via ap_hook_check_authn(), or should I be
thinking about this a different way?

Looking at the codebase, it looks to me like the authn_provider makes
some basic assumptions that an authentication provider will verify a
username and a password against some source.  This doesn't make sense in
the context of client-certificate-based authentication.  There are other
contexts in which a module could provide authentication (verifying a
given identity, or associating an identity with a given request) without
doing the sort of password authentication that the authn_provider struct
seems to assume.

include/mod_auth.h has:

------------------
typedef enum {
    AUTH_DENIED,
    AUTH_GRANTED,
    AUTH_USER_FOUND,
    AUTH_USER_NOT_FOUND,
    AUTH_GENERAL_ERROR
} authn_status;

/*  [...] */

typedef struct {
    /* Given a username and password, expected to return AUTH_GRANTED
     * if we can validate this user/password combination.
     */
    authn_status (*check_password)(request_rec *r, const char *user,
                                   const char *password);

    /* Given a user and realm, expected to return AUTH_USER_FOUND if we
     * can find a md5 hash of 'user:realm:password'
     */
    authn_status (*get_realm_hash)(request_rec *r, const char *user,
                                   const char *realm, char **rethash);
} authn_provider;
------------------

Any recommendations for how to best think about password-less
AUTHN_PROVIDER_GROUPs, or pointers to documentation that should clear it
up would be welcome.

Regards,

             --dkg
