Subject: Re: proxy authentication handler
From: Benoit Chesneau
To: user@couchdb.apache.org
Date: Fri, 24 Feb 2012 08:40:20 +0100

On Mon, Feb 13, 2012 at 10:02 PM, Michael Ferjancic wrote:
> Hi guys,
>
> I have to admit that I am fairly new to this topic, especially new to Erlang. Currently I am trying to play around with the various authentication handlers - the goal is to have a working "delegated authentication" on Facebook, Twitter and such.
>
> 1) As far as I understood, the OAuth implementation of CouchDB is just the opposite of what I need - you can use that to create tokens for couch users, but not to accept Twitter access tokens/secrets and map them to a couch user.
> 2) I found exactly what I need in datacouch - authentication against Twitter with nodejs, and after that getting the plaintext password from a private couch and using it with the _session API to create a couch cookie.
> 3) I modified the sample a little bit and used everyauth to handle the delegated authentication. I map the user infos I get from Facebook etc. against user profiles in a private db, which also contains the user passwords (unfortunately still in plaintext). Works perfectly, but.....
>
> Now I am trying to avoid storing the plaintext passwords. I heard about using proxy_authentification_handler, but it seems I am too stupid to use it. I made the (as far as I understood) correct entries in couch_httpd_auth:
>
> [couch_httpd_auth]
> auth_cache_size = 50
> authentication_db = _users
> authentication_redirect = /_utils/session.html
> require_valid_user = false
> secret = xxxxxxxxxxxx
> timeout = 43200
> x_auth_roles = roles
> x_auth_token = token
> x_auth_username = uname
>
> and also in httpd:
>
> [httpd]
> allow_jsonp = true
> authentication_handlers = {couch_httpd_auth, proxy_authentification_handler}, {couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}
> bind_address = 127.0.0.1
> default_handler = {couch_httpd_db, handle_request}
> port = 5984
> secure_rewrites = false
> vhost_global_handlers = _utils, _uuids, _session, _oauth, _users
>
> When I now do a GET on http://localhost:5984/_utils/config.html?uname=user1&roles=user that doesn't seem to lead to anything...
>
> Anybody ever got that thing running? Am I missing something? Or is there any chance to implement a custom authentication handler without coding Erlang?
>
> Thanks for your help
> Michael
>

The proxy_oauth_header is simply a way to pass the credentials of a user from your app to CouchDB. You do that by passing specific headers to CouchDB and the handler creates the userCtx. Header names can be defined in local.ini. By default they are:

* X-Auth-CouchDB-UserName: contains the username (x_auth_username in the couch_httpd_auth section)
* X-Auth-CouchDB-Roles: contains the user roles, a list of roles separated by a comma (x_auth_roles in the couch_httpd_auth section)
* X-Auth-CouchDB-Token: token to authenticate the authorization (x_auth_token in the couch_httpd_auth section). This token is an HMAC-SHA1 created from the secret key and username. The secret key should be the same in the client and the CouchDB node. The secret key is the secret key in the couch_httpd_auth section of the ini. This token is optional if the value of the proxy_use_secret key in the couch_httpd_auth section of the ini isn't true.

Hope it helps.

- benoît