Services/Authentication: Difference between revisions

= Configuration =


To use the default authentication setup, you need only configure a user backend.  In your application config file, create an "auth" section like this:


     [auth]
     sqluri = sqlite:////tmp/account.db


By default, the auth framework will interrogate the backend to determine what auth schemes it supports and will load repoze.who plugins for each scheme.


Finer control over the different stages of authentication can be achieved by configuring individual repoze.who plugins.  The configuration syntax matches that of a [http://docs.repoze.org/who/2.0/configuration.html#configuring-repoze-who-via-config-file standalone repoze.who config file], except that it uses dotted section names prefixed with "who".  For example, the following configuration will authenticate against the user backend using *only* digest authentication.


     [who.plugin.digest]
     [who.authenticators]
     plugins = backend



If the client provides valid credentials, the server may include headers in its response to acknowledge the successful authentication.  For example, it may set a session cookie.

= Supported Authentication Schemes =


== Basic ==


HTTP Digest Access Auth, as described in [http://www.ietf.org/rfc/rfc2617.txt RFC 2617].  The credentials dict contains all of the parameters from the Authorization header, along with "request-method" and "content-md5".  This makes the credentials self-contained, so they can be verified by an arbitrary backend that may not have access to the metadata about the request.
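As an added illustration (not code from the wiki or from server-core), the following builds the self-contained credentials dict described above from a Digest Authorization header and verifies it per RFC 2617 using nothing but that dict and the user's password.  The function names and the "content-md5" value format (hex MD5 of the request body, used only for qop=auth-int) are assumptions; nonce freshness and replay checks are the server's job and are not shown.

```python
import hashlib
import hmac
import re


def parse_digest_header(authz: str, request_method: str, content_md5: str) -> dict:
    """Turn a 'Digest ...' Authorization header into a self-contained credentials dict.

    All header parameters are copied as-is; "request-method" and "content-md5" are
    added so a backend can verify the response without seeing the request.
    """
    if not authz.lower().startswith("digest "):
        raise ValueError("not a Digest Authorization header")
    creds = {}
    # Parameters are key="quoted value" or key=token, separated by commas.
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', authz[len("Digest "):]):
        creds[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    creds["request-method"] = request_method
    creds["content-md5"] = content_md5
    return creds


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def verify_digest(creds: dict, password: str) -> bool:
    """Recompute the RFC 2617 response from the credentials dict and compare it."""
    ha1 = _md5(f'{creds["username"]}:{creds["realm"]}:{password}')
    if creds.get("qop") == "auth-int":
        # auth-int covers the body hash, which is why "content-md5" travels with the dict.
        ha2 = _md5(f'{creds["request-method"]}:{creds["uri"]}:{creds["content-md5"]}')
    else:
        ha2 = _md5(f'{creds["request-method"]}:{creds["uri"]}')
    if "qop" in creds:
        expected = _md5(f'{ha1}:{creds["nonce"]}:{creds["nc"]}:{creds["cnonce"]}:{creds["qop"]}:{ha2}')
    else:
        expected = _md5(f'{ha1}:{creds["nonce"]}:{ha2}')
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, creds.get("response", ""))
```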
== SRP-MAC ==
A custom protocol designed to be better than Digest Auth, using the [http://srp.stanford.edu/ Secure Remote Password Protocol].
It is a combination of this SRP-HMAC proposal from bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=356855
and the MAC access protocol for OAuth2: http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token


== BrowserID ==


A custom protocol based on BrowserID/VEP.  The credentials dict contains "username" and "assertion", where "assertion" is a valid browserid assertion.
== Bearer Token ==
Something like signed cookies, for login sessions and the like.
= Implementation Plan =
== User Backend API ==
Change the user backend API to support generic dicts of credentials, and to allow interrogation of the supported auth schemes.
Bug #TODO
== Add repoze.who to server-core ==
Replace the custom Authenticator class in server-core with one based on repoze.who.  It will use a built-in default configuration and look in the config file for overrides.
Bug #TODO
== Add shortcuts to mozsvc ==
Provide the mozsvc.user package to make things easier for pyramid apps.
Bug #TODO
== Add Auth Schemes to Sync Client ==
Patch the sync client in mozilla-central to support different authentication schemes.  Currently targeting just basic and digest.
Bug #TODO
== Add auth schemes to LDAP backend? ==
Make the necessary changes to let the LDAP backend authenticate with different schemes, e.g. digest-auth or browserid.
== Get Rid of LDAP? ==
Replace LDAP with something better that has native support for these various auth schemes.