mod_auth_tkt SSO authentication support


pe...@koodaamo.fi

Apr 22, 2016, 3:06:00 AM
to Crossbar
I have a web CMS (Plone) that supports mod_auth_tkt and would like to have Crossbar accept such cookies for authentication.

So how would one support an authentication cookie from an external system in Crossbar? Do I have to write a custom authenticator? There is a shared secret involved so that would have to be added to configuration settings as well, I guess.

See for example http://www.openfusion.com.au/labs/mod_auth_tkt/ for more information, or just google.

FWIW, software libraries are available for various languages for generating and parsing mod_auth_tkt cookies.

Thanks,

 Petri

Tobias Oberstein

Apr 22, 2016, 6:33:27 AM
to cross...@googlegroups.com
Hi Petri,

It'll depend.

Say you have an existing Web application, where the HTML/CSS/JS is
served by Apache, and the user is authenticated there via mod_auth_tkt.

Upon successful authentication, a cookie is set for the origin of the HTML.

Now, say you have Crossbar.io running, and only used for
WAMP(-over-WebSocket).

You can have the JS read the cookie, and then use WAMP-Ticket
authentication, forwarding the cookie value on the WAMP/WebSocket
connection to Crossbar.io.

Then you can have a custom, dynamic authenticator

https://github.com/crossbario/crossbarexamples/tree/master/authentication/ticket/dynamic

that will get the cookie value as the ticket.

That authenticator code (of yours) then will need to check the cookie.

When the cookie value is cryptographically signed in itself, no further
communication is needed.

If it's not (but it should be!), then the authenticator needs to talk to
your actual cookie/auth DB to check.

In the former case (if done right), you _can_ get away without secure
WebSocket. (However, replay attacks!)

In the latter, you MUST use secure WebSocket to make it secure.

But you should use secure WebSocket in general, and always anyway.

Does that help?

Cheers,
/Tobias
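
The check a dynamic authenticator would run on the forwarded ticket in the "signed cookie" case, as an added example that is not part of the thread and not code from Crossbar.io or mod_auth_tkt. The names `verify_ticket`, `make_ticket` and `TicketError` are hypothetical. It assumes the classic MD5 ticket layout (digest, 8 hex digits of timestamp, then `uid!tokens!user_data`), tickets that are not bound to a client IP (`0.0.0.0`), and a cookie value that has already been decoded if it was base64-wrapped.

```python
import hashlib
import hmac
import re
import socket
import struct
import time

_TKT = re.compile(rb"([0-9a-f]{32})([0-9a-f]{8})([^!]*)!(.*)", re.S)


class TicketError(Exception):
    """Ticket is malformed, forged or expired."""


def _digest(secret, ip, ts, uid, tokens, user_data):
    # Classic MD5 layout (assumed): md5(hex(md5(ip+ts+secret+uid\0tokens\0data)) + secret)
    ip_ts = socket.inet_aton(ip) + struct.pack("!I", ts)
    inner = hashlib.md5(ip_ts + secret + uid + b"\0" + tokens + b"\0" + user_data)
    return hashlib.md5(inner.hexdigest().encode() + secret).hexdigest().encode()


def make_ticket(secret, uid, tokens="", user_data="", ip="0.0.0.0", now=None):
    """Issue a ticket; used here only to construct sample input."""
    ts = int(time.time() if now is None else now)
    body = uid + "!" + (tokens + "!" if tokens else "") + user_data
    mac = _digest(secret, ip, ts, uid.encode(), tokens.encode(), user_data.encode())
    return "%s%08x%s" % (mac.decode(), ts, body)


def verify_ticket(secret, ticket, ip="0.0.0.0", max_age=3600, now=None):
    """Return (uid, tokens, user_data) or raise TicketError."""
    try:
        m = _TKT.fullmatch(ticket.encode("utf-8"))
    except UnicodeError:
        m = None
    if m is None:
        raise TicketError("malformed ticket")
    claimed, ts_hex, uid, rest = m.groups()
    ts = int(ts_hex, 16)
    tokens, sep, user_data = rest.partition(b"!")
    if not sep:  # no token field: the remainder is user_data
        tokens, user_data = b"", tokens
    # Check the signature (constant time) before trusting any field.
    if not hmac.compare_digest(_digest(secret, ip, ts, uid, tokens, user_data), claimed):
        raise TicketError("bad signature")
    age = (time.time() if now is None else now) - ts
    if not 0 <= age <= max_age:  # expiry bounds the replay window
        raise TicketError("expired")
    return uid.decode(), [t for t in tokens.decode().split(",") if t], user_data.decode()
```

The signature only proves the ticket was issued by a holder of the shared secret; a captured ticket stays valid until `max_age` runs out, which is the replay exposure on a non-TLS WebSocket.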
