Copyright © 2014 Jan Pazdziora
This text is also available as slides in PDF format.
- The only authentication option in 1996 when HTTP 1.0 came out.
- To remind you what it looked (looks) like:
Status code 401 Unauthorized. It means either
- no authentication was attempted;
- the [login, password] pair supplied with the HTTP request in the Authorization header was wrong.
Basic Authentication: Pros
- Access protection for static content as well.
- Completely handled via HTTP server configuration.
- No logic needed in the content (in CGI).
User identifier can be consumed in CGI scripts via the REMOTE_USER environment variable.
- Similar mechanisms used for other execution frameworks.
- Or dedicated method calls (
- Various authentication providers emerged, including databases and LDAP lookups.
Basic Authentication: Cons
- One 401 status for both "please enter login and password" and "you probably mistyped password" situations.
- Suboptimal UI in browsers: one popup window type, ending loop with Cancel, no logout (forget credentials) functionality.
- Optional authentication hard to achieve.
- Nothing beyond [login, password].
- Digest introduced by HTTP 1.1 did not address either concern.
Authentication in applications
- Basic Authentication was used heavily.
- But developers and users wanted more.
- Especially better control and user experience.
- Codified ex-post, based on real-life implementations in browsers.
- Originally intended for small customizations and user preferences.
Cornerstone of authentication in today's web applications.
- Applications handle logon form POST submissions or other authentication process, including anonymous users.
- Applications create sessions internally; the HTTP response carries the Set-Cookie header with the session identification.
- Cookie sent by browser with each subsequent HTTP request in the
- The authentication decision has moved to applications completely.
- Applications manage their own (DB) schemas of users, groups, roles.
- Who remembers REMOTE_USER? Who needs
- Server's 401 HTTP response contains
- Browser tries to get Kerberos service ticket and use the GSSAPI data in
- No prompting. (But no confirmation either.) Effectively, single-sign-on.
- In Apache supported by mod_auth_kerb, outside of application.
- Application might not have access to the keytab needed to verify the GSSAPI data.
- Application gets the authentication result.
- Cookies still useful — you want to avoid negotiate on each request.
Other authentication mechanisms might need to use credentials and storage that HTTP server (Apache) has access to but the application does not.
- SSL client authentication.
- Security Assertion Markup Language (SAML).
- There can be additional checks of an account's validity (PAM).
- They all might or might not be needed (supported, enabled, configured) in a particular deployment of each web application.
- Is it time to move the authentication decision back in front of the web application?
- Bring back
Overview of existing modules
| Authentication Method | Apache Authentication Module |
|---|---|
| Pure Application Level | None |
| Kerberos SSO (ticket) | mod_auth_kerb |
New life for GSSAPI/Kerberos
- Module mod_auth_gssapi by Simo Sorce.
- Replacement of mod_auth_kerb using only GSSAPI calls.
Original mod_auth_kerb configuration:

```apache
LoadModule auth_kerb_module modules/mod_auth_kerb.so
AuthType Kerberos
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/http.keytab
```

Equivalent mod_auth_gssapi configuration:

```apache
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
AuthType GSSAPI
GssapiCredStore keytab:/etc/http.keytab
```
- Recent MIT krb5 and Apache HTTP server 2.4 needed.
System Security Services Daemon
- Authentication and identity services on operating system level.
- Host-based access control (HBAC) when used with IPA server: users (or user groups), hosts (or host groups) and services (ssh, ftp, sudo, ...) are mixed into rules; sssd can consult IPA to check access.
- IPA is centralized identity, authentication, and authorization provider.
- Other access control schemes possible, depending on the identity source against which sssd is configured.
- pam_sss.so makes sssd services available via PAM.
PAM for Web applications
- Apache module mod_authnz_pam. For 2.2 and 2.4.
- PAM-based authorization of users authenticated by other modules.
```apache
Require pam-account <PAM-service-name>
```

- With pam_sss.so and sssd against IPA, the HBAC check will be done.
- HBAC service name has to match the PAM service name.
- Use any service name you want: crm-prod, wiki-test, intranet, ...
- Especially useful for SSO that should not reach applications.
- Use as Basic Authentication provider also possible:
```apache
AuthBasicProvider PAM
AuthPAMService tlwiki
```
PAM for applications' logon forms
- Provided by Apache server: mod_intercept_form_submit.
1. Logon form submission.
2. Module intercepts the POST HTTP request; PAM auth is run with the [login, password] pair.
3. Authentication passes: the application consumes the authentication result. Authentication fails: the application gets a chance to authenticate internally.
PAM for apps' logon forms (cont'd)
- No 401 status ever.
- The same look of the logon screen, authenticating against central identity provider.
```apache
<Location /app/login>
    InterceptFormLogin user_fld
    InterceptFormPassword passwd_fld
    InterceptFormPAMService <PAM-service-name>
</Location>
```
Additional user information
- Web applications nowadays need more than just login name.
Additional attributes for nice user experience, as well as authorization.
- Email address, full name, phone number, ...
- Group membership.
- For centrally-managed users, these should come from the central identity provider.
- Especially when applications autocreate user records.
- Module mod_lookup_identity uses D-Bus interface of SSSD to retrieve additional data about authenticated users.
Additional user information (cont'd)
Proposing other environment variables beyond
```apache
LookupUserAttr mail REMOTE_USER_EMAIL " "
LookupUserAttr givenname REMOTE_USER_FIRSTNAME
LookupUserAttr sn REMOTE_USER_LASTNAME
LookupOutputGroups REMOTE_USER_GROUPS :
```
External authentication in applications
- Web applications should re-learn to accept
- Some changes to support the external authentication and identity are typically needed in application code.
- The reward is much richer matrix of possible deployments.
- Use of the same HBAC mechanism that enterprises use for OS.
- Django being investigated.
- PAM for access to central authentication provider.
- New variables for additional
- Can we agree on variable names? Less work for application developers.
- By no means should applications drop their existing functionality that served them well; this is merely an additional possibility.
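An added example of the application side (not code from the talk or from the modules themselves): a Python helper that consumes the variables the Apache modules set, assuming the REMOTE_USER_* names and separators from the mod_lookup_identity example on this page and a WSGI/CGI-style environ dict; the sample environ is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Separators must match the mod_lookup_identity directives on this page:
#   LookupUserAttr mail REMOTE_USER_EMAIL " "
#   LookupOutputGroups REMOTE_USER_GROUPS :
EMAIL_SEPARATOR = " "
GROUP_SEPARATOR = ":"

@dataclass
class ExternalIdentity:
    login: str
    emails: List[str]
    first_name: str
    last_name: str
    groups: List[str]

def _split(value: Optional[str], separator: str) -> List[str]:
    # Multi-valued attributes arrive joined by the configured separator;
    # drop empty pieces (unset variable, trailing separator).
    return [v for v in (value or "").split(separator) if v]

def identity_from_environ(environ: Dict[str, str]) -> Optional[ExternalIdentity]:
    # None means the HTTP server did not authenticate the request, so the app
    # gets its chance to authenticate internally. Clients cannot inject
    # REMOTE_USER: their request headers reach CGI/WSGI only as HTTP_* variables.
    login = environ.get("REMOTE_USER")
    if not login:
        return None
    return ExternalIdentity(
        login=login,
        emails=_split(environ.get("REMOTE_USER_EMAIL"), EMAIL_SEPARATOR),
        first_name=environ.get("REMOTE_USER_FIRSTNAME", ""),
        last_name=environ.get("REMOTE_USER_LASTNAME", ""),
        groups=_split(environ.get("REMOTE_USER_GROUPS"), GROUP_SEPARATOR),
    )

def get_or_create_user(users: Dict[str, dict], ident: ExternalIdentity) -> dict:
    # Autocreate or refresh the local record from the central provider's data.
    record = users.setdefault(ident.login, {"login": ident.login})
    record.update(name=f"{ident.first_name} {ident.last_name}".strip(),
                  emails=list(ident.emails), groups=list(ident.groups))
    return record

# Constructed sample environ, as the Apache modules would populate it.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "alice", "REMOTE_USER_GROUPS": "wiki-editors:staff",
    "REMOTE_USER_EMAIL": "alice@example.com alice.smith@example.com",
    "REMOTE_USER_FIRSTNAME": "Alice", "REMOTE_USER_LASTNAME": "Smith",
}
```

Refreshing the record on every request means a group change made centrally (in IPA) takes effect at the next request rather than staying frozen in the local user table.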
Your favorite application or framework not supporting
- While we might not be able to add the feature ourselves, we will be happy to help people.
- Explore the modules, let us know what you think.
- Jan Pazdziora <firstname.lastname@example.org>