mod_auth_tkt for lighttpd
I've been looking for a single-signon method that would work with lighttpd. mod_auth_tkt (http://www.openfusion.com.au/labs/mod_auth_tkt/) is the latest version of a single-signon framework for apache. The ticket creation step can be done by any CGI script (accessing user information in some repository), and the runtime ticket validation (authentication) is performed by the mod_auth_tkt apache module. The ticket can also carry token strings to authorize access to particular resources. Since ticket validation performs calculations (MD5 hashing and string comparisons) rather than file or database access, it would be lightweight.
Is there any interest or activity to provide something like this for lighty? I've been migrating sites from apache to lighttpd, but would need support for mod_auth_tkt or something similar to move others. Using a ticket for authentication and authorization is an appealing idea: no more htpasswd or .htaccess files, and no repository queries from the web server authentication module.
Updated by Anonymous over 11 years ago
Replying to firstname.lastname@example.org:
Is there any interest or activity to provide something like this for lighty?
I'm porting mod_auth_tkt to lighttpd. For now my port correctly checks tickets, renews them and does redirects. Features that are not ported yet include setting and parsing 'back' links, handling guest users and sending tickets as query between web-servers.
Updated by tai over 7 years ago
- Target version set to 1.5.0
I noticed this ticket while looking into mod_auth_tkt for Apache.
While not compatible in data format, "mod_auth_cookie for lighttpd" which I wrote
about a month ago has almost same feature as mod_auth_tkt. It works with 1.5.x, so
anyone who is in need for single sign-on might want to try it.
Updated by gstrauss over 1 year ago
- Description updated (diff)
4b3a91e6 creates an extensible interface for auth backends, so this patch might now be written to integrate with mod_auth, and a custom error page (see server.error-handler config directive) intercept 401 Unauthorized responses to redirect to login page
- Priority changed from Normal to Low
A decade ago, a substantial amount of work went into this contribution. Thank you for that.
Is this module still relevant compared to various single sign-on mechanisms that have emerged since, e.g. SAML and OAuth?
Given that, is there still interest in this module today? lighttpd mod_auth framework has been rewritten and so a fair bit of work would be needed to integrate with the current version of lighttpd.
Also available in: Atom