Project

General

Profile

Actions

Feature #426

closed

mod_auth_tkt for lighttpd

Added by Anonymous almost 19 years ago. Updated almost 6 years ago.

Status:
Fixed
Priority:
Low
Category:
mod_auth
Target version:
ASK QUESTIONS IN Forums:

Description

I've been looking for a single-signon method that would work with lighttpd. mod_auth_tkt (http://www.openfusion.com.au/labs/mod_auth_tkt/) is the latest version of a single-signon framework for apache. The ticket creation step can be done by any CGI script (accessing user information in some repository), and the runtime ticket validation (authentication) is performed by the mod_auth_tkt apache module. The ticket can also carry token strings to authorize access to particular resources. Since ticket validation performs calculations (MD5 hashing and string comparisons) rather than file or database access, it would be lightweight.

Is there any interest or activity to provide something like this for lighty? I've been migrating sites from apache to lighttpd, but would need support for mod_auth_tkt or something similar to move others. Using a ticket for authentication and authorization is an appealing idea: no more htpasswd or .htaccess files, and no repository queries from the web server authentication module.

-- bill


Files

mod_auth_tkt.tar.gz (14 KB) mod_auth_tkt.tar.gz Initial version of mod_auth_tkt for lighttpd griph, 2007-12-24 20:22
mod_auth_tkt-0.2.0.tar.gz (14 KB) mod_auth_tkt-0.2.0.tar.gz Corrected installation procedure griph, 2007-12-25 19:14
mod-auth-ticket-for-lighttpd-1.4.52.patch (4.19 KB) mod-auth-ticket-for-lighttpd-1.4.52.patch Buffer patches for mod-auth-ticket. flynn, 2018-12-26 16:05
Actions #1

Updated by Anonymous about 18 years ago

Replying to :

Is there any interest or activity to provide something like this for lighty?

I'm porting mod_auth_tkt to lighttpd. For now my port correctly checks tickets, renews them and does redirects. Features that are not ported yet include setting and parsing 'back' links, handling guest users and sending tickets as query between web-servers.

-- griph

Actions #2

Updated by tai over 14 years ago

  • Target version set to 1.5.0

I noticed this ticket while looking into mod_auth_tkt for Apache.

While not compatible in data format, "mod_auth_cookie for lighttpd" which I wrote
about a month ago has almost same feature as mod_auth_tkt. It works with 1.5.x, so
anyone who is in need for single sign-on might want to try it.

URL is http://github.com/tai/mod_auth_cookie-for-lighttpd .

Actions #3

Updated by gstrauss over 8 years ago

  • Assignee deleted (jan)
Actions #4

Updated by gstrauss over 8 years ago

  • Target version deleted (1.5.0)
Actions #5

Updated by gstrauss over 8 years ago

  • Description updated (diff)

4b3a91e6 creates an extensible interface for auth backends, so this patch might now be written to integrate with mod_auth, and a custom error page (see server.error-handler config directive) intercept 401 Unauthorized responses to redirect to login page

Actions #6

Updated by gstrauss about 7 years ago

  • Priority changed from Normal to Low

A decade ago, a substantial amount of work went into this contribution. Thank you for that.

Is this module still relevant compared to various single sign-on mechanisms that have emerged since, e.g. SAML and OAuth?

Given that, is there still interest in this module today? lighttpd mod_auth framework has been rewritten and so a fair bit of work would be needed to integrate with the current version of lighttpd.

Actions #7

Updated by gstrauss about 7 years ago

  • Status changed from New to Need Feedback
Actions #8

Updated by gstrauss almost 6 years ago

Would anyone use this if it were ported to lighttpd 1.4.53?

Last reference I found (from a quick search) was to https://github.com/tai/mod-auth-ticket-for-lighttpd, last updated 5 years ago.

Actions #9

Updated by flynn almost 6 years ago

Yes, me.

I ported already some parts to the new buffer interface of lighttpd and want to use with gitlab authenticator.

I hope I can make some further tests in a few days, maybe I can provide an example configuration setup for use with gitlab.

Actions #10

Updated by flynn almost 6 years ago

I just provide my current changes to the c-part as diff.

Actions #11

Updated by gstrauss almost 6 years ago

I started looking at mod_auth_tkt and it has some memory leaks.

mod_auth_ticket is different and has unbounded memory use for tickets, and also loses state if the lighttpd server is restarted. I'll see about posting some of my (untested) play patches later -- I largely rewrote it to address the unbounded memory use and inefficient buffer use, but have not looked at changing how the state is stored.

Actions #12

Updated by gstrauss almost 6 years ago

  • Status changed from Need Feedback to Fixed
  • Target version set to 1.4.x

I just posted a real port of Apache mod_auth_tkt to lighttpd: https://github.com/gstrauss/lighttpd-mod_authn_tkt
(currently must be built against lighttpd master, but will compile with lighttpd 1.4.53 once that version is released)

mod_authn_tkt

Note: Apache mod_auth_tkt (https://github.com/gavincarr/mod_auth_tkt)
      is licensed under the Apache License 1.0, which is incompatible
      with numerous common open source licenses, including BSD 3-clause
      license used by lighttpd.  Therefore, this module is not eligible
      for distribution with lighttpd under the BSD 3-clause license.

mod_auth_ticket

There continue to be some pretty big limitations to mod_auth_ticket, even if I posted compilable code to https://github.com/gstrauss/lighttpd-mod_auth_ticket
The lighttpd mod_authn_tkt port of Apache mod_auth_tkt should be preferred (see above).

=== LIMITATIONS ===

NOTE due to these serious limitations, development is unlikely to continue.

Instead, please prefer lighttpd mod_authn_tkt port of Apache mod_auth_tkt:
https://github.com/gstrauss/lighttpd-mod_authn_tkt

  • mod_auth_ticket stores tickets in lighttpd process memory
    • unbounded memory use as new tickets are created, though freed after expire
    • tickets do not survive lighttpd restart
    • tickets are not usable across multiple server instances / machines
  • mod_auth_ticket is not written to refresh cookies before cookie timeout
  • mod_auth_ticket is not written to add expires= to cookie for timeout
  • mod_auth_ticket is not written to use the lighttpd mod_auth framework
Prior version (https://github.com/tai/mod-auth-ticket-for-lighttpd)
  • mod_auth_ticket has unbounded memory use; expired tickets not deleted from mem
  • mod_auth_ticket has inefficient buffer use
Actions

Also available in: Atom