mod_auth_tkt for lighttpd
I've been looking for a single-signon method that would work with lighttpd. mod_auth_tkt (http://www.openfusion.com.au/labs/mod_auth_tkt/) is the latest version of a single-signon framework for apache. The ticket creation step can be done by any CGI script (accessing user information in some repository), and the runtime ticket validation (authentication) is performed by the mod_auth_tkt apache module. The ticket can also carry token strings to authorize access to particular resources. Since ticket validation performs calculations (MD5 hashing and string comparisons) rather than file or database access, it would be lightweight.
Is there any interest or activity to provide something like this for lighty? I've been migrating sites from apache to lighttpd, but would need support for mod_auth_tkt or something similar to move others. Using a ticket for authentication and authorization is an appealing idea: no more htpasswd or .htaccess files, and no repository queries from the web server authentication module.
Updated by Anonymous over 12 years ago
Replying to firstname.lastname@example.org:
Is there any interest or activity to provide something like this for lighty?
I'm porting mod_auth_tkt to lighttpd. For now my port correctly checks tickets, renews them and does redirects. Features that are not ported yet include setting and parsing 'back' links, handling guest users and sending tickets as query between web-servers.
Updated by tai almost 9 years ago
- Target version set to 1.5.0
I noticed this ticket while looking into mod_auth_tkt for Apache.
While not compatible in data format, "mod_auth_cookie for lighttpd", which I wrote
about a month ago, has almost the same features as mod_auth_tkt. It works with 1.5.x, so
anyone who is in need of single sign-on might want to try it.
Updated by gstrauss almost 3 years ago
- Description updated (diff)
4b3a91e6 creates an extensible interface for auth backends, so this patch might now be written to integrate with mod_auth, and a custom error page (see the server.error-handler config directive) might intercept 401 Unauthorized responses to redirect to a login page.
Updated by gstrauss over 1 year ago
- Priority changed from Normal to Low
A decade ago, a substantial amount of work went into this contribution. Thank you for that.
Is this module still relevant compared to various single sign-on mechanisms that have emerged since, e.g. SAML and OAuth?
Given that, is there still interest in this module today? lighttpd mod_auth framework has been rewritten and so a fair bit of work would be needed to integrate with the current version of lighttpd.
Would anyone use this if it were ported to lighttpd 1.4.53?
Last reference I found (from a quick search) was to https://github.com/tai/mod-auth-ticket-for-lighttpd, last updated 5 years ago.
I started looking at mod_auth_tkt and it has some memory leaks.
mod_auth_ticket is different and has unbounded memory use for tickets, and also loses state if the lighttpd server is restarted. I'll see about posting some of my (untested) play patches later -- I largely rewrote it to address the unbounded memory use and inefficient buffer use, but have not looked at changing how the state is stored.
- Status changed from Need Feedback to Fixed
- Target version set to 1.4.x
I just posted a real port of Apache mod_auth_tkt to lighttpd: https://github.com/gstrauss/lighttpd-mod_authn_tkt
(currently must be built against lighttpd master, but will compile with lighttpd 1.4.53 once that version is released)
Note: Apache mod_auth_tkt (https://github.com/gavincarr/mod_auth_tkt) is licensed under the Apache License 1.0, which is incompatible with numerous common open source licenses, including BSD 3-clause license used by lighttpd. Therefore, this module is not eligible for distribution with lighttpd under the BSD 3-clause license.
There continue to be some pretty big limitations to mod_auth_ticket, even if I posted compilable code to https://github.com/gstrauss/lighttpd-mod_auth_ticket
The lighttpd mod_authn_tkt port of Apache mod_auth_tkt should be preferred (see above).
=== LIMITATIONS ===
NOTE due to these serious limitations, development is unlikely to continue.
Instead, please prefer lighttpd mod_authn_tkt port of Apache mod_auth_tkt:
- mod_auth_ticket stores tickets in lighttpd process memory
- unbounded memory use as new tickets are created, though freed after expire
- tickets do not survive lighttpd restart
- tickets are not usable across multiple server instances / machines
- mod_auth_ticket is not written to refresh cookies before cookie timeout
- mod_auth_ticket is not written to add expires= to cookie for timeout
- mod_auth_ticket is not written to use the lighttpd mod_auth framework
- mod_auth_ticket has unbounded memory use; expired tickets not deleted from mem
- mod_auth_ticket has inefficient buffer use
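
The first post's point that ticket validation is pure computation, and the limitations listed above for tickets held in server memory, are illustrated by the following stateless-ticket sketch. It is an added example, not code from mod_auth_tkt, mod_authn_tkt or mod_auth_ticket; the ticket layout, function names and secret are assumptions, and HMAC-SHA256 stands in for the MD5 digest mentioned in the thread.

```python
import hashlib
import hmac
import time

# Constructed demo secret; in practice shared by the login script and every server.
SECRET = b"constructed-demo-secret"
MAC_LEN, TS_LEN = 64, 8  # hex SHA-256 digest, 32-bit hex timestamp


def _mac(secret, ts_hex, uid, tokens_csv):
    # NUL-separated fields keep the MAC input unambiguous.
    msg = "\0".join((ts_hex, uid, tokens_csv)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_ticket(secret, uid, tokens=(), now=None):
    """Login-script side: build a self-contained ticket string."""
    if any(c in uid for c in "!\0") or any(c in t for t in tokens for c in "!,\0"):
        raise ValueError("reserved character in uid or token")
    ts_hex = f"{int(time.time() if now is None else now):08x}"
    tokens_csv = ",".join(tokens)
    return f"{_mac(secret, ts_hex, uid, tokens_csv)}{ts_hex}{uid}!{tokens_csv}"


def validate_ticket(secret, ticket, required_token=None, timeout=7200, now=None):
    """Server side: return (uid, tokens) or None; no lookup, no stored state."""
    now = int(time.time() if now is None else now)
    mac, ts_hex = ticket[:MAC_LEN], ticket[MAC_LEN:MAC_LEN + TS_LEN]
    uid, sep, tokens_csv = ticket[MAC_LEN + TS_LEN:].partition("!")
    if len(ts_hex) != TS_LEN or not sep or not uid:
        return None
    expected = _mac(secret, ts_hex, uid, tokens_csv)
    # Constant-time comparison; check the MAC before trusting any field.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    age = now - int(ts_hex, 16)
    if age < 0 or age > timeout:
        return None  # expired, or stamped in the future
    tokens = tokens_csv.split(",") if tokens_csv else []
    if required_token is not None and required_token not in tokens:
        return None  # authenticated, but not authorized for this resource
    return uid, tokens
```

Because `validate_ticket` needs only the shared secret and the clock, a ticket issued before a restart or by another instance still validates, and the server keeps no per-ticket memory.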