Posted to user@vcl.apache.org by Akkaash Goel <ag...@ncsu.edu> on 2015/04/23 21:00:59 UTC

[VCL API] Roadblock: Authentication

Hello, 

I am working on a wrapper API for the XMLRPC API for VCL. 

I have run into a small issue:

	Since this API could potentially be used by other applications, is there a way to authenticate a user without the password being passed in every API call? Is there a way to instead use SSO mechanism such as Shibboleth?

Thanks for your help. 

—
Akkaash Goel
Graduate Student
Computer Science
NC State University

Re: [VCL API] Roadblock: Authentication

Posted by Aaron Coburn <ac...@amherst.edu>.
Hi, Akkaash,

You're talking about delegated authentication. I have several applications that make use of the VCL API like this -- all in the context of Shibboleth. One of them is here: https://github.com/acoburn/moodle-block_vcl

I set this up quite some time ago, so I will try not to give you any misinformation, but basically, here's how it works -- it requires no core code changes, but it does require some extensive configuration changes. (This is all for 2.3.2, I haven't upgraded the system to 2.4.x yet).

The issue is that in the context of shibboleth, the VCL doesn't know anything about users' passwords, so instead there needs to be some kind of back-channel shared secret. In the context of the shibboleth service provider, the application will know the username and affiliation for a given user. The application also stores (internally) a secret key -- this is set by configuration, and no user will have access to that. The user then makes a request to a page *within the service provider application* -- then, your application proxies the request to the VCL API, using the user's username and affiliation value (which comes from shibboleth) along with that authkey. It is very important that this request is not visible to a user -- don't use javascript.

Then, how does the VCL decide whether a request is valid? Here, there are several checks, all defined in the .ht-inc/conf.php and ./ht-inc/secrets.php files:

In secrets.php, define an array of tokens -- whatever data structure makes sense for your use cases.

Then, in conf.php, make use of the $apiValidateFunc, which is a custom function that will validate API requests.

You can see an example of my conf.php file here: https://gist.github.com/acoburn/b89fb30e0ae948805997

The key point here is that there is an array of $shibauthtokens (defined in secrets.php) that holds valid keys. If the request contains one of these keys AND it is from a "trusted" source, then the validation passes (return 1). By trusted source, I mean the IP addresses defined in $authMechs[<affiliation>]["trusted"]. Otherwise, return 0.

The other point to mention is that you need to set ALLOWADDSHIBUSERS in conf.php:

define("ALLOWADDSHIBUSERS", 1);

Since many (most?) users making use of the external service will never actually log in to the standard VCL GUI, these API requests need to be able to add new users to the database.

Let me know if you have any questions.

Regards,
Aaron Coburn

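The gist linked above is not reproduced here, so as an added example (not Aaron's gist or VCL's own code) this is how the two checks he describes could be written in PHP. It assumes a validator that receives the presented key, the affiliation and the caller's address (the real $apiValidateFunc signature must be taken from the 2.3.2 conf.php) and uses constructed key and trusted-host values.

```php
<?php
// Added example, not Aaron's gist or VCL's own code. The function name, its
// parameters and the token/trusted-host layout are assumptions; take the real
// $apiValidateFunc signature from the VCL 2.3.2 conf.php.

// secrets.php holds the shared keys (constructed placeholder, never a real key).
$shibauthtokens = array(
    'moodle' => 'REPLACE_WITH_LONG_RANDOM_SECRET',
);

// conf.php already defines $authMechs; "trusted" lists the proxy hosts allowed
// to present a shared key for that affiliation (constructed addresses).
$authMechs = array(
    'Example University' => array(
        'trusted' => array('192.0.2.10', '192.0.2.11'),
    ),
);

/**
 * Validate a proxied XML-RPC request: the caller must present a known shared
 * key AND connect from an address listed as trusted for the affiliation.
 * Returns 1 on success and 0 on failure, matching the convention above.
 * $remoteAddr is the peer address as seen by the web server, e.g.
 * $_SERVER['REMOTE_ADDR'], not a client-supplied header.
 */
function validateShibProxyRequest($authkey, $affiliation, $remoteAddr)
{
    global $shibauthtokens, $authMechs;

    // Unknown affiliation: nothing can be trusted, fail before checking keys.
    if (!isset($authMechs[$affiliation]['trusted'])) {
        return 0;
    }
    // Source-address check: a leaked key alone must not be enough.
    if (!in_array($remoteAddr, $authMechs[$affiliation]['trusted'], true)) {
        return 0;
    }
    // Constant-time comparison against every configured key (hash_equals needs
    // PHP >= 5.6), so a wrong key leaks nothing about how many bytes matched.
    $match = false;
    foreach ($shibauthtokens as $token) {
        if (hash_equals($token, (string) $authkey)) {
            $match = true;
        }
    }
    return $match ? 1 : 0;
}

// Register the validator under the name conf.php expects (assumed wiring).
$apiValidateFunc = 'validateShibProxyRequest';
```

Together with ALLOWADDSHIBUSERS this lets the proxy create and act for users who never log in to the GUI, so the shared key and the trusted address list carry the whole trust decision and should be rotated and kept to the proxy hosts only.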