Posted to modules-dev@httpd.apache.org by Pedro Félix <pe...@cc.isel.ipl.pt> on 2010/01/16 12:18:52 UTC

RE: OAuth WRAP apache module - attaching groups to a request

Hi,

First of all, thanks for the help.

In my journey to develop an OAuth Wrap extension to Apache's HTTPD, my
current question is:

	- A token received via the WRAP protocol can contain more
information than just a username. Examples of this extra information are
groups, roles or permissions. The goal of my module is to process the token,
extract this information and associate it with the request, so that this
information is available to downstream modules or applications (e.g.
subversion or trac).

	- A request record already has a place to put the username but not a
place for this extra information.

	- Apparently, the request_rec::notes table should be used to place
information that is going to be consumed by downstream modules. However, I
want this information to also be available to handler apps (e.g. a trac
plugin).

	- So, what is the best place to put this extra info? 

Thanks,
Pedro Felix


> -----Original Message-----
> From: Ray Morris [mailto:support@bettercgi.com]
> Sent: quinta-feira, 14 de Janeiro de 2010 17:51
> To: modules-dev@httpd.apache.org
> Subject: Re: OAuth WRAP apache module
> 
>    Relevant examples can be found in the source,
> httpd-2.2.4/modules/aaa/ .
> Note that in this area there were significant changes between Apache 1.x
> and Apache 2.x.
> 
>     In Apache 2, authentication and authorization are correctly
> split between modules that interact with the client, implementing
> protocols like basic auth, digest auth, or OAuth WRAP, and the
> backend that actually verifies the credentials against a flat
> file, a dbm, an SQL database, etc.  In this way, the module that does
> basic authentication doesn't have to be duplicated for different
> modules which check that user/pass against various types of storage.
> 
>     OAuth WRAP itself, being a protocol for interaction with the client,
> would be implemented similarly to basic authentication and digest
> authentication, so the relevant examples would include:
> httpd-2.2.4/modules/aaa/mod_auth_basic.c
> httpd-2.2.4/modules/aaa/mod_auth_digest.c
> 
>     Apart from interacting with the client using OAuth WRAP,
> you'll also probably want to check the validity of the token.
> mod_authn_file.c and mod_authn_dbd.c would be examples of
> that part.
> 
> > I'm familiar with ... but not with Apache or Apache modules.
> > Could someone point me to the relevant documentation
> 
>     Though there is some documentation on apache.org, if you
> want to quickly go from "not familiar with Apache" to "writing
> robust Apache modules", the book may be useful to you.  It's
> called "The Apache Modules Book".
> --
> Ray Morris
> support@bettercgi.com
> 
> Strongbox - The next generation in site security:
> http://www.bettercgi.com/strongbox/
> 
> Throttlebox - Intelligent Bandwidth Control
> http://www.bettercgi.com/throttlebox/
> 
> Strongbox / Throttlebox affiliate program:
> http://www.bettercgi.com/affiliates/user/register.php
> 
> 
> On 01/14/2010 11:08:25 AM, Pedro Félix wrote:
> > Hi,
> >
> > I want to develop an apache module for the OAuth WRAP protocol:
> >
> > 	1) Upon an unauthenticated request, the module should return a 401
> > with header "WWW-Authenticate: WRAP"
> >
> > 	2) When the request contains the header "Authorization: WRAP
> > access_token=<token>", the module should validate this token and
> > extract the user name from it.
> >
> > I already know the details of the WRAP protocol. My problem is how to
> > integrate this with Apache.
> >
> > I'm familiar with architectures/pipelines for HTTP processing (e.g.
> > IIS or ASP.NET), but not with Apache or Apache modules.
> > Could someone point me to the relevant documentation or code
> > frameworks/samples?
> >
> > Thanks
> > Regards
> > Pedro Félix
> >
> >
> >
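
The header handling from steps 1) and 2) of the quoted original message, as an added example that is not part of this thread or of any Apache module. It is plain C with no Apache API; the function and enum names are hypothetical, accepting optional double quotes around the token is an assumption, and the token itself is only extracted, not validated.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result codes for wrap_parse_authorization(). */
enum wrap_result {
    WRAP_OK,          /* token copied to out; caller still has to validate it */
    WRAP_CHALLENGE,   /* no WRAP credentials: reply 401 + "WWW-Authenticate: WRAP" */
    WRAP_BAD_REQUEST  /* WRAP scheme present but malformed, empty or oversized */
};

/* Parse an Authorization header value of the form
 *     WRAP access_token=<token>
 * The scheme is matched case-insensitively. Double quotes around the token
 * are accepted (assumption). Anything after the token is rejected. */
enum wrap_result wrap_parse_authorization(const char *hdr, char *out, size_t outlen)
{
    static const char scheme[] = "WRAP", param[] = "access_token=";
    const char *p, *end;
    size_t n;

    if (hdr == NULL)
        return WRAP_CHALLENGE;               /* unauthenticated request */
    while (*hdr == ' ' || *hdr == '\t') hdr++;
    if (strncasecmp(hdr, scheme, sizeof scheme - 1) != 0)
        return WRAP_CHALLENGE;               /* another scheme, e.g. Basic */
    p = hdr + sizeof scheme - 1;
    if (*p != ' ' && *p != '\t')
        return WRAP_CHALLENGE;               /* "WRAPPER ..." is not our scheme */
    while (*p == ' ' || *p == '\t') p++;
    if (strncmp(p, param, sizeof param - 1) != 0)
        return WRAP_BAD_REQUEST;
    p += sizeof param - 1;
    if (*p == '"') {                         /* quoted form */
        end = strchr(++p, '"');
        if (end == NULL || end[1] != '\0') return WRAP_BAD_REQUEST;
    } else {                                 /* bare form, as in the message */
        end = p + strcspn(p, " \t,\"");
        if (*end != '\0') return WRAP_BAD_REQUEST;
    }
    n = (size_t)(end - p);
    if (n == 0 || n >= outlen)
        return WRAP_BAD_REQUEST;             /* never truncate or overflow out */
    memcpy(out, p, n);
    out[n] = '\0';
    return WRAP_OK;
}
```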