mod_auth_tkt SSO authentication support

#1

I have a web CMS (Plone) that supports mod_auth_tkt and would like to have Crossbar accept such cookies for authentication.

So how would one support authentication cookie from an external system in Crossbar? Do I have to write a custom authenticator? There is a shared secret involved so that would have to be added to configuration settings as well, I guess.

See for example http://www.openfusion.com.au/labs/mod_auth_tkt/ for more information, or just google.

FWIW, software libraries are available for various languages for generating and parsing mod_auth_tkt cookies.

Thanks,

Petri

0 Likes

#2

Hi Petri,

It'll depend.

Say you have an existing Web application, where the HTML/CSS/JS is served by Apache, and the user is authenticated there via mod_auth_tkt

Upon successful authentication, a cookie is set. For the origin of the HTML.

Now, say you have Crossbar.io running, and only used for WAMP(-over-WebSocket).

You can have the JS read the cookie, and then use WAMP-Ticket authentication, forwarding the cookie value on the WAMP/WebSocket connection to Crossbar.io.

Then you can have a custom, dynamic authenticator

https://github.com/crossbario/crossbarexamples/tree/master/authentication/ticket/dynamic

that will get the cookie value as the ticket.

That authenticator code (of yours) then will need to check the cookie.

When the cookie value is cryptographically signed in itself, no further communication is needed.

If its not (but it should be!), then the authenticator needs to talk to your actual cookie/auth DB to check.

In the former case (if done right), you _can_ get away without secure WebSocket. (However, replay attacks!)

In the latter, you MUST use secure WebSocket to make it secure.

But you should use secure WebSocket in general, and always anyway.

Does that help?

Cheers,
/Tobias

···

Am 22.04.2016 um 09:06 schrieb pe...@koodaamo.fi:

I have a web CMS (Plone) that supports mod_auth_tkt and would like to
have Crossbar accept such cookies for authentication.

So how would one support authentication cookie from an external system
in Crossbar? Do I have to write a custom authenticator? There is a
shared secret involved so that would have to be added to configuration
settings as well, I guess.

See for example http://www.openfusion.com.au/labs/mod_auth_tkt/ for more
information, or just google.

FWIW, software libraries are available for various languages for
generating and parsing mod_auth_tkt cookies.

Thanks,

  Petri

--
You received this message because you are subscribed to the Google
Groups "Crossbar" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to crossbario+...@googlegroups.com
<mailto:crossbario+...@googlegroups.com>.
To post to this group, send email to cross...@googlegroups.com
<mailto:cross...@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/crossbario/a6ef6754-36ac-480e-9d8e-439cb26ea195%40googlegroups.com
<https://groups.google.com/d/msgid/crossbario/a6ef6754-36ac-480e-9d8e-439cb26ea195%40googlegroups.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.

0 Likes