- From: <tvaughan@aventail.com>
- Date: Thu, 15 Apr 1999 13:46:22 -0400 (EDT)
- To: "Nottingham, Mark (Australia)" <mark_nottingham@exchange.au.ml.com>
- Cc: www-talk@w3.org
Interesting. Thanks. Perhaps I should elaborate.

What I am interested to know is, is there a (proposed) standard way to share user credentials among servers (within or not within the same domain) who do *not* share a common authentication back-end, but yet who *do* share a common user population?

For example, let's say I have a reverse proxy that can authenticate users via challenge-response to a RADIUS server. And the origin server is a web server, with some CGI script that talks to a database. But this CGI script needs a user id to do what it does. This CGI script *could* do Basic or Digest Auth to get this user id, or the reverse proxy *could* send a user id to the origin server. My thinking was that perhaps the reverse proxy could send this user id as an encrypted cookie. And the trust relationship between the servers would be established by the sharing of the private key.

I guess the proposed Digest Auth solution could be made to work, but that would require a shared secret on a per-user, not per-server basis, and would not allow the user credentials to contain anything other than a user id, like group membership - provided I understand this correctly.

Or is this too unique a situation to bother other people about? What motivated you to ask this question?

Much Thanks,

Tom

"Nottingham, Mark (Australia)" <mark_nottingham@exchange.au.ml.com> writes:

> I asked a similar question on HTTPwg a while back, and got a few interesting
> responses. Check the mailing list.
>
> Probably the best is from Jim Gettys:
>
> >The revised digest authentication can be implemented to allow cross server
> >sharing of authentication information (without the danger of stealing
> >of one header allowing access to other servers), which should solve this
> >problem (without the kluding of using a proxy to do the translations).
> >
> >The back end servers can communicate among themselves the authentication
> >information with whatever protocol is appropriate (e.g. Kerberos).
> >
> >This was one of the major flaws in RFC2069, and is being fixed in
> >the revision. Paul Leach had the idea that makes this feasible
> >after 2069 was issued.
> >
> >Please look at a current draft of the revision to see the details.
>
> Digest auth definitely has this capability, and is (more) secure.
> Unfortunately, there still aren't many browsers who support Digest (haven't
> checked with the latest, but if any of your users use even moderately old
> ones, you're out of luck).
>
> Hope this helps,
>
>
> > -----Original Message-----
> > From: tvaughan@aventail.com [mailto:tvaughan@aventail.com]
> > Sent: Thursday, April 15, 1999 4:23 AM
> > To: www-talk@w3.org
> > Subject: user credential passing standard
> >
> >
> > Is there a standard way to pass user credentials from one web
> > server/proxy
> > to another web server/proxy? Like encrypted cookies or something.
> >
> > -Tom
>

--
Tom Vaughan <tvaughan at aventail dot com>
Received on Thursday, 15 April 1999 16:39:37 UTC
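The design Tom sketches above (the reverse proxy authenticates the user against RADIUS, then hands a user id plus group membership to the origin's CGI script in a cookie whose trust rests on a key shared per server pair, not per user), as an added example that is not code from the thread or from any of its participants. Everything below is assumed for illustration: the cookie name `proxyauth`, the token layout (base64url JSON body, a dot, base64url HMAC-SHA256 tag), and the field names. The token is bound to one origin (`aud`) and given a short lifetime (`exp`), which addresses the concern in the quoted Gettys text that stealing one header should not grant access to other servers. The thread says "encrypted cookie"; this example uses a MAC rather than encryption, since what the origin's trust actually depends on is that the contents were produced by the proxy and not altered. If the user id and groups must also be hidden from whoever carries the cookie, encrypt the body as well (an AEAD construction would give both at once).

```python
"""Proxy-to-origin credential passing with a per-server shared secret.

Added example, not from the thread. Assumed layout of the cookie value:
    base64url(JSON payload) "." base64url(HMAC-SHA256(key, payload))
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed key for the example. In a deployment it is generated at random
# and copied to the proxy and to every origin that trusts that proxy: one
# secret per server pair, not one per user.
SHARED_KEY = b"constructed-example-shared-secret-not-for-use"
COOKIE_NAME = "proxyauth"  # assumed cookie name, not from the thread


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_payload(payload: dict) -> bytes:
    # Canonical JSON so proxy and origin MAC exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(key: bytes, user: str, groups, audience: str,
                     now=None, ttl: int = 300) -> str:
    """Proxy side: called after RADIUS accepted the user's challenge-response.

    The payload carries more than a user id (group membership here) and is
    bound to one origin ("aud") for a short time ("exp").
    """
    now = int(time.time() if now is None else now)
    payload = {"sub": user, "groups": sorted(groups), "aud": audience,
               "iat": now, "exp": now + ttl}
    body = encode_payload(payload)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(tag)


def verify_credential(key: bytes, token, audience: str, now=None):
    """Origin side: return the payload dict, or None if anything is wrong."""
    now = int(time.time() if now is None else now)
    if not isinstance(token, str):
        return None
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = b64url_decode(body_b64), b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged, tampered, or issued by a proxy with another key
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict) or payload.get("aud") != audience:
        return None  # genuine token, but issued for a different origin
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None  # expired, or expiry missing
    return payload


def credential_from_cgi_environ(environ: dict, key: bytes, audience: str, now=None):
    """What the CGI script calls: pull the proxy's cookie out of HTTP_COOKIE."""
    cookies = {}
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return verify_credential(key, cookies.get(COOKIE_NAME), audience, now)
```

Two things the code does not do for you: the origin must only be reachable through the proxy (or must otherwise know the request came from it), because within its lifetime the token is a bearer credential; and rotating `SHARED_KEY` means re-issuing it to every origin that trusts that proxy, which is the per-server trust relationship Tom describes.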