aleitner commented on code in PR #973:
URL: https://github.com/apache/guacamole-client/pull/973#discussion_r1566566281


##########
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java:
##########
@@ -98,20 +104,43 @@ public class Credentials implements Serializable {
      *     The HTTP request associated with the authentication
      *     request.
      */
-    public Credentials(String username, String password, HttpServletRequest 
request) {
+    public Credentials(String username, String password, 
+            HttpServletRequest request) {
         this.username = username;
         this.password = password;
         this.request = request;
+        this.authenticationResumed = false;
+        
+        if (request != null) {
+            // Set the remote address
+            this.remoteAddress = request.getRemoteAddr();
 
-        // Set the remote address
-        this.remoteAddress = request.getRemoteAddr();
+            // Get the remote hostname
+            this.remoteHostname = request.getRemoteHost();
 
-        // Get the remote hostname
-        this.remoteHostname = request.getRemoteHost();
+            // If session exists get it, but don't create a new one.
+            this.session = request.getSession(false);
+        }
 
-        // If session exists get it, but don't create a new one.
-        this.session = request.getSession(false);
+    }
+
+    /**
+     * Checks if the current authentication process is a resumed one.
+     *
+     * @return True if authentication is resumed, otherwise false.
+     */
+    public Boolean isAuthenticationResumed() {
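Review bot: `isAuthenticationResumed()` returns the boxed `Boolean` while the constructor assigns the primitive `false` to `authenticationResumed`; a boxed return type here buys nothing and lets a caller hit an auto-unboxing NullPointerException if the field is ever left unset (for instance on a subclass or a deserialized instance, since the class is `Serializable`). Suggest `public boolean isAuthenticationResumed()`. Separately, in the new `if (request != null)` branch `remoteAddress`, `remoteHostname` and `session` are left unset when no request is supplied, but the constructor's Javadoc for `request` ("The HTTP request associated with the authentication request.") does not say that `null` is now accepted or what the derived fields hold in that case; please document it, since callers of the corresponding getters previously could rely on a non-null remote address.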

Review Comment:
   I tried to create a generic system for resumable authentication based on 
query strings set by the authentication provider. The query strings are defined 
by the authentication provider modules so that we can avoid accidental overlap. 
https://github.com/apache/guacamole-client/blob/282a9111c779ed62ded043cf70cbcecf6f91120f/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java#L56-L61
   
   Here is the order of events:
   1. The user attempts to authenticate with the primary application.
   2. If additional authentication is needed (e.g. Duo), the user is 
temporarily redirected to an external service.
   3. The primary application throws an error containing the necessary 
information to resume the authentication session and redirects to the external 
authentication service. 
https://github.com/apache/guacamole-client/blob/282a9111c779ed62ded043cf70cbcecf6f91120f/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java#L126-L138
   4. The primary application catches the error, stores the relevant 
information in a map for retrieval, and marks the credentials so that we know 
they need to be resumed. 
https://github.com/apache/guacamole-client/blob/282a9111c779ed62ded043cf70cbcecf6f91120f/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java#L327-L334
   5. The external authentication service performs its task (verifying the 
user's identity) and then redirects the user back to the primary application 
with special query string parameters that indicate the result of the 
authentication process.
   6. The primary application handles the redirected request. It checks the 
query string parameters for a specific state parameter that matches a known 
"resumable state." 
https://github.com/apache/guacamole-client/blob/282a9111c779ed62ded043cf70cbcecf6f91120f/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java#L370-L433
   7. On the primary application side, these states, along with information 
such as provider identifiers and credentials, are stored in a map. This allows 
the application to keep track of which authentication state corresponds to 
which user session.
   8. If a matching state is found and the state has not expired, the primary 
application uses the stored credentials and information to resume the user's 
authentication process.
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

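As an added illustration of the eight-step flow described in the review comment above, the following Java sketch shows the state map that steps 4 and 6 to 8 rely on: parking the provider identifier and credentials under a state token, reading the provider-defined query parameter on the way back, and refusing a state that has expired. It is example code written for this page, not code from the pull request or from Guacamole itself; `ResumableStateStore`, `ResumableState`, `park`, `resume`, `pruneExpired`, the `duo-state` parameter name and the use of a plain username/password pair in place of the project's `Credentials` object are all assumptions. It also goes slightly beyond the comment's description in two respects that a practitioner would want: the token is drawn from `SecureRandom` so it cannot be guessed, and it is consumed on first use so a replayed redirect does not resume the session a second time.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical in-memory map of resumable authentication states.
 * Added example only: none of these names exist in Guacamole.
 */
public class ResumableStateStore {

    /** What the primary application parks while the user is at the external service. */
    public static final class ResumableState {
        public final String providerIdentifier;
        public final String username;   // stand-in for the parked Credentials
        public final String password;
        public final long expiresAtMillis;

        ResumableState(String providerIdentifier, String username,
                String password, long expiresAtMillis) {
            this.providerIdentifier = providerIdentifier;
            this.username = username;
            this.password = password;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private final Map<String, ResumableState> states = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long ttlMillis;

    public ResumableStateStore(long ttlMillis) {
        this.ttlMillis = ttlMillis;
    }

    /**
     * Step 4: park the credentials under a fresh, unguessable state token
     * (256 random bits, URL-safe base64 so it survives a query string intact).
     */
    public String park(String providerIdentifier, String username,
            String password, long nowMillis) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        states.put(state, new ResumableState(providerIdentifier, username,
                password, nowMillis + ttlMillis));
        return state;
    }

    /**
     * Steps 6 to 8: the provider module names its own query parameter; read it,
     * consume the state (single use, so a replayed redirect fails) and reject
     * anything expired or parked by a different provider.
     */
    public Optional<ResumableState> resume(String providerIdentifier,
            String stateParameterName, Map<String, String[]> queryParameters,
            long nowMillis) {
        String[] values = queryParameters.get(stateParameterName);
        if (values == null || values.length != 1)
            return Optional.empty();

        ResumableState parked = states.remove(values[0]);   // single use
        if (parked == null || nowMillis > parked.expiresAtMillis)
            return Optional.empty();
        if (!parked.providerIdentifier.equals(providerIdentifier))
            return Optional.empty();

        return Optional.of(parked);
    }

    /** Drop states whose redirect never came back, so the map cannot grow without bound. */
    public int pruneExpired(long nowMillis) {
        int removed = 0;
        Iterator<Map.Entry<String, ResumableState>> it = states.entrySet().iterator();
        while (it.hasNext()) {
            if (nowMillis > it.next().getValue().expiresAtMillis) {
                it.remove();
                removed++;
            }
        }
        return removed;
    }

    /** Walk the flow once: park, come back via the provider's parameter, replay, expire. */
    public static void main(String[] args) {
        ResumableStateStore store = new ResumableStateStore(5 * 60 * 1000L);
        long t0 = 1_000_000L;
        String param = "duo-state";   // assumed provider-defined parameter name

        String state = store.park("duo", "alice", "correct horse", t0);
        Map<String, String[]> back = Map.of(param, new String[] { state });
        System.out.println("resumed:  " + store.resume("duo", param, back, t0 + 1_000).isPresent());
        System.out.println("replayed: " + store.resume("duo", param, back, t0 + 2_000).isPresent());

        String stale = store.park("duo", "bob", "pw", t0);
        Map<String, String[]> late = Map.of(param, new String[] { stale });
        System.out.println("expired:  " + store.resume("duo", param, late, t0 + 6 * 60 * 1000L).isPresent());

        store.park("duo", "carol", "pw", t0);   // never returns from the external service
        System.out.println("pruned:   " + store.pruneExpired(t0 + 6 * 60 * 1000L));
    }
}
```

The store keys on the token alone and checks the provider identifier only after lookup; keeping the parameter name per provider, as the comment describes, is what stops two modules from reading each other's state, while the token's entropy is what stops an attacker from resuming someone else's half-finished login.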