Relevant examples can be found in the source,
httpd-2.2.4/modules/aaa/.
Note that in this area there were significant changes between Apache 1.x
and Apache 2.x.

In Apache 2, authentication and authorization are correctly
split between modules that interact with the client, implementing
protocols like basic auth, digest auth, or OAuth WRAP, and the
backend that actually verifies the credentials against a flat
file, a dbm, an SQL database, etc. In this way, the module that does
basic authentication doesn't have to be duplicated for different
modules which check that user/pass against various types of storage.

OAuth WRAP itself, being a protocol for interaction with the client,
would be implemented similarly to basic authentication and digest
authentication, so the relevant examples would include:

httpd-2.2.4/modules/aaa/mod_auth_basic.c
httpd-2.2.4/modules/aaa/mod_auth_digest.c

Apart from interacting with the client using OAuth WRAP,
you'll also probably want to check the validity of the token.
mod_authn_file.c and mod_authn_dbd.c would be examples of
that part.

> I'm familiar with ... but not with Apache or Apache modules.
> Could someone point me to the relevant documentation

Though there is some documentation on apache.org, if you
want to quickly go from "not familiar with Apache" to "writing
robust Apache modules", the book may be useful to you. It's
called "The Apache Modules Book".
--
Ray Morris
supp...@bettercgi.com
On 01/14/2010 11:08:25 AM, Pedro Félix wrote:
> Hi,
>
> I want to develop an apache module for the OAuth WRAP protocol:
>
> 1) Upon an unauthenticated request, the module should return a 401
> with header "WWW-Authenticate: WRAP"
> 2) When the request contains the header "Authorization: WRAP
> access_token=<token>", the module should validate this token and
> extract the user name from it.
>
> I already know the details of the WRAP protocol. My problem is how to
> integrate this with Apache.
> I'm familiar with architectures/pipelines for HTTP processing (e.g.
> IIS or ASP.NET), but not with Apache or Apache modules.
> Could someone point me to the relevant documentation or code
> frameworks/samples?
>
> Thanks
> Regards
> Pedro Félix
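
The header handling from the two numbered steps in the original question, as an added example that is not part of either message and is not Apache or mod_auth_* code: it decides between sending the "WWW-Authenticate: WRAP" challenge and handing a token to the backend that validates it. The function and enum names are hypothetical, tolerating double quotes around the token is an assumption, and token validation is left to the backend as the reply describes.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Outcome of inspecting the Authorization header (hypothetical names). */
enum wrap_result {
    WRAP_CHALLENGE, /* no WRAP credentials: send 401 + "WWW-Authenticate: WRAP" */
    WRAP_MALFORMED, /* WRAP scheme present but token unusable: reject */
    WRAP_TOKEN      /* token copied to out: pass it to the validating backend */
};

/* authz is the raw Authorization header value, or NULL if it is absent. */
enum wrap_result wrap_extract_token(const char *authz, char *out, size_t outlen)
{
    static const char param[] = "access_token=";
    size_t n, i;
    if (authz == NULL)
        return WRAP_CHALLENGE;
    while (*authz == ' ' || *authz == '\t')
        authz++;
    /* Scheme names are case-insensitive. Stops at the first mismatch, so a
     * short string is never read past its terminator. */
    for (i = 0; i < 4; i++)
        if (tolower((unsigned char)authz[i]) != "wrap"[i])
            return WRAP_CHALLENGE;
    if (authz[4] != ' ')            /* "WRAPPER ..." is not the WRAP scheme */
        return WRAP_CHALLENGE;
    authz += 5;
    while (*authz == ' ')
        authz++;
    if (strncmp(authz, param, sizeof param - 1) != 0)
        return WRAP_MALFORMED;
    authz += sizeof param - 1;
    n = strlen(authz);
    /* Assumption: tolerate one pair of surrounding double quotes. */
    if (n >= 2 && authz[0] == '"' && authz[n - 1] == '"') {
        authz++;
        n -= 2;
    }
    if (n == 0 || n >= outlen)      /* empty, or would not fit with the NUL */
        return WRAP_MALFORMED;
    for (i = 0; i < n; i++) {       /* nothing may trail or hide in the token */
        unsigned char c = (unsigned char)authz[i];
        if (c <= ' ' || c >= 0x7f || c == '"' || c == ',')
            return WRAP_MALFORMED;
    }
    memcpy(out, authz, n);
    out[n] = '\0';
    return WRAP_TOKEN;
}
```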