Look at "Authorization: Basic d2lraTpwZWRpYQ==": it is just two tokens, but the content is decoded and returned in the ns_set as user and password. Here is an example of the digest authorization header:

         Authorization: Digest username="Mufasa",
                 realm="testre...@host.com",
                 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 uri="/dir/index.html",
                 qop=auth,
                 nc=00000001,
                 cnonce="0a4f113b",
                 response="6629fae49393a05397450978507c4ef1",
                 opaque="5ccc069c403ebaf9f0171e9517f40e41"

The ns_set will contain the fields named in plaintext.

Here is another example, from AWS:

   Authorization: AWS4-HMAC-SHA256 Credential="AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request", SignedHeaders=host;range;x-amz-date,Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024

One can in this case get the values directly from the incoming set (this works always):


   set auth_header [ns_set iget [ns_conn headers] Authorization ""]
   if {[regexp {^(\S+)\s+(.*)$} $auth_header . AuthMethod value]} {
      set dict [ns_parsefieldvalue $value]
   }
   # $dict now contains:
   # {Credential AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request}
   # {SignedHeaders host range {} x-amz-date {}}
   # {Signature fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024}

This is not much code. Actually, in the provided examples from Amazon, the "Credential" token is not quoted, but according to https://tools.ietf.org/html/rfc7230#section-3.2.6, the token field value containing a "/" must be quoted. Oh, well.

In another example of an HTTP-HMAC (https://docs.acquia.com/personalization/api/hmacv2/), the values are nicely quoted and therefore also parse-able via ns_parsefieldvalue:

   Authorization: acquia-http-hmac realm="AcquiaLiftWeb",id="Ra9YgrsKAcXDLMexg44N",nonce="d1954337-5319-4821-8427-115542e08d10",version="2.0",signature="R6y7kWkBnUdcSNXMxh4Vib6wSSHYKY4srCA1d4unW78="

In the "Bearer" case this is different, but much simpler, and not further structured:

   Authorization: Bearer AbCdEf123456

We could consider decoding the provided token on the fly, ... but then we would get binary values in the set. It is more convenient to keep the b64 value and decode it when needed.

all the best
-g

_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
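The header shapes discussed in the message above, as an added Python example that is not NaviServer code and not ns_parsefieldvalue itself: it splits off the scheme, decodes Basic into user and password, keeps a bare token68 (the Bearer case) verbatim, and parses the comma-separated auth-param lists of Digest, AWS SigV4 and HTTP-HMAC, tolerating Amazon's unquoted Credential value with "/". The sample headers are constructed from the examples in the thread.

```python
import base64
import re

# Constructed samples, one per scheme discussed in the thread (not live traffic).
SAMPLES = {
    "basic": "Basic d2lraTpwZWRpYQ==",
    "aws": ("AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,"
            " SignedHeaders=host;range;x-amz-date,"
            " Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024"),
    "hmac": ('acquia-http-hmac realm="AcquiaLiftWeb",id="Ra9YgrsKAcXDLMexg44N",'
             'nonce="d1954337-5319-4821-8427-115542e08d10",version="2.0",'
             'signature="R6y7kWkBnUdcSNXMxh4Vib6wSSHYKY4srCA1d4unW78="'),
    "bearer": "Bearer AbCdEf123456",
}

# token68 (RFC 7235): an opaque blob where "=" may appear only as trailing padding.
TOKEN68_RE = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")
# One auth-param: name=value, value either a quoted-string (backslash escapes) or a
# bare run up to the next comma, so Amazon's unquoted Credential with "/" parses too.
PARAM_RE = re.compile(r'\s*([^\s=,]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,]*))\s*(?:,|$)')

def parse_params(text):
    """Parse a comma-separated auth-param list into a dict, unescaping quoted values."""
    params, pos = {}, 0
    while pos < len(text):
        m = PARAM_RE.match(text, pos)
        if not m:
            raise ValueError("malformed auth-param list at offset %d" % pos)
        name, quoted, bare = m.groups()
        params[name] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare.strip()
        pos = m.end()
    return params

def parse_authorization(header):
    """Return (scheme, fields): Basic decoded to user/password, token68 kept as-is."""
    m = re.match(r"^(\S+)\s+(.*)$", header.strip(), re.S)
    if not m:
        raise ValueError("malformed Authorization header")
    scheme, rest = m.group(1), m.group(2).strip()
    if scheme.lower() == "basic":
        try:  # Basic is the one case decoded here; reject junk instead of passing it on.
            creds = base64.b64decode(rest, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError) as exc:
            raise ValueError("Basic credentials are not valid base64/UTF-8") from exc
        user, _, password = creds.partition(":")
        return scheme, {"user": user, "password": password}
    if TOKEN68_RE.match(rest):  # Bearer and friends: opaque, decode later if ever needed
        return scheme, {"token": rest}
    return scheme, parse_params(rest)  # Digest, AWS SigV4, HTTP-HMAC, ...
```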
