Hi Mohammad -

I would consider looking into the following for adding a federation
provider (federation providers do not take and validate credentials like
authentication providers) in order to validate a token that represents a
previous authentication event:

https://cwiki.apache.org/confluence/display/KNOX/2015/12/18/Adding+a+Federation+Provider+to+Apache+Knox

Then use the HeaderPreAuth provider as an example to get to the headers and
add the validation code to your impl.

At the same time, it might make sense to consider a plugin model for the
HeaderPreAuth provider to configure optional validation helpers that you
could use. If that is the only difference then that might make a lot of
sense.

I am a little concerned about the statement that your network isn't
secured. I assume that you will use SSL between the client and Knox.
In addition, I would suggest that you look into setting up Knox to require
client certs for mutual authentication [1]. Otherwise, anyone that
intercepts a token can impersonate that user.

Does that make sense?

thanks,

--larry

[1] http://knox.apache.org/books/knox-0-11-0/user-guide.html#Mutual+Authentication+with+SSL


On Thu, Jan 19, 2017 at 10:04 PM, Mohammad Islam <[email protected]> wrote:

> Hi,
> I'm looking for a custom authentication solution in Knox for our
> use-case. Let me explain the use case: for us, authentication related
> information is passed as the following custom HTTP headers:
>   a) X-Auth-Token: Client gets the encoded token after making some internal
>      service call. Knox server needs to retrieve this token from the header
>      and invoke a method to authenticate the token.
>   b) X-Auth-User-Email: Client provides the actual user email address.
>      Server needs to parse it to get the effective user id.
>   c) X-Auth-Source: The client's name, for internal purposes.
>
> Based on Larry's suggestion, I started with pre-auth-header for mainly b)
> and c). I also configured identity-assertion to parse the email address to
> get the user name.
> However, our network is not secured or isolated. So pre-auth is not going
> to work in its form. That's why we include the Auth-Token (a) in the header.
> My question is how to add my custom code to authenticate the Auth-Token
> passed in the header by the client. Is there any example?
> Regards,
> Mohammad
>
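As an added example of the pattern Larry describes (not code from this thread or from Knox itself): a servlet filter that reads X-Auth-Token and X-Auth-User-Email, hands the token to a pluggable validator, and only then establishes the security context the way Knox's pre-auth federation filters do. The TokenValidator interface, the token.validator.class param and the filter class name are assumptions, PrimaryPrincipal is assumed to live in the Knox 0.x org.apache.hadoop.gateway.security package, and the deployment-contributor wiring from the linked wiki page is not shown.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.gateway.security.PrimaryPrincipal; // assumed: Knox 0.x package name

/** Pluggable validation hook (an assumption): asks the internal auth service whether a token is genuine. */
interface TokenValidator {
  /** Returns the email address the token was issued for, or null if it is invalid or expired. */
  String validate(String token);
}

/** Federation filter: trusts the pre-auth headers only after the token behind them has been validated. */
public class TokenHeaderFederationFilter implements Filter {
  private TokenValidator validator;
  @Override public void init(FilterConfig cfg) throws ServletException {
    // "token.validator.class" is a hypothetical provider param; Knox passes provider params as init-params.
    try {
      validator = (TokenValidator) Class.forName(cfg.getInitParameter("token.validator.class"))
          .getDeclaredConstructor().newInstance();
    } catch (ReflectiveOperationException e) {
      throw new ServletException("cannot load token validator", e);
    }
  }
  @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest http = (HttpServletRequest) req;
    String token = http.getHeader("X-Auth-Token");
    String claimedEmail = http.getHeader("X-Auth-User-Email");
    String boundEmail = (token == null) ? null : validator.validate(token);
    // Reject unless the token is valid AND was issued for the user named in X-Auth-User-Email,
    // so a valid token for one user cannot be paired with another user's email.
    if (boundEmail == null || claimedEmail == null || !boundEmail.equalsIgnoreCase(claimedEmail)) {
      ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }
    // Establish the security context as Knox pre-auth filters do; identity-assertion
    // downstream still maps the email to the effective user id.
    Subject subject = new Subject();
    subject.getPrincipals().add(new PrimaryPrincipal(boundEmail));
    try {
      Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> { chain.doFilter(req, res); return null; });
    } catch (PrivilegedActionException e) {
      throw new ServletException(e.getException());
    }
  }
  @Override public void destroy() {}
}
```

The cross-check between the token's bound email and the claimed X-Auth-User-Email is what keeps the email header from being trusted on its own once the network is not isolated; it does nothing against a token captured in transit, which is why TLS (and ideally client certs) between the client and Knox still matters.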
