Forum OpenACS Q&A: Re: New mini-package: auth-hash
Two quick thoughts without having looked at the code:
a) This sounds like it could be implemented as an external authentication method in acs-authentication, if it isn't already.
b) Below is a slightly more complicated variant that I believe is more secure because no secrets are ever passed. Downside is it's a bit more complex. I've implemented it a couple of times and it's not too bad.
i) User logs in to campus network
ii) Campus network generates a unique but otherwise random string, saves it plus the user id plus a timestamp and redirects user to OACS with the random string as a URL argument.
iii) OACS issues a backend GET request to campus network with the random string. Campus network maps random string to user id and timestamp. If everything checks out, campus network returns user id.
iv) OACS maps campus user id to local user id, and logs user in.
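The ticket exchange in steps i to iv above, sketched as an added example that is not part of the original post and is not OpenACS or acs-authentication code. The class names, the 60-second lifetime, the single-use behaviour and the sample user map are assumptions, and the backend GET request is modelled as a direct method call so the block runs offline.

```python
import secrets
import time

TICKET_TTL = 60  # seconds; assumed value, the post does not give one


class CampusNetwork:
    """Campus side: steps ii and iii (hypothetical class name)."""

    def __init__(self):
        self._tickets = {}  # random string -> (campus user id, issue time)

    def issue_ticket(self, campus_user_id, now=None):
        # Step ii: unguessable random string, stored with user id and timestamp.
        ticket = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self._tickets[ticket] = (campus_user_id, issued)
        return ticket  # sent to OACS as a URL argument on the redirect

    def redeem(self, ticket, now=None):
        # Step iii: the answer to the backend GET. pop() makes the ticket
        # single-use (an assumption), so a replayed URL is rejected.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        campus_user_id, issued = entry
        now = time.time() if now is None else now
        if now - issued > TICKET_TTL:
            return None  # timestamp check failed: ticket too old
        return campus_user_id


class OACS:
    """OpenACS side: steps iii and iv (hypothetical class name)."""

    def __init__(self, campus, user_map):
        self._campus = campus      # stands in for the backend GET request
        self._user_map = user_map  # campus user id -> local user id

    def login(self, ticket, now=None):
        campus_user_id = self._campus.redeem(ticket, now)
        if campus_user_id is None:
            return None  # unknown, expired or already used ticket
        # Step iv: campus users without a local mapping are not logged in.
        return self._user_map.get(campus_user_id)
```

Only the random string travels through the browser; the user id is returned on the server-to-server call, which is why that call needs to go to an authenticated campus endpoint over TLS.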
This sounds like it could be implemented as an external authentication method in acs-authentication, if it isn't already.
It isn't, but I'm looking at doing so.