Forum OpenACS Q&A: Re: New mini-package: auth-hash

Posted by Andrew Grumet on
I'll try to look at this code when I can come up for air from the Sloan upgrade.

Two quick thoughts without having looked at the code:

a) This sounds like it could be implemented as an external authentication method in acs-authentication, if it isn't already.

b) Below is a slightly more complicated variant that I believe is more secure because no secrets are ever passed.  Downside is it's a bit more complex.  I've implemented it a couple of times and it's not too bad.

i) User logs in to campus network

ii) Campus network generates a unique but otherwise random string, saves it plus the user id plus a timestamp and redirects user to OACS with the random string as a URL argument.

iii) OACS issues a backend GET request to campus network with the random string.  Campus network maps random string to user id and timestamp.  If everything checks out, campus network returns user id.

iv) OACS maps campus user id to local user id, and logs user in.

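The four-step handoff above, written out as an added example with both sides in one process (this is illustration code, not part of Andrew's post or of OpenACS, and it is Python rather than the Tcl an acs-authentication driver would use). The class names, the `token` URL parameter, the 60-second lifetime, the campus user id `jdoe` and the local user id `4242` are all assumptions. `CampusNetwork.resolve` stands in for the backend GET in step iii: the token is a single-use, short-lived lookup key, so the URL argument never carries a password or a long-term credential, which is the property the post is after. The example also shows what a practitioner would want to check: a replayed token, an expired token, a forged token and an unmapped campus user are all refused.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed lifetime of a handoff token; long enough for one redirect round trip.
TOKEN_TTL_SECONDS = 60


class FakeClock:
    """Injectable clock so the expiry path can be exercised deterministically."""

    def __init__(self, start):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class CampusNetwork:
    """Campus side (steps i-iii): mints tokens and answers OACS's backend lookup."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token -> (campus_user_id, issued_at)

    def login_and_redirect(self, campus_user_id,
                           oacs_base="https://oacs.example.edu/campus-login"):
        # Step ii: unguessable random string, stored with user id and timestamp.
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[token] = (campus_user_id, self._clock())
        return f"{oacs_base}?{urlencode({'token': token})}"

    def resolve(self, token):
        """Backend endpoint OACS calls in step iii. Returns campus user id or None."""
        entry = self._pending.pop(token, None)  # pop: a token resolves at most once
        if entry is None:
            return None  # unknown, forged, or already consumed
        campus_user_id, issued_at = entry
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            return None  # stale token; the redirect took too long
        return campus_user_id


class OACS:
    """OACS side (steps iii-iv): validates the token via the backend and logs in."""

    def __init__(self, campus, user_map):
        self._campus = campus
        self._user_map = user_map  # campus user id -> local OACS user id
        self.logged_in = []

    def handle_redirect(self, url):
        token = parse_qs(urlparse(url).query).get("token", [None])[0]
        if not token:
            return None
        # In a deployment this is an HTTPS GET to the campus server, not a call.
        campus_user_id = self._campus.resolve(token)
        if campus_user_id is None:
            return None
        local_user_id = self._user_map.get(campus_user_id)
        if local_user_id is None:
            return None  # campus account with no local account: do not auto-create
        self.logged_in.append(local_user_id)  # step iv: issue the local session
        return local_user_id


def demo():
    """Run the happy path plus the failure modes; returns results for inspection."""
    clock = FakeClock(1_000_000.0)
    campus = CampusNetwork(clock=clock.now)
    oacs = OACS(campus, {"jdoe": 4242})  # constructed user mapping

    url = campus.login_and_redirect("jdoe")
    first = oacs.handle_redirect(url)    # fresh token: logs in as 4242
    replay = oacs.handle_redirect(url)   # same URL again: refused

    url2 = campus.login_and_redirect("jdoe")
    clock.advance(TOKEN_TTL_SECONDS + 1)
    expired = oacs.handle_redirect(url2)  # valid token, but too old

    forged = oacs.handle_redirect(
        "https://oacs.example.edu/campus-login?token=" + secrets.token_urlsafe(32))

    unmapped = oacs.handle_redirect(campus.login_and_redirect("stranger"))

    return {"first": first, "replay": replay, "expired": expired,
            "forged": forged, "unmapped": unmapped,
            "sessions": list(oacs.logged_in)}


if __name__ == "__main__":
    print(demo())
```

Two things the in-process model hides and a real deployment must supply: the backend request in step iii has to go to the campus host over TLS with the certificate checked, since that hop is what replaces the shared secret, and the campus side should keep the pending-token table small (it is bounded here by the TTL plus single use, but an unbounded table of never-redeemed tokens is a cheap way to exhaust memory).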
Posted by Cathy Sarisky on
Andrew, that does sound better, but unfortunately that was more than I could really ask of the remote admin.

This sounds like it could be implemented as an external authentication method in acs-authentication, if it isn't already.
It isn't, but I'm looking at doing so.