[development] Token-based web service authentication to core

Benson Wong tummytech at gmail.com
Wed Jan 25 07:48:52 UTC 2006


On 1/24/06, Arnab Nandi <arnabdotorg at gmail.com> wrote:
> >
> > I think you could build a Kerberos module.
> >
>
> The current popular option for most kerb + php setups I've seen (like
> one in my univ, which runs horde/imp) is to use standard auth systems
> to authenticate, and pass on HTTP headers with authentication tokens
> to the PHP script. Seems to work ok.
>
> -Arnab
>

From what I've seen Kerberos isn't a simple thing to implement. See:
http://web.mit.edu/kerberos/www/dialogue.html which is a good high
level overview of the system (and it's still a little confusing).

After reading the Kerberos link above again, it raised an interesting
issue about mutual authentication. In terms of the web service, how
can the client be sure that it's sending its credentials to the right
server? Rather than overkilling the solution, in my mod to the xml-rpc
system I made it tie into Drupal's authentication using
user_authenticate().

So web service authentication isn't much different from logging into
the website through user/login. The session key is returned and,
instead of being passed as a cookie, is passed in the URL. In terms of
security this isn't much less secure than regular PHP sessions. The
exception is the web server log files. You will probably wind up with
a lot of /xmlrpc.php?token={secret}. Not too big of a deal, unless
your server gets compromised and somebody steals the keys that are
still valid. Mind you, if they have access to your httpd logs, you
probably have bigger problems than a few compromised session keys.

Also the above would work seamlessly with HTTPS, which would be an
easy way to protect the data from sniffing.

--
blog: http://www.mostlygeek.com
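The log-exposure point above (session tokens passed as /xmlrpc.php?token={secret} end up in the httpd access log) is easy to check for and to contain. The script below is an added example, not code from the post or from Drupal: it scans constructed Apache combined-log lines, reports which query-string secrets have leaked into the log, and rewrites the request target so a log retained on disk no longer carries still-valid keys. The set of parameter names treated as secrets (`token`, `session`, `sess_id`) is an assumption; the post only names `token`.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets. Assumption for this example:
# the original post only mentions "token"; the other names are illustrative.
SECRET_PARAMS = {"token", "session", "sess_id"}

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jan/2006:07:48:52 +0000] "GET /xmlrpc.php?token=abc123def456&method=node.load HTTP/1.1" 200 512 "-" "xmlrpc-client/1.0"
10.0.0.7 - - [25/Jan/2006:07:49:10 +0000] "GET /node/1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jan/2006:07:50:01 +0000] "POST /xmlrpc.php?token=abc123def456 HTTP/1.1" 200 128 "-" "xmlrpc-client/1.0"
"""

# Matches the quoted request section of a combined-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')


def redact_target(target):
    """Return (redacted_target, leaked_values) for one request target.

    Secret query parameters keep their name but have the value replaced,
    so the log stays useful for debugging without retaining live keys.
    """
    parts = urlsplit(target)
    if not parts.query:
        return target, []
    leaked = []
    cleaned = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            leaked.append(value)
            cleaned.append((name, "REDACTED"))
        else:
            cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), leaked


def scrub_log(text):
    """Redact secret query parameters in every request line.

    Returns (scrubbed_lines, distinct_leaked_values). The leaked set is the
    detection result: each value in it is a session key that was written to
    disk and should be treated as exposed (e.g. invalidated server-side).
    """
    scrubbed = []
    leaked_values = set()
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            new_target, leaked = redact_target(match.group("target"))
            leaked_values.update(leaked)
            line = line[:match.start("target")] + new_target + line[match.end("target"):]
        scrubbed.append(line)
    return scrubbed, leaked_values


if __name__ == "__main__":
    lines, leaked = scrub_log(SAMPLE_LOG)
    print(f"{len(leaked)} distinct secret value(s) found in the log")
    for line in lines:
        print(line)
```

Run against a real access log, the `leaked` set is what you would feed to a session-invalidation step; the scrubbed lines are what you would keep. The same redaction could be applied at write time with a custom log format, but that does not help with logs already on disk, which is the case the post worries about.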