httpauth Digest Authentication

Status

• Blocked by missing core module features. See section "Blockers"
• Implementation: See core review 603

Blockers

This task is blocked since HTTP-Auth requires the server to store the md5 hash of "$username:$realm:$password" (or the password in cleartext).

• This requires a "your password has expired" feature built into G2 such that G2 can build new hashes
  • And this requires a storage for multiple hash-algorithm - password-hash pairs per user, which could be used by integrations as well

Problem

The current version of the httpauth module has a few weaknesses:

• Passwords transmitted in cleartext on every request.
• No automated logout, no session expiration.
• No distinction between active and passive authentication.
  • Active: User should be prompted for the password.
  • Passive: The browser transmits auth data on the user's behalf (e.g. a sessionId).
• Thus no real login event
• No logout mechanism - just a workaround.

Goal

Solve all the above mentioned problems by replacing the Basic authentication scheme with Digest Authentication.

With Digest authentication a nonce is associated with every HTTP-auth session. This nonce and HTTP-session have the same properties as a G2 session-id and Gallery session respectively. We can thus treat HTTP-auth the same way as normal Gallery sessions. The only difference being that the nonce is transmitted via the Authorization header while the session-id is transmitted via the Cookie header or a GET parameter.

Outline

• Use the GallerySession id as nonce.
• When sending the challenge to client, create a new GallerySession and send nonce = sessionId.
• Verify a HTTP auth request by loading the GallerySession by sessionId (nonce)
  • Reject authentication if the session has expired
  • Reject authentication if the user/password/nonce hash from the request don't match
  • Reject authentication if the username from the request does not match the userId from the loaded GallerySession.
• Always generate a new nonce (sessionId) when sending a new challenge.
  • Do not accept the same nonce for multiple authentication attempts.
• Fire login event on initial login
• Fire failed login events on failed login attempts.

Implementation Details

Sending a Digest Authentication Challenge

1. Create persistent GallerySession for anonymous user to get a nonce (sessionId)
2. Set "digest_auth_challenge" attribute as session data.
3. Send HTTP 401 response with nonce
4. Client sends response (hashes + username + echoing nonce)
5. Load GallerySession by nonce (which does an implicit session expiration check)
6. Verify hashes from authorization header.
7. Verify that either
   1. userId from session corresponds to the username from the request or
   2. session has digest_auth_challenge flag set
8. If the verification fails, delete the session and send a new challenge request
9. If the digest_auth_challenge flag is set,
   1. trigger a login event,
   2. Change the active user in the session to the username from the request and
   3. Remove the digest_auth_challenge flag from the session

Note that the cryptographic requirements are the same for the nonce and the session-id. Therefore there is no need for a nonce-sessionId map.

• Set "stale" to FALSE in challenge where we wish to see active auth (and send a new nonce)
• Set "algorithm" to "MD5" in the challenge
• Set "domain" in challenge to cookie-path (absolute URL) to ensure that responses aren't sent to non-g2 sites on the same domain
• TODO: add "qop" and "cnonce" in future

References

• http://www.ietf.org/rfc/rfc2617.txt
• http://en.wikipedia.org/wiki/Digest_access_authentication
• http://frontier.userland.com/stories/storyReader$2159
• Implementations:
  • http://www.peej.co.uk/projects/phphttpdigest.html
  • http://www.xiven.com/sourcecode/digestauthentication.php
  • http://pear.php.net/package/Auth_HTTP
• On BNF:
  • http://www.faqs.org/rfcs/rfc2234.html
  • http://www.faqs.org/rfcs/rfc822.html (Old Syntax for lists with 1#element)