[Twisted-web] Sessions and Authentication for Web2

Phil Mayers p.mayers at imperial.ac.uk
Sun Nov 27 14:31:41 MST 2005


David Reid wrote:
>>>  c) Exarkun expressed a strong (ok, mandatory) preference for the
>>>     use of tw.cred in any Authentication solution.  However, it was
>>>     noted that tw.cred does not allow for challenge-response
>>>     authentication mechanisms (which all of mine are).  Specific
>>>     examples were noted: twisted.protocols.sip, SASL, OTP
>>
>> Hmm.  How did you get this idea?  Cred's design was specifically to 
>> facilitate challenge-response authentication.  That's why login() 
>> takes credentials and returns a Deferred.  The assumption is that the 
>> credentials object will encapsulate whatever facets of the user's 
>> connection are required to do the negotiation process.
> 
> While it might be a valid assumption, there is no common public 
> interface provided to facilitate it.  Perhaps because no one knows what 
> that should look like, perhaps because no one felt it was necessary.  
> But I do believe that something like twisted.protocols.sip.IAuthorizer, 
> that allows for an arbitrary number of round trips should be in cred, 
> either the ICredentials interface should be extended (probably through a 
> subclass) or a new interface should be created.  I'm toying with some 
> ideas of how to best do this, but I don't really "get" cred so if you 
> have any requirements other than arbitrary number of round trips, let me 
> know so i can take those into account now rather than later.
> 

I've been thinking more about this and I can indeed now see a slight 
impedance mismatch that I haven't yet thought my way around. I got here 
from thinking about implementing Negotiate support using PyGSS.

Exarkun and I posted examples of how one might do arbitrary 
challenge-response by making the creds a proxy object to the protocol 
instance, and I waved my hands saying "HTTP is a bit more hard because 
of the statelessness / request-based nature of the protocol".

The best I've come up with that in theory supports >1 auth mechanism[1] 
is here:

http://deadbeefbabe.org/paste/2249

To "match" HTTP to t.cred, it seems the "credentials" *are* the HTTP 
request object (which in fact is true, given how the HTTP spec is worded 
I think?). There's then a checker that can "check" HTTP requests against 
sub-mechanisms, and if none work then one or all of them can challenge 
the request.

This seems somewhat hackish as the "checker" then has to know about 
"name: value" rfc2822-style protocol PDUs, as opposed to just the 
elements of the auth algorithm. It might be more palatable if you could 
somehow "chain" checkers - e.g. return an IDigestCreds from 
requestAvatarId, or maybe have some kind of 2-pass thing?

[FreeRadius has an interesting thing in it's "authorize" config section 
where you first pass the request through the "authorize" section to 
determine how to authenticate it (and optionally return there and then 
with challenges etc.) then pass it through just one module as defined by 
the auth-type. This will mean nothing to you unless you've seen it, but 
that's what I mean by 2-pass]

On the other hand, this is a very flexible system as it permits you to 
allow based on other portions of the request such as arbitrary headers, 
SSL cert for the TCP connection, and so on.

(Note to all: a load of the code is ripped from the t.p.sip code, so 
appropriate credit where it's due. The stateless nonce thing might be 
worth ripping though)

Comments welcome.

[1] t.w.http does not appear to allow you to set headers >1 time e.g.

WWW-Authenticate: basic realm="server.domain.com"
WWW-Authenticate: digest realm="...",foo="bar",...



More information about the Twisted-web mailing list