[PATCH] OAuth 2.0 Bearer authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 31 Jul 2014 21:29:06 +1200

RFC 6750 OAuth 2.0 Authorization Framework: Bearer Token Usage

The attached patch adds a minimal implementation of the Bearer
authentication scheme to Squid. It consists of three components:

1) Squid build system infrastructure for building Bearer authentication.

2) A testing fake-auth helper (bearer_fake_auth).

Helper which takes Bearer helper input and always returns OK.

3) Bearer authentication library ("module") for Squid.

 * implements the logic for squid.conf "Bearer" auth_param scheme and
necessary configuration options.

 * implements the helper management and API for Bearer helpers.

 * implements logic for www-auth and proxy-auth header parsing and
generating.

At present no restriction between HTTP and HTTPS is defined by Squid.
Challenges will be made for both. It is left to the client to ensure
adequate security on the connection over which it sends Bearer tokens.

 * implements helper driven TTL for token caching.

Due to significant security risks with Bearer tokens the TTL is not
configurable from squid.conf. Instead the helper is expected to provide
a ttl= parameter from the auth backend explicitly determining the time
in seconds for which each response may be cached and re-used. In the absence
of a ttl= value the helper response is treated as already expired (a nonce).
A garbage collection TTL "cleanup_interval" is configurable and removes
cache entries which have been stale for at least 1 hr.

 * uses a default token scope of "proxy:HTTP" for generic HTTP proxies

NOTES:
 * At present no web browsers implement Bearer authentication in
response to a proxy-authenticate challenge.
  - However some of the common browsers should support Bearer
authentication with reverse proxies over HTTPS (Firefox and IE
apparently, not Chrome).
  - command line tools and AJAX / XHR implementations which allow header
customisation can be scripted to support Bearer.

 * This is only a minimal implementation, emitting only the realm= and
scope= parameters to clients.
  - The key_extras mechanism can be used to pass extension client request
parameters to the Bearer helper.
  - Extension parameters in Squid responses are not supported.

 * Bearer authentication to cache_peers is not supported explicitly.
  - implicit support exists with login=PASSTHRU, which may be used to
relay Bearer tokens for SSO to multiple proxies.

Amos
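The helper-driven TTL behaviour described above (ttl= from the helper, a missing ttl= treated as an already-expired nonce, and garbage collection of entries stale for at least 1 hr), modelled as an added example; this is illustrative code, not the Squid module from the patch. It assumes the helper reply line looks like "OK ttl=300" or "ERR", a 3600 s stale limit taken from the "1 hr" in the post, and constructed token strings.

```cpp
#include <cstdint>
#include <cstdlib>
#include <map>
#include <sstream>
#include <string>

struct CacheEntry {
    bool ok;          // helper verdict: OK or not
    int64_t expires;  // absolute time (seconds) from which the reply may no longer be re-used
};

// Parse a helper reply such as "OK ttl=300" (assumed format) or "ERR".
// Without a positive ttl= the reply expires immediately: usable once, never re-used.
CacheEntry parseHelperReply(const std::string &line, int64_t now) {
    std::istringstream in(line);
    std::string verdict, kv;
    in >> verdict;
    CacheEntry e{verdict == "OK", now};  // expires == now: already stale (nonce)
    while (in >> kv) {
        if (kv.compare(0, 4, "ttl=") == 0) {
            long ttl = std::strtol(kv.c_str() + 4, nullptr, 10);
            if (ttl > 0) e.expires = now + ttl;  // malformed or non-positive ttl stays a nonce
        }
    }
    return e;
}

class BearerTokenCache {
public:
    // staleLimit mirrors the "stale for at least 1 hr" rule; cleanup_interval only decides how often cleanup() runs
    explicit BearerTokenCache(int64_t staleLimit = 3600) : staleLimit_(staleLimit) {}
    void store(const std::string &token, const std::string &helperReply, int64_t now) {
        cache_[token] = parseHelperReply(helperReply, now);
    }
    // A cached reply is re-usable only while now < expires; otherwise the helper must be asked again.
    bool lookup(const std::string &token, int64_t now, bool &ok) const {
        auto it = cache_.find(token);
        if (it == cache_.end() || now >= it->second.expires) return false;
        ok = it->second.ok;
        return true;
    }
    // Garbage collection: drop entries that have been stale for at least staleLimit_ seconds.
    size_t cleanup(int64_t now) {
        size_t removed = 0;
        for (auto it = cache_.begin(); it != cache_.end();) {
            if (now - it->second.expires >= staleLimit_) { it = cache_.erase(it); ++removed; }
            else ++it;
        }
        return removed;
    }
    size_t size() const { return cache_.size(); }
private:
    std::map<std::string, CacheEntry> cache_;
    int64_t staleLimit_;
};
```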

Received on Thu Jul 31 2014 - 09:29:37 MDT
