External authentication with GLaDOS
Opened this issue · 3 comments
Hi
I love the possibility of pluggable authentication modules in GLaDOS. I would love to use alternate authentication schemes such as OAuth or certificate-based login with GlaDOS. To achieve this, the server should support external authentication. This authentication takes configurable header lines as identification tokens and creates appropriate accounts.
I would love to create exams for not yet existing accounts/tokens. When a user logs in and an exam exists for that user, it should just behave as if a token has been provided. In my specific case I would like to log in with mod_ssl and a client cert (config may be supplied if required).
Regards
Martin
Hi Martin
The suggestion to bypass authentication to PAM is a good idea in the sense that it enables arbitrary authentication schemes. There is also a PHP package for this (http://pecl.php.net/package/PAM), but it's not supported anymore (last update 11 years ago)... OAuth was the next thing to tackle after LDAP is possible now. But you are talking about OAuth via PAM right?
Do I understand correctly that your second suggestion is authentication for students? So instead of providing a token, they provide a username and password in the dialog below (or a similar one)?
That's not supported until now, but it's a good idea. Maybe I can implement it for the next release (1.0.7/8). I will start to think about it.
The mod_ssl support is just a configuration from your webserver. To enable http via ssl, I have to point you to the documentation of apache. The configuration for glados is as follows:
If you run the system in auto discovery mode, you have to edit the avahi service file for glados in /etc/glados/glados.service. Adjust the service type and port:
<type>_https._tcp</type>
<port>443</port>
After restarting avahi, you can test that the server publishes the correct port/service with
avahi-browse -r --no-db-lookup _https._tcp
You should get some output after a while.
If you run the server in the configuration with a fixed configured IP address on the exam client, please refer to http://docs.lernstick.ch/glados/client-config.html#exam-server-with-fixed-ip-address and adjust the two lines with the port and protocol:
gladosPort=443
gladosProto="https"
This should be it. I will write a manual for this, when I find the time. Notice that you need a valid certificate from an official issuer for this to work properly. If you use a self-signed certificate it gets much more complicated to propagate the trust chain to the client/into the exam.
I hope that helps.
Regards
Roman
Hi Roman
You got it pretty much. Sorry for not being more precise. mod_ssl offers more than "just encryption". With mod_ssl you may specify authentication of clients based on certificates. When provided with such a certificate the student should be offered all currently available tokens so that he may select an exam to be taken.
Additional references may be found under here or here.
I would rather not go and implement all authentication schemes separately. Instead I would go for "external" authentication which opens all possibilities of available NGINX/Apache plugins. The trick is: The web server does the authentication and just sets the authenticated username into a header field. The application simply trusts this header. As the authentication header may vary from plugin to plugin so a mechanism is needed to configure the header used for mapping a user.
Was that better?
Regards
Martin
Hi Martin
Thanks for your clarifications. I see what you want to achieve and I made some tests and thoughts. I was able to set up an Apache with client certificate authentication and I successfully receive the environment variables set by Apache for the request as you mentioned. Here you see an example output:
The key thing might be this:
So generally it should be possible to read out the identity from the certificate (respectively use one of the keys as the username), and then login the user by trusting this certificate (validated by apache mechanisms) using the value of the `SSL_CLIENT_VERIFY` environment variable.
One thing that we have to think about is how to decide what role in glados the user should be in after login. There are currently two roles (`admin` and `teacher`). With this, we might need another role called `student` (which has only the permission to download assigned exams). I think the role of the user should also be provided in the certificate (again as a key called `role` or so). Another option is that the server could query an external source (such as an ldap server) for the role mapping.
Regarding the "external" authentication, this is pretty much the same procedure, I guess. Just that the environment variable name for the authenticated user may be different, but I have not tried that so far to see an actual example. Nonetheless I think that the same question arises, that is how to implement a mechanism to determine the user's role in glados.
Regards
Roman
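The app-side half of the scheme discussed above (the web server authenticates, the application trusts what the server set) as an added illustration; this is not GLaDOS code and not Roman's test setup. It assumes Apache with mod_ssl and `SSLOptions +StdEnvVars`, so `SSL_CLIENT_VERIFY`, `SSL_CLIENT_S_DN` and `SSL_CLIENT_S_DN_CN` come from the server environment, and it assumes (as Roman suggests) that the role is carried in a certificate field, here the `OU` attribute.

```python
"""Trusted-header / mod_ssl login check for an app behind Apache.
Added example, not part of the GLaDOS project."""
import re

# Roles from the thread; "student" is the proposed third role.
KNOWN_ROLES = {"admin", "teacher", "student"}

# The variable names differ between modules (mod_ssl, an OAuth module,
# REMOTE_USER from another plugin), so they are configurable. These
# defaults are assumptions for the mod_ssl case.
DEFAULT_CONFIG = {
    "verify_var": "SSL_CLIENT_VERIFY",   # must be exactly "SUCCESS"
    "identity_var": "SSL_CLIENT_S_DN_CN",  # used as the username
    "dn_var": "SSL_CLIENT_S_DN",         # full subject DN
    "role_attr": "OU",                   # assumed: role lives in OU
}


def dn_attribute(dn, attr):
    """Extract one attribute from an OpenSSL-style DN such as
    '/C=CH/O=School/OU=teacher/CN=martin'. Returns None if absent."""
    match = re.search(r"/%s=([^/]+)" % re.escape(attr), dn)
    return match.group(1) if match else None


def external_login(server_vars, config=DEFAULT_CONFIG):
    """Return (username, role) for a request the web server has already
    authenticated, or None if it must not be trusted.

    `server_vars` models the environment Apache hands to the app.
    Client-supplied HTTP headers appear there with an HTTP_ prefix, so a
    header named SSL_CLIENT_VERIFY sent by a client becomes
    HTTP_SSL_CLIENT_VERIFY and never matches the configured variable.
    """
    # mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:<reason>;
    # only SUCCESS means the chain validated against the configured CA.
    if server_vars.get(config["verify_var"]) != "SUCCESS":
        return None
    username = server_vars.get(config["identity_var"])
    if not username:
        return None
    role = dn_attribute(server_vars.get(config["dn_var"], ""), config["role_attr"])
    if role not in KNOWN_ROLES:
        return None  # unknown or missing role: refuse rather than guess
    return username, role
```

If the app sits behind a separate reverse proxy instead of in-process Apache, the proxy must strip any incoming copy of the identity header before forwarding, otherwise the same trust relationship can be abused.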