Hi all,
With support for AJP becoming scarce, there has been a need to get information from an Apache httpd to a backend server (Tomcat, etc.) in a secure way.
The following patch introduces two new modules:
- mod_auth_bearer: This provides bearer authentication, as described in RFC6750. A token can be received by Apache httpd, and accepted if recognised, and in addition a token can be generated by httpd, and sent to a backend server. This allows the details of a digital certificate to be passed securely to the backend, when the digital certificate has been terminated by httpd.
- mod_autht_jwt: RFC6750 does not mandate the type of token used; it can be anything. One such token supported is JWT, as implemented in mod_autht_jwt. We can verify incoming JWT tokens, and we can sign outgoing JWT tokens today using HS256, with more algorithms to come.
We introduce a new type of auth module: autht for authenticating tokens. A token can carry usernames, or IP addresses, or any metadata that might subsequently be used by authn or authz.
We depend on apr_jose support in apr-util v1.7, which in turn depends on secure apr_json support, and apr_crypto hashing functions.
This work (in APR and httpd) has been sponsored by NLNet as part of the Redwax Project at https://redwax.eu.
Example configuration to accept a token:
AuthType bearer
AuthName example-name
AuthBearerProvider jwt
AuthtJwtVerify hs256 file /Users/minfrin/src/apache/sandbox/proxy/conf/secret
Require valid-user
Example configuration to send a token to a proxy backend:
AuthBearerProxy %{JWT_TOKEN}
AuthtJwtClaim set sub %{REMOTE_USER}
AuthtJwtSign hs256 file /Users/minfrin/src/apache/sandbox/proxy/conf/secret
Work still to be done includes porting this to trunk, as well as documenting it properly. This will follow.
Regards,
Graham
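To make concrete what the two configurations above amount to on the wire, here is an added example (not part of the post, and not the code of mod_auth_bearer or mod_autht_jwt) that mints and verifies an HS256 JWT the way the "sign" and "verify" sides would: the issuing side sets the sub claim from the authenticated user, the accepting side pins the algorithm to HS256, checks the HMAC with a constant-time compare, and honours an exp claim. The secret is a constructed in-memory value standing in for the shared secret file named in the AuthtJwtSign/AuthtJwtVerify directives; the function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; stands in for the file given to
# "AuthtJwtSign hs256 file ..." and "AuthtJwtVerify hs256 file ..."
# (assumption for this example, not the module's own handling).
SECRET = b"constructed-shared-secret-for-demo-only"


def _b64url_encode(data: bytes) -> str:
    # JWS uses unpadded base64url (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS (JWT) with alg=HS256 over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Verify an HS256 token and return its claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side: the token must not be allowed to
    # pick its own (this rejects "none" and algorithm-confusion attempts).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + claims_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison of the MAC
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_valid_hs256(token: str, secret: bytes, now=None) -> bool:
    """Boolean wrapper around verify_hs256 for callers that only need accept/reject."""
    try:
        verify_hs256(token, secret, now=now)
        return True
    except ValueError:
        return False


def issue_for_user(remote_user: str, secret: bytes, ttl: int = 300, now=None) -> str:
    """Front-end side: the equivalent of 'AuthtJwtClaim set sub %{REMOTE_USER}'
    followed by signing; an expiry is added so a leaked token has a short life."""
    now = time.time() if now is None else now
    return sign_hs256({"sub": remote_user, "iat": int(now), "exp": int(now) + ttl}, secret)


def remote_user_from_token(token: str, secret: bytes, now=None) -> str:
    """Backend side: accept the bearer token and recover the user it carries."""
    return verify_hs256(token, secret, now=now)["sub"]


if __name__ == "__main__":
    tok = issue_for_user("alice", SECRET)
    print("Authorization: Bearer " + tok)
    print("backend sees REMOTE_USER =", remote_user_from_token(tok, SECRET))
```

The verifier rejecting any alg other than the one it was configured with is the important design point: the sign side and the verify side agree on the algorithm out of band (as the hs256 keyword in both directives does), so the header is only checked for consistency, never trusted to select the key or algorithm.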