[undertow-dev] AuthenticationMechanism, ChallengeResult and Response Code
Darran Lofthouse
darran.lofthouse at jboss.com
Fri Dec 20 05:44:51 EST 2013
Thanks for the clarification Bill.
So in your case we know in advance that there is a single mechanism
which should be the only mechanism sending challenges and at least one
more mechanism that can perform the authentication without the need to
send challenges.
I am just wondering for this scenario if we can handle this better
during registration of the mechanisms rather than at runtime processing
a request.
Regards,
Darran Lofthouse.
On 20/12/13 00:12, Bill Burke wrote:
>
> On 12/19/2013 12:13 PM, Darran Lofthouse wrote:
>> Coming back to this topic ;-)
>>
>> The reasons I believe it is the authenticate method that should signal a
>> mechanism wants exclusivity in sending a challenge are: -
>>
>> 1 - This method already returns one of three values to indicate it's
>> authentication state, adding one more value to indicate that a mechanism
>> has started authentication but wants exclusivity would fit with this.
>>
>> 2 - The mechanism doesn't need to be first just to be able to request
>> exclusivity - also not going to cause a complication if another
>> mechanism had added it's challenge as that would not be able to happen.
>>
>> 3 - In general we should try and avoid writing mechanism that only work
>> alone (depending on various constraints), having a sendChallenge that
>> always requested exclusivity would go against this - whereas a mechanism
>> detecting it wants exclusivity in the authenticate stage would be valid
>> as remaining mechanisms would still be usable for the times it does not
>> request exclusivity.
>>
>
> #3 just doesn't work for me.
>
> I have two mechanisms for keycloak:
>
> A) Bearer token mechanism that uses the Authorization header and
> challenges with a 401 and WWW-Authenticate
> B) OAuth browser redirection mechanism, that challenges with a 302 and a
> Location header. This is a redirect to the authentication server where
> it will display a login form.
>
> Mechanism (B) will not ever request exclusivity during the authenticate
> phase because keycloak also allows for (A) in the same deployment.
> Mechanism (B) will not ever be able to challenge if it can't set a 302
> response code. I worry that if other mechanisms add WWW-Authenticate
> headers to a 302 response, it may confuse the user-agent, but this worry
> might be bogus.
>
> So, I don't agree with #3's statement that "having sendChallenge that
> always requested exclusivity would go against this". Mechanism (B)
> works with a other mechanisms as long as the user-agent is doing
> preemptive authentication.
>
> Whether Keycloak is successful or not is besides the point. The use
> case where an auth mechanism needs to redirect to another machine to
> display a login form is a valid one.
>
>
> Bill
>
More information about the undertow-dev
mailing list