On Thu, 2015-02-19 at 15:36 +0100, Nikos Mavrogiannopoulos wrote:
> On Thu, Feb 19, 2015 at 12:09 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> > On Thu, 2015-02-19 at 10:06 +0100, Nikos Mavrogiannopoulos wrote:
> >> Note that I've not generalized authentication outside spnego, mainly intentionally as I have no way to test it.
> > I really do want to see that generalised. It's not so hard to test it. Just have a completely unrelated URL elsewhere which requires authentication of whatever kind, and when you've authenticated you get an HTTP redirect to the real ocserv URL.
> > Not only will that allow us to test other auth methods, it'll also allow us to test the case of authenticating with GSSAPI to more than one server -- which might happen in load-balancing scenarios.
> The latter is orthogonal to the first one. For the latter we need to support alternative keytab.

No, I don't think so. It's the same TGT, just different target servers. Consider the case where I authenticate with HTTP to server ocserv1.example.com only to receive an HTTP redirect to ocserv2.example.com which *also* wants me to authenticate. It's mostly just a case of resetting the authenticator state at the right time, when we're redirected to a new host.

> For the first we need to add support for the headers of the other authentication methods. I could do the latter, but I'm really not inclined to spend time for the former. It is not easy to implement and test (for me at least) and I have no use case for it.

This shouldn't require duplicating effort. The problem is that you haven't modelled your SPNEGO support around what we already have. Take a look at the retry loop in process_http_proxy(). I would prefer the HTTP authentication to look similar to that: where you currently detect WWW-Authenticate: headers in process_http_response(), make that look more like the proxy_hdrs() function.

When do_https_request() sees a 401 response, make it jump back to the redirect: label to try again. And add something akin to the if(auth) part of process_http_proxy(), which will attempt to generate an Authorization: header, and fail the request if all the auth options have been exhausted. If you actually make *use* of the code which I'd already designed to be fairly generic, rather than doing things differently, this should be fairly easy.

-- 
dwmw2
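The two behaviours argued for in this message, resetting the authenticator state when a redirect lands on a different host and failing the request once every offered auth method has been tried, can be modelled as a small state machine. The following is a constructed sketch added here for illustration; it is not openconnect's code, and the function names, the minimal WWW-Authenticate parsing, the method preference order and the ocserv1/ocserv2 scenario are all assumptions rather than anything the project implements.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not openconnect's code) of the 401/redirect retry
 * loop: auth state is per host, a redirect to a new host resets it, and a
 * 401 either picks an untried method the server offers or gives up. */

enum auth_method { AUTH_NONE = 0, AUTH_NEGOTIATE, AUTH_DIGEST, AUTH_BASIC, AUTH_COUNT };
enum action { ACT_DONE, ACT_FOLLOW_REDIRECT, ACT_RETRY_WITH_AUTH, ACT_FAIL };

struct auth_state {
    char host[128];          /* host this authenticator state belongs to */
    int tried[AUTH_COUNT];   /* methods already attempted against that host */
};

void reset_auth_state(struct auth_state *st, const char *host)
{
    memset(st, 0, sizeof *st);
    strncpy(st->host, host, sizeof st->host - 1);
}

static int ieq(const char *a, const char *b)   /* case-insensitive equality */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Bitmask of schemes offered in a WWW-Authenticate value such as
 * "Negotiate, Basic realm=\"vpn\"" (assumed simplified parsing). */
unsigned parse_www_authenticate(const char *hdr)
{
    static const struct { const char *name; enum auth_method m; } schemes[] = {
        { "Negotiate", AUTH_NEGOTIATE }, { "Digest", AUTH_DIGEST }, { "Basic", AUTH_BASIC },
    };
    unsigned offered = 0;
    char buf[256] = { 0 };
    strncpy(buf, hdr ? hdr : "", sizeof buf - 1);
    for (char *tok = strtok(buf, " ,"); tok; tok = strtok(NULL, " ,"))
        for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
            if (ieq(tok, schemes[i].name)) offered |= 1u << schemes[i].m;
    return offered;
}

/* Strongest offered method not yet tried against this host, or AUTH_NONE. */
enum auth_method choose_method(const struct auth_state *st, unsigned offered)
{
    static const enum auth_method pref[] = { AUTH_NEGOTIATE, AUTH_DIGEST, AUTH_BASIC };
    for (size_t i = 0; i < 3; i++)
        if ((offered & (1u << pref[i])) && !st->tried[pref[i]]) return pref[i];
    return AUTH_NONE;
}

/* One step after each response. location_host comes from a Location:
 * header (redirects), www_auth from WWW-Authenticate (401). On
 * ACT_RETRY_WITH_AUTH, *chosen is the method to build Authorization: with. */
enum action handle_response(struct auth_state *st, const char *host, int status,
                            const char *location_host, const char *www_auth,
                            enum auth_method *chosen)
{
    if (strcmp(st->host, host) != 0)      /* new target server: same TGT, fresh state */
        reset_auth_state(st, host);
    if (status >= 300 && status < 400 && location_host)
        return ACT_FOLLOW_REDIRECT;       /* caller loops back with the new host */
    if (status == 401) {
        enum auth_method m = choose_method(st, parse_www_authenticate(www_auth));
        if (m == AUTH_NONE) return ACT_FAIL;   /* all offered methods exhausted */
        st->tried[m] = 1;
        *chosen = m;
        return ACT_RETRY_WITH_AUTH;
    }
    return status == 200 ? ACT_DONE : ACT_FAIL;
}

/* Constructed scenario from the thread: ocserv1 demands Negotiate, redirects
 * to ocserv2, which demands Negotiate again. Returns Authorization attempts
 * made before success, or -1 if the loop gave up. */
int two_server_scenario(void)
{
    struct auth_state st; enum auth_method m; int n = 0;
    reset_auth_state(&st, "ocserv1.example.com");
    if (handle_response(&st, "ocserv1.example.com", 401, NULL, "Negotiate", &m) != ACT_RETRY_WITH_AUTH) return -1;
    n++;
    if (handle_response(&st, "ocserv1.example.com", 302, "ocserv2.example.com", NULL, &m) != ACT_FOLLOW_REDIRECT) return -1;
    /* Without the per-host reset, Negotiate would count as already tried here. */
    if (handle_response(&st, "ocserv2.example.com", 401, NULL, "Negotiate", &m) != ACT_RETRY_WITH_AUTH) return -1;
    n++;
    return handle_response(&st, "ocserv2.example.com", 200, NULL, NULL, &m) == ACT_DONE ? n : -1;
}

/* Same host keeps answering 401: Negotiate, then Basic, then give up.
 * Returns the number of retries issued before ACT_FAIL. */
int exhaustion_scenario(void)
{
    struct auth_state st; enum auth_method m; int n = 0;
    reset_auth_state(&st, "ocserv1.example.com");
    while (handle_response(&st, "ocserv1.example.com", 401, NULL, "Negotiate, Basic realm=\"vpn\"", &m) == ACT_RETRY_WITH_AUTH)
        n++;
    return n;
}

int main(void)
{
    printf("two-server attempts: %d, retries before exhaustion: %d\n",
           two_server_scenario(), exhaustion_scenario());
    return 0;
}
```

The second scenario shows the "fail when exhausted" branch: once Negotiate and Basic have both been tried against the same host, choose_method() has nothing left and the loop stops instead of re-sending the same Authorization: header forever.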