RFC 6750 OAuth 2.0 Authorization Framework: Bearer Token Usage

[yadij]

Adds a minimal implementation of Bearer authentication scheme to
Squid. It consists of three components:

1. Squid build system infrastructure for building Bearer
   authentication module and helpers.

2. Bearer authentication library ("module") for Squid.

• implements the logics for squid.conf "Bearer" auth_param
  scheme and necessary configuration options.

• implements the helper management and API for Bearer helpers.

• implements logics for www-auth and proxy-auth header parsing
  and generating.

3. An authentication helper which takes Bearer tokens needs to
   be implemented. No helpers are provided in this update.

At present no restriction between HTTP and HTTPS is defined by
Squid. Challenges will be made for both. Admin can configure
the protocol restriction on scheme challenges using auth_schemes
directive. Otherwise it is left to the client to ensure adequate
security on the connection it sends Bearer tokens.

• implements helper driven TTL for token caching.

Due to significant security risks with Bearer tokens the TTL is
not configurable from squid.conf. Instead the helper is expected
to provide a ttl= parameter from the auth backend explicitly
determining the time in seconds for which each response may be
cached and re-used. In absence of ttl= value the helper response
is treated as already expired (a nonce).

• uses a default token scope of "proxy:HTTP" for generic HTTP
  proxies

NOTES:

• At present no web browsers implement Bearer authentication in
  response to a proxy-authenticate challenges. However some of
  the common browsers should support Bearer with reverse
  proxies over HTTPS (Firefox and IE apparently, not Chrome).

  • command line tools and AJAX / XHR implementations which
    allow header customization can be scripted to support
    Bearer.

• This is only a minimal implementation, emitting only the
  realm= and scope= parameters to clients.

  • The key_extras mechanism can be used to pass extension
    client request parameters to the Bearer helper.
  • Extension parameters in Squid responses is not supported.

• Bearer authentication to cache_peers is not supported
  explicitly.

  • implicit support exists with login=PASSTHRU, which may be
    used to relay Bearer tokens for SSO to multiple proxies.

[yadij]

Status update: The branch has been updated, based on latest v7. It builds.

TODO:

• testing that it works as intended.

[yadij]

This PR is blocked on PR #774 as mentioned in #30 (comment)