RFC 6750 OAuth 2.0 Authorization Framework: Bearer Token Usage #30
Open
yadij wants to merge 2 commits into squid-cache:master from
rousskov reviewed Jul 25, 2017
rousskov reviewed Aug 1, 2017
rousskov requested changes Aug 5, 2017
rousskov requested changes Aug 5, 2017
Contributor, Author:
Status update: The branch has been updated, based on latest v7. It builds. TODO:
Contributor, Author:
This PR is blocked on PR #774 as mentioned in #30 (comment)
Adds a minimal implementation of Bearer authentication scheme to
Squid. It consists of three components:

1. Squid build system infrastructure for building Bearer
   authentication module and helpers.
2. Bearer authentication library ("module") for Squid.
   - implements the logic for squid.conf "Bearer" auth_param
     scheme and necessary configuration options.
   - implements the helper management and API for Bearer helpers.
   - implements logic for www-auth and proxy-auth header parsing
     and generating.

be implemented. No helpers are provided in this update.
At present no restriction between HTTP and HTTPS is defined by
Squid. Challenges will be made for both. Admin can configure
the protocol restriction on scheme challenges using auth_schemes
directive. Otherwise it is left to the client to ensure adequate
security on the connection it sends Bearer tokens.
Due to significant security risks with Bearer tokens the TTL is
not configurable from squid.conf. Instead the helper is expected
to provide a ttl= parameter from the auth backend explicitly
determining the time in seconds for which each response may be
cached and re-used. In absence of ttl= value the helper response
is treated as already expired (a nonce).
proxies
NOTES:
At present no web browsers implement Bearer authentication in
response to a proxy-authenticate challenge. However some of
the common browsers should support Bearer with reverse
proxies over HTTPS (Firefox and IE apparently, not Chrome).
allow header customization can be scripted to support
Bearer.
This is only a minimal implementation, emitting only the
realm= and scope= parameters to clients.
client request parameters to the Bearer helper.
Bearer authentication to cache_peers is not supported
explicitly.
used to relay Bearer tokens for SSO to multiple proxies.
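
The ttl= rule from the description above, as an added example that is not code from this pull request or from Squid: a helper reply is reused only for the number of seconds the helper states, and a reply without a usable ttl= is never cached. The reply line format (space-separated key=value fields) and the names `parseTtl` and `TokenCache` are assumptions made for illustration.

```cpp
#include <cerrno>
#include <chrono>
#include <climits>
#include <cstdlib>
#include <sstream>
#include <string>
#include <unordered_map>
typedef std::chrono::steady_clock Clock;

// Constructed reply format (assumption): space-separated key=value fields.
// A missing, malformed, negative or out-of-range ttl= yields 0 (expired).
std::chrono::seconds parseTtl(const std::string &reply) {
    std::istringstream in(reply);
    std::string field;
    while (in >> field) {
        if (field.compare(0, 4, "ttl=") != 0)
            continue;
        const char *begin = field.c_str() + 4;
        char *end = nullptr;
        errno = 0;
        const long secs = std::strtol(begin, &end, 10);
        const bool valid = end != begin && *end == '\0' && errno != ERANGE && secs >= 0 && secs <= INT_MAX;
        return std::chrono::seconds(valid ? secs : 0);
    }
    return std::chrono::seconds(0);
}

// Hypothetical cache: keeps a helper reply only for the helper-supplied TTL.
class TokenCache {
    struct Entry { std::string reply; Clock::time_point expires; };
    std::unordered_map<std::string, Entry> entries_;
public:
    // Returns true if cached; a zero TTL (nonce) is never stored.
    bool store(const std::string &token, const std::string &reply, Clock::time_point now) {
        entries_.erase(token); // a fresh verdict replaces any older one
        const std::chrono::seconds ttl = parseTtl(reply);
        if (ttl.count() == 0) return false;
        entries_[token] = Entry{reply, now + ttl};
        return true;
    }
    // Returns the cached reply, or nullptr once absent or expired.
    const std::string *lookup(const std::string &token, Clock::time_point now) {
        auto it = entries_.find(token);
        if (it == entries_.end()) return nullptr;
        if (now < it->second.expires) return &it->second.reply;
        entries_.erase(it); // drop the expired token from memory
        return nullptr;
    }
};
```
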