Manpage
mod_auth_ticket - lighttpd auth module to protect whole-server using external SSO (OpenID, OAuth, ...)
=== in lighttpd.conf ===
server.modules += ("mod_auth_ticket")
$HTTP["url"] =~ "^/path/to/protect" {
    auth-ticket.override = 2                        # see description
    auth-ticket.timeout  = 86400                    # auth token expiration period (seconds)
    auth-ticket.key      = "sharedsecret.passwd"    # secret to be shared with the "authurl" page
    auth-ticket.name     = "AuthByPasswd"           # cookie to be shared with the "authurl" page
    auth-ticket.options  = "path=/; httponly;"      # any cookie attributes
    auth-ticket.authurl  = "/path/to/logon-relay-page"
}
For a full description, please read the attached README.
=== auth-ticket.name ===
Cookie name to use. This cookie is first created by the "authurl" page; the browser is then redirected back to MAT carrying it, which is how the SSO auth result is delivered.
=== auth-ticket.key ===
Secret key used to encrypt/decrypt/sign/verify cookie data between the "authurl" page and MAT. Any string of any length will do.
The actual encryption/signing scheme is selected in the "authurl" page (there are several cookie formats you can choose to generate).
=== auth-ticket.override ===
Controls how browser-supplied auth info will be handled. There are 3 cases:
Case #1: auth-ticket.override = 0
- If supplied by the browser, the "Authorization:" header is used instead of the MAT cookie.
- Use case: if you dual-protect your site with (locally provided) BasicAuth and (externally provided) SSO, you can give BasicAuth the higher priority by specifying this mode.
Case #2: auth-ticket.override = 1
- Also a dual-protected mode, but gives the MAT cookie the higher priority.
Case #3: auth-ticket.override = 2
- This is a MAT-only mode. The incoming "Authorization:" header is ignored, and MAT will not fall back to BasicAuth even if MAT auth has failed. This is the recommended default.
=== auth-ticket.authurl ===
Redirection URL in case of authentication failure.
This page needs to work as a bridge between MAT and your chosen SSO scheme, so you need to place your custom page at this URL. For an example of such a page, see the files under the demo/ folder.
If this page is not specified, no redirection will occur. This is the same as allowing anonymous access, which is useful in some use cases (such as a semi-public Wiki).
=== auth-ticket.timeout ===
Sets the lifetime of the issued ticket.
Note that the cookie issued by the "authurl" page is used only once and is immediately replaced by a MAT-issued ticket (a randomly generated token). This parameter specifies the lifetime of the MAT-issued ticket.
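The override precedence described above and the one-shot exchange of the "authurl" cookie for a MAT-issued ticket (bounded by auth-ticket.timeout) can be modelled in a few lines. The following Python is an added reference model written for this page, not the module's own C code: TicketStore, decide and handle_request are hypothetical names, and how the "authurl" cookie itself is verified (the key/format choice) is deliberately out of scope.

```python
# Added reference model of the documented mod_auth_ticket (MAT) behaviour:
# the three auth-ticket.override modes, the fallback to "authurl", and the
# MAT-issued random ticket with an auth-ticket.timeout lifetime.
# Illustration written for this page, not the module's own code; all names
# below are hypothetical.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

OVERRIDE_PREFER_BASIC = 0   # Authorization: header wins when present
OVERRIDE_PREFER_TICKET = 1  # MAT cookie wins, BasicAuth is the fallback
OVERRIDE_TICKET_ONLY = 2    # recommended default: Authorization: ignored


class TicketStore:
    """Server-side table of MAT-issued tickets: random token -> (user, expiry).

    The cookie produced by the "authurl" page is consumed once; what the
    browser keeps afterwards is the random token issued here."""

    def __init__(self, timeout: int, now: Callable[[], float] = time.time):
        self.timeout = timeout      # auth-ticket.timeout, in seconds
        self.now = now              # injectable clock so expiry can be tested
        self._tickets: Dict[str, Tuple[str, float]] = {}

    def issue(self, user: str) -> str:
        """Replace an already-verified authurl cookie with a fresh random ticket."""
        token = secrets.token_urlsafe(32)   # unguessable; not derived from the user
        self._tickets[token] = (user, self.now() + self.timeout)
        return token

    def lookup(self, token: Optional[str]) -> Optional[str]:
        """Return the user of a live ticket, or None if unknown or expired."""
        entry = self._tickets.get(token) if token else None
        if entry is None:
            return None
        user, expires = entry
        if self.now() >= expires:
            del self._tickets[token]    # expired tickets are dropped eagerly
            return None
        return user


@dataclass
class Decision:
    action: str                      # "allow", "basic_auth" or "redirect"
    user: Optional[str] = None       # None on "allow" means anonymous access
    location: Optional[str] = None   # Location: target for "redirect"


def decide(override: int, ticket_user: Optional[str],
           has_authorization: bool, authurl: Optional[str]) -> Decision:
    """Apply the documented override semantics to one request."""
    if override == OVERRIDE_PREFER_BASIC and has_authorization:
        # Case #1: a supplied Authorization: header takes precedence;
        # hand the request to lighttpd's BasicAuth instead of MAT.
        return Decision("basic_auth")

    if ticket_user is not None:
        # Valid MAT ticket (case #1 without a header, cases #2 and #3).
        return Decision("allow", user=ticket_user)

    if override == OVERRIDE_PREFER_TICKET and has_authorization:
        # Case #2: ticket failed, but the dual-protected mode still
        # falls back to BasicAuth.
        return Decision("basic_auth")

    # Ticket missing/expired and no BasicAuth fallback (always so in case #3).
    if authurl:
        return Decision("redirect", location=authurl)
    return Decision("allow")        # no authurl configured: anonymous access


def handle_request(store: TicketStore, cookie_name: str, cookies: Dict[str, str],
                   has_authorization: bool, override: int,
                   authurl: Optional[str]) -> Decision:
    """Glue: read the MAT cookie by its configured name (auth-ticket.name), then decide."""
    ticket_user = store.lookup(cookies.get(cookie_name))
    return decide(override, ticket_user, has_authorization, authurl)


if __name__ == "__main__":
    # Constructed walk-through using the directive values from the sample config.
    store = TicketStore(timeout=86400)
    token = store.issue("alice")    # the authurl page has just verified "alice"
    jar = {"AuthByPasswd": token}
    print(handle_request(store, "AuthByPasswd", jar, True,
                         OVERRIDE_TICKET_ONLY, "/path/to/logon-relay-page"))
    print(handle_request(store, "AuthByPasswd", {}, True,
                         OVERRIDE_TICKET_ONLY, "/path/to/logon-relay-page"))
```

The model makes the operational point of mode 2 visible: a stale or missing ticket always ends in a redirect to authurl (or anonymous access when authurl is unset), and a presented "Authorization:" header never rescues the request.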
=== auth-ticket.options ===
Any other attributes you want to include in the cookie.
=== loglevel ===
Sets the log level. Currently supported levels are: 0 (FATAL), 1 (ERROR), 2 (WARN), 3 (INFO), 4 (DEBUG). If you set this to DEBUG, some sensitive information (username, issued token) will be logged (but the password will not be logged; it is impossible to log one anyway).
Copyright 2010-2011. All rights reserved.
This product is free software; you can redistribute it and/or modify it under the same terms as lighttpd itself.