WebAuth musings

So far, so good with time management. I think I've gotten more done in the past four days than I normally get done in two weeks. It's kind of scary, really. There is a bit of a bulldozer effect happening, where my to-do list gets longer and longer because I'm pushing things back to the next day, but I'm starting to think that was just an initial effect. There were so many things on my plate that needed dealing with, and when I jumpstarted the to-do list, I wrote them all down at once.

Tomorrow, the list will start smaller than it started today (although not by that much). Most notably, though, it's short a few major, long-duration items. We'll see if it straightens up over time.

The last task of this afternoon was writing up a more thorough specification for the WebAuth weblogin script. That got me thinking about the future of WebAuth, particularly since Cosign is looking nicer and nicer. I keep thinking maybe we should switch, but on the other hand we have such a strong investment in WebAuth. So, I instead started thinking about how I could implement Cosign's site-wide logout feature.

WebAuth supports arbitrary authentication types and arbitrary tokens. This means that I could add a Cosign-style authenticator that's just a session ID for a ticket cache stored on the weblogin server and hand out corresponding id and proxy tokens. When the application server gets an id token of this sort, it could know it has to ping the central server for each request to verify the user is still logged in. It can also use such IDs as proxy tokens when appropriate.

The hard part, of course, is the state maintenance. That's where the Cosign folks have put a lot of work into this. The daemons on the weblogin servers need to communicate state information to each other and deal with crashes, network partitions, and similar problems robustly.

If I implemented this sort of scheme, I think it almost has to be a big switch on the WebKDC to either use one style or the other. Although... you can use a Cosign-style single sign-on authenticator and still use WebAuth-style application authenticators if you want to, since the WebKDC has access to the ticket cache and can cobble up whatever it needs. That's rather interesting. Although to support site-wide logout, you may want to force use of central ticket caches as site-wide policy.

Anyway, I think this is actually doable, and except for all the state maintenance and replication on the WebKDC, not actually that much work. It's a long-term thing, but if we can also get funding to do real Windows WebAuth, that eliminates much of the reason to switch to Cosign.

Writing the Windows WebAuth proposal is a task for either tomorrow or early next week, I think.

Posted: 2006-03-09 20:33 — Why no comments?

Last spun 2013-07-01 from thread modified 2013-01-04