Using OpenID for local web application authentication

December 22, 2009

We have a problem, and that problem is authentication. In a not uncommon pattern, we have a central set of core services, run by a core group; email, fileservers, the login servers, and so on. Then we have a bunch of other people who want to build various web applications, ranging from departmental things all the way down to graduate students putting together projects.

Many of these web applications need accounts and authentication. The natural and best logins and passwords to use are people's existing departmental accounts, because who wants to force people to remember another password? However, for obvious reasons we're in no position to give our Unix password file out to people in general; we use shadow files for a reason, after all. Ideally we would like to not even give them out for departmental web applications.

At a conceptual level, what we need is some sort of authentication service. It's easy to build something that takes a plaintext password and login and gives you a yes or no answer (in fact, given IMAP people can build one themselves), but this has two drawbacks. First, we'd like the service not to be a mass password guessing service too, and second, we'd ideally like web applications to never even deal with those departmental passwords, so that we don't have to worry about people's applications mis-handling them.

For a while I have been thinking that OpenID could be the solution to this problem. It should be simple to create an OpenID provider that authenticates users against our Unix password file, and expose it as, say, 'openid.cs/~<user>/'. Authors of local web apps would then have a simple way of authenticating people; essentially they would get access to our departmental logins for free, in a way that means we don't have to worry about their application and system security, or try to get approval for sharing selected encrypted shadow passwords with them.
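One way a local web application would consume such a provider's answer, as an added example that is not the post's own code or any particular library's: it assumes OpenID 2.0 association signatures (HMAC-SHA256 over the key-value form of the fields named in openid.signed), an identity URL of the form https://openid.cs/~<user>/ following the post's pattern, and constructed values for the association key, handle and return_to URL. The point it shows is that the app only ever handles a signed assertion and a replay nonce, never the departmental password.

```python
# Added example (not from the post): relying-party check of an OpenID 2.0
# positive assertion. Key, handle and URLs below are constructed sample values.
import base64
import hashlib
import hmac

MAC_KEY = b"constructed-association-secret-not-for-real-use"
ASSOC_HANDLE = "assoc-constructed-1"
RETURN_TO = "https://app.cs/login/return"

def kv_form(params, signed):
    """OpenID key-value form: 'key:value\\n' for each signed field, in order."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()

def sign(params, mac_key):
    """HMAC-SHA256 over the key-value form of the signed fields, base64-encoded."""
    return base64.b64encode(hmac.new(mac_key, kv_form(params, params["openid.signed"].split(",")), hashlib.sha256).digest()).decode()

def provider_assertion(user, nonce, mac_key):
    """What the provider redirects back after a successful Unix login; no password in it."""
    p = {
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://openid.cs/server",
        "openid.claimed_id": f"https://openid.cs/~{user}/",  # URL pattern from the post
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": "op_endpoint,claimed_id,return_to,response_nonce,assoc_handle",
    }
    p["openid.sig"] = sign(p, mac_key)
    return p

def verify(params, mac_key, seen_nonces):
    """Return the claimed identity URL if the assertion is genuine, else None; seen_nonces is the app's replay cache."""
    signed = params.get("openid.signed", "").split(",")
    required = ("op_endpoint", "claimed_id", "return_to", "response_nonce", "assoc_handle")
    if params.get("openid.mode") != "id_res" or any(f not in signed for f in required):
        return None
    if params.get("openid.assoc_handle") != ASSOC_HANDLE or params.get("openid.return_to") != RETURN_TO:
        return None
    try:
        expected = sign(params, mac_key)
    except KeyError:  # a field listed in openid.signed is absent from the response
        return None
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return None
    if params["openid.response_nonce"] in seen_nonces:
        return None  # replay of an assertion we already accepted once
    seen_nonces.add(params["openid.response_nonce"])
    return params["openid.claimed_id"]
```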

(And who knows, a departmental OpenID identity might turn out to be more generally useful; people might want to use it when dealing with outside websites that use OpenID, if there are very many.)

I suspect that it's simpler to integrate (restricted) OpenID into modern web applications than to try to hook them into a Unix or Unix-ish password authentication system. And even if it's just as complicated, the upstream developers are more likely to accept patches to add OpenID support than to add support for authenticating against a Unix password file; it's simply more general, these days.


Comments on this page:

From 76.10.173.95 at 2009-12-22 17:29:11:

1) Is LDAP not the standard solution for this sort of thing?

2) What exactly about OpenID stops people from using it to guess passwords?

-Jeremy

By cks at 2009-12-23 01:27:46:

LDAP is a lot more generality and complexity than I'm interested in exploring right now. I also suspect that integrating LDAP authentication into a typical web application is more difficult (and less likely to get accepted upstream) than OpenID support.

Nothing stops people from using an OpenID provider for password guessing, but it is both more difficult and more amenable to various sorts of countermeasures than a number of other potential systems. It's also intrinsically sort of slow and CPU intensive (which raises the odds that we will notice without any sort of specific monitoring).

As a practical matter, I'm happy if password guessing is no faster with OpenID than with mass ssh scanning. I suspect that it won't be.

From 195.26.247.141 at 2009-12-23 08:52:53:

Looks like there have been a few people with similar ideas online, and about adding OpenID support to PAM -- which would make it applicable to a lot of apps including Apache, Unix logins, etc.

Nothing that I can find really says whether an OpenID module for PAM is really possible or not, but it definitely sounds like an excellent solution if it is possible...

From 195.26.247.141 at 2009-12-23 10:11:37:

Additional: http://packages.debian.org/unstable/main/gracie shows that there is a Python package in Debian/Ubuntu which hooks together PAM and OpenID, which might be worth a try?

From 203.17.251.71 at 2010-01-14 06:16:53:

I've tried gracie, and it's pretty bodgy. Going PAM->SASL->LDAP then using OpenID-LDAP would be slightly less bodgy, but not much less work than just switching to LDAP completely.

I think you'd be surprised how receptive webapps are to LDAP auth - it's a common way of authenticating against Active Directory.

How about OpenID auth for DWiki btw?

James

By cks at 2010-01-14 08:45:48:

I've wanted to add some degree of OpenID to DWiki for some time now, but it keeps being too much of a project for my interest level and available time.

Written on 22 December 2009.
Last modified: Tue Dec 22 01:20:38 2009