Distributed authentication

Posted: Thu Mar 10, 2011 10:57 am
by pickle
Hi all,

This is a theory question, not a specific code question.

I'm creating a central authentication scheme for my environment - as I have a number of applications running on various different servers (4 servers, 7 subdomains).

So, a basic situation between a Remote server and the Central server, when creating a session would go like this:
  1. Remote server asks user for user credentials
  2. Remote server takes credentials & compares them against our LDAP server
  3. If successful, Remote server sends a request (over https) to Central server to create a session for the user
  4. Central server loads user data and creates a session in our database - recording session expiry time & which applications the user is allowed to access.
  5. Central server sends generated session key, session expiry time, and loaded user data back to Remote server
  6. Remote server creates a cookie with the generated session key and the correct expiry time
The only problem I can see is the Central server trusting the Remote server at its word that a session can be created for user XYZ. To solve that, I'm maintaining an IP list on the Central server, and only requests from IPs on that list will be processed. All the servers run on our internal network, so I don't need to make this robust enough to work over the Internet.

Are there any other problems with this setup?

Thanks.

Re: Distributed authentication

Posted: Fri Mar 11, 2011 4:08 am
by VladSun
Not very clear to me. Are you trying to create a "passport" auth. scheme?

Hm, a "distributed authentication" or "a central authentication scheme" - which one?

I think what you've written is not the full story - I thought that after a single successful authentication, the user will be automatically logged into every one of the other "Remote servers", though I don't see these steps. Could you elaborate please?

"Central server" sounds like a "single point of failure" :)

The "IP trust" can easily be changed into a "certificates trust" (https).

PS: Something like this - viewtopic.php?f=19&t=94949&p=518372#p518372 ?

Re: Distributed authentication

Posted: Fri Mar 11, 2011 10:11 am
by pickle
- I'm not readily able to find what a "Passport" auth. scheme is - so I don't know.

- I guess it would be distributed authentication, central authorization.

- You're right - I didn't elaborate on how authorization is checked after subsequent page loads.
On each page load:
  1. Remote server loads the auth cookie (since all of my servers and subdomains are on the same domain, one server can set the auth cookie for all servers). The Auth library I wrote will also know which application and which access level is required.
  2. Remote server sends a request to the Central server asking if the session ID is valid for the required app and access level.
  3. Central server checks against its database to see if the session id is valid, and whether or not the user has the required access level for the required app.
  4. If the session exists and the user is allowed, Central server updates the expiry time of the session, and essentially sends TRUE and some user information back to the Remote server.
- The Central server is definitely a single point of failure. Most of our apps run on that same server though - so if the server goes down it doesn't really matter that people can't get authorized as the app they want to access is likely unavailable as well.
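An added illustration of the Central server side of the scheme laid out in the two posts above (session creation in steps 3-5 of the first post, the per-page-load check in the second); this is example code written for this thread, not the poster's library. The trusted IP list, the user directory and the 30-minute sliding expiry are constructed assumptions standing in for the real allowlist and LDAP data.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample values: the IP allowlist of Remote servers and a user
# directory standing in for the user data the Central server loads.
TRUSTED_REMOTES = {"10.0.0.11", "10.0.0.12"}
USER_DIRECTORY = {"xyz": {"name": "User XYZ", "apps": {"wiki": 1, "billing": 3}}}
SESSION_TTL = 1800.0  # seconds of inactivity before a session expires (assumed)


@dataclass
class Session:
    user: str
    expires: float


@dataclass
class CentralServer:
    sessions: dict = field(default_factory=dict)

    def create_session(self, remote_ip, user, now):
        # Steps 3-5: only an allowlisted Remote server may ask for a session.
        # This is the point where the Central server takes the Remote server
        # at its word that the user really passed the LDAP check.
        if remote_ip not in TRUSTED_REMOTES or user not in USER_DIRECTORY:
            return None
        key = secrets.token_urlsafe(32)  # unguessable key for the auth cookie
        expires = now + SESSION_TTL
        self.sessions[key] = Session(user, expires)
        return key, expires, USER_DIRECTORY[user]

    def validate(self, remote_ip, key, app, level, now):
        # Per-page-load check: trusted caller, known and unexpired session,
        # and the user holds at least the required access level for the app.
        if remote_ip not in TRUSTED_REMOTES:
            return False, None
        s = self.sessions.get(key)
        if s is None or now >= s.expires:
            self.sessions.pop(key, None)  # drop expired sessions eagerly
            return False, None
        info = USER_DIRECTORY[s.user]
        if info["apps"].get(app, 0) < level:
            return False, None
        s.expires = now + SESSION_TTL  # sliding expiry, as in step 4
        return True, info
```

Every rejection path returns the same `(False, None)`, so the Remote server cannot tell an unknown session from an insufficient access level and leaks nothing to the browser either way.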