mod_auth_mellon

Support for mod_authn_socache

Open fraff opened this issue 5 years ago • 5 comments

Could you please add support for mod_authn_socache?

If I understand it right, it would speed up things, but more, it would allow storing cookies in memcache backends. It would be possible to use auth mellon on multiple load balancers or backends.

Thanks.

fraff avatar Feb 27 '20 13:02 fraff

mod_authn_socache is not suited for this as it caches password hashes for basic or digest authentications. mod_auth_mellon uses a session to retrieve information once authenticated. In order to get what you want the correct approach for me seems to be:

  1. Make mod_auth_mellon use mod_session. Currently I have no idea how to implement am_validate_unique_assertion_id and am_handle_logout_request with mod_session as by its nature it does not allow to iterate over all sessions.
  2. Add a mod_session_socache module to offer a like for like shared memory session handling that current mod_auth_mellon offers.

Another option given the issues with 1. would be to make mod_auth_mellon use the socache API directly instead of its own shared memory cache. The drawback is that this does not allow us to store the session data on the client via an encrypted cookie (mod_session_cookie / mod_session_crypto). But this possibility on the other hand is one of the reasons why we cannot iterate over all sessions :-)

Both of the above proposals also lead us to the general discussion of how long mod_auth_mellon should continue to support httpd 2.2, which has been EOL for about 3 years.

I am open for discussion and happy to continue also in other venues like the mailing list if they are more appropriate.

rpluem avatar Apr 22 '20 11:04 rpluem

Update: I just noticed that some of the most interesting socache providers do not support iterating over all sessions (mod_socache_memcache / mod_socache_redis). Hence the approach needs to find a solution that avoids iterating across the whole session store to implement am_validate_unique_assertion_id and am_handle_logout_request.

rpluem avatar Apr 27 '20 12:04 rpluem
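Added example, not part of the thread or of mod_auth_mellon's code: one way the two operations named above could run on a store that offers only keyed get/set/delete, assuming a logout request identifies the session by NameID and SessionIndex. The toy in-memory store, the key layout and every function name are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Toy stand-in for a memcache/redis-style provider: keyed access only, no iterator. */
enum { SLOTS = 64, KLEN = 160 };
static struct entry { char key[KLEN], val[KLEN]; long expiry; } store[SLOTS];
static struct entry *lookup(const char *key, long now, int want_free) {
    struct entry *spare = NULL;
    for (int i = 0; i < SLOTS; i++) {
        int live = store[i].key[0] && store[i].expiry > now;
        if (live && strcmp(store[i].key, key) == 0) return &store[i];
        if (!live && !spare) spare = &store[i];
    }
    return want_free ? spare : NULL;
}
static int kv_set(const char *key, const char *val, long expiry, long now) {
    struct entry *e = lookup(key, now, 1);
    if (!e || strlen(val) >= (size_t)KLEN) return 0;       /* store full or value too long */
    strcpy(e->key, key); strcpy(e->val, val); e->expiry = expiry;
    return 1;
}
/* Delete = overwrite with an entry that is already expired (times are >= 0 here). */
static void kv_del(const char *key, long now) { kv_set(key, "", -1, now); }
/* Build "<prefix>:<a>|<b>"; refuse truncated keys, which could collide. */
static int mkkey(char *out, const char *prefix, const char *a, const char *b) {
    return (unsigned)snprintf(out, KLEN, "%s:%s|%s", prefix, a, b) < (unsigned)KLEN;
}
/* Replay check: the assertion ID is itself the key, kept until the assertion expires. */
int assertion_id_is_unique(const char *id, long not_on_or_after, long now) {
    char k[KLEN];
    if (!mkkey(k, "assertion", id, "") || lookup(k, now, 0)) return 0;
    return kv_set(k, "1", not_on_or_after, now);            /* fails closed when full */
}
/* Store the session plus a second entry keyed by what a logout request names. */
int session_create(const char *sid, const char *name_id, const char *sidx, long expiry, long now) {
    char sk[KLEN], ik[KLEN];
    if (!mkkey(sk, "session", sid, "") || !mkkey(ik, "logout", name_id, sidx)) return 0;
    return kv_set(sk, name_id, expiry, now) && kv_set(ik, sid, expiry, now);
}
/* Logout: one keyed lookup finds the session ID; nothing scans the store. */
int logout_session(const char *name_id, const char *sidx, long now) {
    char sk[KLEN], ik[KLEN];
    struct entry *e = mkkey(ik, "logout", name_id, sidx) ? lookup(ik, now, 0) : NULL;
    if (!e || !mkkey(sk, "session", e->val, "")) return 0;
    kv_del(sk, now); kv_del(ik, now);
    return 1;
}
int main(void) {   /* constructed sample values */
    int ok = session_create("s1", "alice@idp.example", "idx-1", 100, 0) && assertion_id_is_unique("_a1", 50, 0)
          && !assertion_id_is_unique("_a1", 50, 1) && logout_session("alice@idp.example", "idx-1", 2);
    printf("all checks passed: %d\n", ok);
    return !ok;
}
```

The cost of this layout is two writes per session, and the index entry has to share the session's expiry so the two do not drift apart.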

@jdennis did some work on mod_socache before. You can find it here: https://github.com/jdennis/mod_auth_mellon/tree/socache

Sadly, it was a rather substantial rewrite of the module, and nobody found the time to properly review and test the changes, so the development stalled with jdennis not having time to push it solo.

Maybe this is an initiative the community can pick back up again?

jmaanmies avatar May 27 '20 10:05 jmaanmies

Thanks for the pointer. At least due to #13 a rework of the patch is needed.

rpluem avatar May 27 '20 12:05 rpluem

In order to get the stuff from @jdennis here for people to work on it, can someone with push permissions please do the following:

git branch socache 1fa6146abe8ee1b8f224646866a855d969bbb0b6
git checkout socache
git remote add jdennis https://github.com/jdennis/mod_auth_mellon.git
git pull jdennis socache
git push -u origin socache
git remote remove jdennis

This would allow people to work on rebasing the socache branch here and making it ready for a PR.

rpluem avatar Aug 24 '20 07:08 rpluem