Squid Authentication with HTTP REST API


Squid Authentication with HTTP REST API

Serhat Koroglu

Hello,

Is there any possibility of implementing authentication through a custom XML Web Service or HTTP REST API? What should I check?




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid Authentication with HTTP REST API

Amos Jeffries
Administrator
On 14/03/2017 8:15 p.m., Serhat Koroglu wrote:
> Hello,
>
> Is there any possibility of implementing authentication through a custom XML Web Service or HTTP REST API? What should I check?
>

Squid supports the HTTP authentication framework (RFC 7235
<https://tools.ietf.org/html/rfc7235>). Squid is intentionally designed
not to touch the message payloads.

If the API uses custom headers then you can possibly do it with an
external_acl_type helper that takes those headers and returns
credentials to Squid.

But, if the API uses message payloads you will likely need something
like an ICAP service or eCAP module to do the payload processing.


Amos
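
One way to write the external_acl_type helper described in the reply above (an added example, not code from this thread or the Squid project). The header name X-Api-Token, the helper path, the validation URL and its JSON reply format are assumptions.

```python
"""Added example: external_acl_type helper that checks a custom header via REST.
Assumed squid.conf (header name, helper path and API URL are hypothetical):
  external_acl_type rest_auth ttl=60 concurrency=10 %>{X-Api-Token} /usr/local/bin/rest_acl.py
  acl api_ok external rest_auth
  http_access allow api_ok
  http_access deny all
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

API_URL = "https://auth.example.internal/v1/validate"  # hypothetical endpoint


def verify_via_rest(token):
    """Ask the (assumed) REST API who owns the token; None means rejected."""
    req = urllib.request.Request(API_URL, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return json.load(resp).get("user")  # assumed reply: {"user": "..."}
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return None
        raise  # anything else is an outage, not a verdict


def handle_line(line, verify=verify_via_rest):
    """Turn one Squid request line ('<channel> <urlencoded-header>') into a reply."""
    channel, _, raw = line.strip().partition(" ")
    token = urllib.parse.unquote(raw.strip())
    if not channel.isdigit():
        return "BH message=bad-request-line"
    if token in ("", "-") or len(token) > 4096 or not token.isprintable():
        return channel + " ERR message=missing-or-malformed-token"
    try:
        user = verify(token)
    except Exception:  # fail closed: an API outage must never yield OK
        return channel + " BH message=auth-backend-unavailable"
    if not user:
        return channel + " ERR message=token-rejected"
    return channel + " OK user=" + urllib.parse.quote(str(user), safe="")


if __name__ == "__main__":
    for request_line in sys.stdin:  # Squid keeps the helper running
        print(handle_line(request_line), flush=True)
```

Squid sends "-" when the header is absent, and the helper never writes the token itself to its output or logs.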


Re: Squid Authentication with HTTP REST API

Eliezer Croitoru
Hey Serhat, (first name, right?)

From what I understand you have a specific case.
Today the squid project doesn't have an example on how to implement such a solution.
I am willing to write an example for such a use case.
If you are willing to give me some of the details privately I would be able to put together an ICAP server as an example.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



Re: Squid Authentication with HTTP REST API

Serhat Koroglu

Sorry for the late reply.

I have found a suitable solution for validation through an HTTP web service. This article explains how to develop a custom helper, even using PHP: http://freesoftwaremagazine.com/articles/authentication_with_squid/ That's nice.

Then I know there is authentication with OAuth2 for squid-server. But as you may know, in OAuth2 authentication, you must authorize the app using the user's credentials, e.g. Facebook username and password. When this OAuth2 method is used, your app must redirect to the OAuth2 service to authorize your app.

You may have used many web sites like that with Facebook login. So my question is: how may the Squid server do this redirect and authorization process using a third-party OAuth2 service? Squid asks for the username and password with a web browser popup. Is there any example of this?


Regards,

Serhat.



Re: Squid Authentication with HTTP REST API

Eliezer Croitoru
Hey Serhat,

The right way to support OAUTH2 or any similar idea would be using an ICAP
service or ECAP module (to my knowledge).
There might be a way to do it using an external_acl helper but I do not know
how and if it would be possible.

To my understanding OAUTH2 will use some redirection when a cookie is not
present and if present and valid then it will let you pass.
Also it will have a special token "portal" API which the OAUTH2 will redirect
towards in order to get the cookie from the origin service.
In the backend, when the request from the client to the API with the key is
made, the client token will be revalidated in the background
against Facebook or Google or another OAUTH2 provider using the
developer API key.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



Re: Squid Authentication with HTTP REST API

Amos Jeffries
Administrator
On 20/03/2017 9:27 p.m., Eliezer  Croitoru wrote:
> Hey Serhat,
>
> The right way to support OAUTH2 or any similar idea would be using an ICAP
> service or ECAP module(to my knowledge).

Sigh. Another perfect example of how giving us incorrect information
results in bad answers.

OAuth2 is an actual standard authentication scheme with defined HTTP
features, not "a custom XML Web Service or HTTP REST API" which Serhat
was asking for earlier.

The proper way to implement OAuth2 is with the Bearer authentication
scheme. I did that implementation years ago right after OAuth2 Bearer
was standardized, but it did not get merged because nobody was using it
with proxies at the time and the final polish was going to be hard.

The patch (for an early 3.5) can be found at
<http://www.squid-cache.org/mail-archive/squid-dev/201407/0147.html> and
<http://wiki.squid-cache.org/Features/BearerAuthentication> is the
documentation for using it in a patched squid. If you want to sponsor
the work, Serhat, I would be happy to update it to current releases.

HTH
Amos


Re: Squid Authentication with HTTP REST API

Amos Jeffries
Administrator
In reply to this post by Serhat Koroglu
On 20/03/2017 7:49 p.m., Serhat Koroglu wrote:

> Sorry for the late reply.
>
> I have found a suitable solution for validation through an HTTP web
> service. This article explains how to develop a custom helper, even using PHP:
> http://freesoftwaremagazine.com/articles/authentication_with_squid/
> That's nice.
>
>
> Then I know there is authentication with OAuth2 for squid-server.
> But as you may know, in OAuth2 authentication, you must authorize the
> app using the user's credentials, e.g. Facebook username and password.
> When this OAuth2 method is used, your app must redirect to the OAuth2
> service to authorize your app.
>
>
> You may have used many web sites like that with Facebook login. So my
> question is: how may the Squid server do this redirect and authorization
> process using a third-party OAuth2 service? Squid asks for the username and
> password with a web browser popup. Is there any example of this?

No, this is absolutely *not* how Squid asks for authentication.

Squid "asks" by telling the client that authentication credentials are
needed and listing the schemes that it will accept credentials for.
*Some* clients (e.g. browsers) decide all on their own to use a popup to
annoy the user if they cannot supply any of those credential types
automatically. How they try to get them (or not) is way outside and
irrelevant to Squid.

For OAuth2 Squid just needs to support the Bearer authentication scheme,
and a helper to verify the credentials token which the client/browser
sends back.

Amos
