= Proposed Self Contained Change: Web Application Authentication =

https://fedoraproject.org/wiki/Changes/Web_App_Authentication

Change owner(s): Jan Pazdziora <jpazdziora@redhat.com>, Jakub Hrozek

At the operating system level, there are numerous authentication and identity lookup mechanisms, some of them using sssd. With new Apache modules and a new version of sssd, some of those mechanisms become more easily consumable by web applications. Various web application environments and frameworks can then consume the results of authentication and information retrieval through environment variables similar to REMOTE_USER.

== Detailed Description ==

With mod_authnz_pam, PAM authentication and access checks are available to web applications, allowing a wider combination of authentication and access controls. One specific target is the host-based access control rules of FreeIPA for Kerberos SSO via pam_sss and sssd.

The mod_intercept_form_submit module makes it possible to enable the PAM authentication of mod_authnz_pam on normal logon form handling paths, so that web applications can consume it with fairly minimal changes.

The mod_lookup_identity module uses sssd-dbus to retrieve additional attributes such as name, email address, or group membership, and populates environment variables so that web applications can easily consume this information.

sssd-dbus implements a new service, ifp, which provides access to additional user-related pieces of information.
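
An added example (not part of the proposal or of the modules' own code) of the consuming side described above: a WSGI application that takes identity only from server-set variables and ignores look-alike request headers. The names REMOTE_USER_EMAIL and REMOTE_USER_GROUPS, the ":" separator, the group name and the login URL are assumptions chosen for illustration.

```python
"""WSGI consumer of server-asserted identity (added example)."""

# Assumed names: the administrator picks the variable names and the group
# separator in the Apache configuration; these values are hypothetical.
EMAIL_VAR = "REMOTE_USER_EMAIL"
GROUPS_VAR = "REMOTE_USER_GROUPS"
GROUP_SEPARATOR = ":"
REQUIRED_GROUP = "webapp-users"   # hypothetical group gating access
LOGIN_URL = "/login"              # hypothetical logon form path


def identity_from_environ(environ):
    """Return the server-asserted identity, or None if unauthenticated.

    Only keys set by the web server are read. Request headers reach WSGI
    as HTTP_* keys (a client-sent "Remote-User" header becomes
    HTTP_REMOTE_USER), and those keys are never consulted.
    """
    user = environ.get("REMOTE_USER", "").strip()
    if not user:
        return None
    raw = environ.get(GROUPS_VAR, "")
    groups = frozenset(g for g in raw.split(GROUP_SEPARATOR) if g)
    return {"user": user, "email": environ.get(EMAIL_VAR) or None,
            "groups": groups}


def application(environ, start_response):
    """Redirect to the logon form without identity; 403 without the group."""
    ident = identity_from_environ(environ)
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if ident is None:
        status, body = "302 Found", "login required\n"
        headers.append(("Location", LOGIN_URL))
    elif REQUIRED_GROUP not in ident["groups"]:
        status, body = "403 Forbidden", "not in %s\n" % REQUIRED_GROUP
    else:
        status = "200 OK"
        body = "hello %s <%s>\n" % (ident["user"], ident["email"])
    start_response(status, headers)
    return [body.encode("utf-8")]


def run(environ):
    """Call the app with a constructed environ; return (status, body)."""
    seen = {}
    chunks = application(environ, lambda s, h: seen.update(status=s))
    return seen["status"], b"".join(chunks).decode("utf-8")
```
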

== Scope ==

* Proposal owners: Three new packages (Apache modules) and rebase of sssd.
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)

devel-announce@lists.fedoraproject.org