New Deki Wiki authentication service: HTTP Passthrough Authentication
This service allows you to integrate user account creation/authentication with other web-based software that exposes a way to perform simple HTTP authentication. It very simply allows you to delegate validation of user credentials to an HTTP URL of your choice.
For example, if you have Apache/IIS set up with user accounts in an .htpasswd or equivalent file, or have any number of Apache authentication modules set up (mod_pam, mod_ldap, mod-auth, etc.), you can use this. You simply need a URL that, given credentials, can somehow verify whether they're valid (status 200) or invalid (any other status).
This service is described here:
http://wiki.opengarden.org/Deki_Wiki_API/Reference/HttpPassthroughAuthentication
You may set this up just like you would the LDAP auth service as described here:
http://wiki.opengarden.org/Deki_Wiki/User_Manual/Adding_LDAP_Support
The only setting you need is "authentication-uri".
This will be released with Hayes+ but anyone running from head in SVN can get these bits now.
Enjoy :)
Max
merktnichts
08-08-2007, 07:25 AM
Great feature!
I just tried it and am a bit puzzled now.
My Deki (Hayes/SVN) is protected using .htaccess/.htpasswd. I was able to add the service http-authentication by adopting the LDAP description you pointed to.
So I have the following now:
Type: Authentication
Description: HTTP Authentication
SID: http://services.mindtouch.com/deki/draft/2007/07/http-authentication
Config: authentication-uri -> http://my.domain.net
(Where http://my.domain.net has been replaced in this example - in fact it's the domain name deki has been configured to.)
First: Can authentication-uri also be just "http://127.0.0.1" or the internal LAN IP?
Second: Did I understand the authentication-uri correctly? Or would I have to set up a dummy page somehow? (which would be quite difficult due to the numerous mod-rewrites & proxy-use deki needs)
Third: How would I proceed? I entered "User management", chose "HTTP Authentication" as service and tried a) to add a user and b) to "Refresh from provider".
a) resulted in a "404 - User:"customer". resource not found" after putting in the credentials into the deki-styled pop-up (or call it pop-over)
b) resulted in a "User:"customer". resource not found" ("customer" is the user I defined in .htpasswd)
I guess I understood something terribly wrong here. Maybe you could give a detailed real-life step-by-step example with defined example users? This would help me and, I guess, also other users who are interested in this feature. Keep up the good work!
Merktnichts,
this service is not a substitute for how you've set up .htpasswd/.htaccess in order to make your wiki super private. The intent is for this to be used on the login page as an authentication service (just like the LDAP auth service) to allow credentials to be validated against some other source.
That source is the 'authentication-uri'. This can point to any hostname and path accessible by the DekiHost service (even some internet page if you'd like, maybe even a different DekiWiki instance :) ). All this does is delegate the validation of user-entered credentials to that URI. This allows users to be created automatically (if they're valid on that URI) if they don't already exist on your wiki.
Here are some requirements of the page at the authentication-uri:
* It needs to always return a status 401 (unauthorized) for anonymous users.
* It needs to also return status 401 for invalid credentials.
* It needs to return status 200 for valid credentials.
A good test for all of these is to simply point your browser at this URI. It must come back with an authentication dialog box that only allows valid credentials.
To your specific questions:
First: Can authentication-uri also be just "http://127.0.0.1" or the internal LAN IP?
It can be http://127.0.0.1 if you have a web server listening on that IP and the default page that's set up to perform authentication.
Second: Did I understand the authentication-uri correctly? Or would I have to set up a dummy page somehow? (which would be quite difficult due to the numerous mod-rewrites & proxy-use deki needs)
The URI doesn't have to be on the same server as DekiWiki, but if it is, you'll need to make a hole in your rewrite rules for it. You could always set up a different Apache/IIS virtual host for this.
Third: How would I proceed? I entered "User management", chose "HTTP Authentication" as service and tried a) to add a user and b) to "Refresh from provider".
a) resulted in a "404 - User:"customer". resource not found" after putting in the credentials into the deki-styled pop-up (or call it pop-over)
b) resulted in a "User:"customer". resource not found" ("customer" is the user I defined in .htpasswd)
Unfortunately adding users via user management cannot be supported for this authentication provider (it should have actually given you an error explaining this). The reason is that you'd need to know the username/password of every user you're entering in order to verify that the user exists. This authentication service will allow accounts to be created on the login page only.
Hopefully this clears up some confusion. I'll put a lot of this into the documentation for this service soon.
Max
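Max's three requirements above (401 for anonymous requests, 401 for invalid credentials, 200 for valid ones) and the original post's rule that any status other than 200 counts as invalid, as an added example that is not code from this thread or from MindTouch: a hypothetical authentication-uri endpoint on Python's http.server backed by a constructed user store, plus the client-side check the Deki service would make against it. USERS, status_for, validate_via_uri and start_server are names chosen for this example; the password hashing is a stand-in for a real .htpasswd or module-backed check.

```python
# Added example (not MindTouch code): hypothetical authentication-uri endpoint
# plus the client-side check the Deki service performs against it.
import base64, hashlib, hmac, threading
import urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed store: username -> sha256 hex of password (stands in for .htpasswd).
USERS = {"customer": hashlib.sha256(b"s3cret").hexdigest()}

def credentials_valid(username, password):
    # Constant-time compare with a dummy digest for unknown users (no timing leak).
    expected = USERS.get(username, "0" * 64)
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, expected) and username in USERS

def status_for(authorization_header):
    # Contract from the thread: anonymous -> 401, bad creds -> 401, good -> 200.
    if not authorization_header or not authorization_header.startswith("Basic "):
        return 401
    try:
        username, password = base64.b64decode(authorization_header[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return 401  # malformed header is treated as invalid credentials
    return 200 if credentials_valid(username, password) else 401

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        code = status_for(self.headers.get("Authorization"))
        self.send_response(code)
        if code == 401:  # challenge so a browser shows the login dialog Max describes
            self.send_header("WWW-Authenticate", 'Basic realm="deki-auth"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # silence per-request logging
        pass

def validate_via_uri(authentication_uri, username, password):
    # What Deki does with login-page credentials: only status 200 means valid.
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(authentication_uri, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 401 (or any other error status) means invalid

def start_server():
    # Serve on a loopback ephemeral port; return the URI to use as authentication-uri.
    server = HTTPServer(("127.0.0.1", 0), AuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/"
```

Pointing a browser at the URI returned by start_server() reproduces Max's manual test: the 401 challenge brings up the authentication dialog, and only the constructed user gets a 200.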
merktnichts
08-08-2007, 06:56 PM
Hey Max,
thanks a lot for those lines. I was now able to use the new service you implemented by setting up another virtual server (with an empty dummy page) to validate the users. Very interesting - and working!
After your explanation I now realized that I misunderstood the new authentication service indeed. Although I didn't think about it being a substitute for .htaccess/.htpasswd, I had the impression that Deki could use the HTTP authentication now which I established for Deki to hide it completely from unauthorized access.
Some days ago I was talking to Steve about this topic (when discussing the now solved general AJAX bug about HTTP auth). Now I think I misunderstood him as well, as I guess he was talking about the thing you implemented now.
Which brings me to the next step: what are the chances that in future Deki might be able to use the (as you called it) super private protection I set up, so users would only have to put their credentials into the HTTP auth window and Deki automatically logs them in?
SteveB
08-08-2007, 07:04 PM
Euh, no. What I was talking about is something different still. :)
Single-signon/auto-login/etc. is what I was talking about and this will take us a little while.
merktnichts
08-08-2007, 07:19 PM
Euh, no. What I was talking about is something different still. :)
Single-signon/auto-login/etc. is what I was talking about and this will take us a little while.
Hehe, okay, so I got YOU right and I got MAX wrong in the beginning. ;)
Looking forward to the single-signon feature, no matter when it will come. It's some comfort, but not vital for now, there's more important stuff to do at the moment, I guess.
Sorry for going off topic (unintentionally though); I'm out of this thread now. Thanks to both of you for clearing it up! At least I've learned now how the various authentication services in Deki work.