= Proposed Self Contained Change: Web Application Authentication =
https://fedoraproject.org/wiki/Changes/Web_App_Authentication
Change owner(s): Jan Pazdziora <jpazdziora(a)redhat.com>, Jakub Hrozek
On operating system level, there are numerous authentication and identity
lookup mechanisms, some of them using sssd. With new Apache modules and new
sssd, some of those mechanisms become more easily consumable by web
applications. Various web application environments and frameworks can then
consume results of the authentication and information retrieval using
environment variables similar to REMOTE_USER.
== Detailed Description ==
With mod_authnz_pam, PAM authentication and access checks are available to web
applications, allowing wider combination of authentication and access
controls. One specific target is host-based access control rules of FreeIPA
for Kerberos SSO via pam_sss and sssd.
The mod_intercept_form_submit module makes it possible to enable the PAM
authentication of mod_authnz_pam on normal logon form handling paths, which
can then be consumed by web application with fairly minimal changes.
The mod_lookup_identity uses sssd-dbus to retrieve additional attributes like
name, email address, or group membership, and populates environment variables
for easy consumption of this information by web applications.
The sssd-dbus implements new service ifp which provides access to additional
user-related pieces of information.
== Scope ==
* Proposal owners: Three new packages (Apache modules) and rebase of sssd.
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)