Skip to content
This repository has been archived by the owner on Jun 7, 2022. It is now read-only.

babolivier/das

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits

ident

ident

 
 

moodle_macaroons @ 786b6dc

moodle_macaroons @ 786b6dc

 
 

service1

service1

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

README.md

README.md

 
 

Repository files navigation

DAS

Decentral Authentication Service

What is this?

DAS is a proof of concept of a digital workspace as used in school. Most of them use Apereo's CAS (sometimes known as Jasig), which handles authentification in a centralised way.

There's one downside to this: it requires a JEE server to run, not always easy to configure, sometimes ressources-hungry, and slows each authentication to a service by requiring additional requests between both the service and the CAS server, and the CAS server and the client.

That's where Macaroons come in the game. Macaroons are an easy way to implement decentralised authentication, and we'll use them to get rid of the CAS server, and allow an user to authenticate to a service without having to talk that often with the authentication service.

Digital workspace

In most school (and organisations, in general), students have access to a digital workspace, which really is a set of services directed to them (lectures' PDFs, mails client, courses planning, etc). In most cases, all these services are designed and built by different companies, in different ways, and with different authentication processes. To authenticate them, schools usually use a Central Authentication Service (or CAS) which will interact with a directory server (usually LDAP) and will verify the identity of an user. This is all explained in the CAS protocol.

Repository content

At the time this file was written, the repository contains the following directories:

  • ident is a small identification server written in Node.js. In our very simple case, it will only ask for an username, but we can think of improving it to interact with a LDAP server. Once the user identified itself, it server will place a Macaroon in the user's browser, with a status caveat, depending on the route used:
    • If the user identified on /, they will have the "student" status.
    • If the user identified on /teacher, they will have the "teacher" status.
  • service1 is a PHP service which authenticate an user based on their Macaroons, and only allow a teacher to access it.
  • moodle_macaroons is an authentication plugin for Moodle, a service actually used in schools' infrastructures, using Macaroons generated by ident (at least it's limited to this when I'm writing these lines).

Please keep in mind that, although this might not a very impressive use of Macaroons, it is still a work in progress.

Try it out

For now (not sure it'll last), you can try the whole thing at https://ent.brendanabolivier.com/, by adding the desired service in the URI (/ident for the identification server, /service1 for the PHP service). Connections aren't logged on this server.

Why don't you try heading out on https://ent.brendanabolivier.com/ident/, logging in, then accessing https://ent.brendanabolivier.com/service1/? 😉

Then you can try and identify on https://ent.brendanabolivier.com/ident/teacher and re-trying accessing service1 😄

About

PoC of school digital workspace without a CAS, using Macaroons

Resources

Readme
Activity

Stars

1 star

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages