
Cache authentication sessions #5

Closed
g0dsCookie opened this issue Apr 10, 2019 · 7 comments
Assignees
Labels
enhancement New feature or request

Comments

@g0dsCookie
Owner

Currently there is no cache mechanism for authentication. This leads to many ldap authentication requests.

Session Cookie?

@g0dsCookie g0dsCookie added the enhancement New feature or request label Apr 10, 2019
@g0dsCookie g0dsCookie self-assigned this Apr 10, 2019
@g0dsCookie
Owner Author

g0dsCookie commented May 15, 2019

Doesn't seem to be possible, since Traefik doesn't forward Response-Headers if the Response-Code is between 200 and 300.

Seems like this has to be rewritten as reverse-proxy.

@travisghansen

Cool project, thanks for the work! While I'm not doing this for the ldap support in my project, I have a similar need to support oauth2/openid. You can do the following:

  1. In the verify endpoint check for the cookie and validate
  2. If not present (and no credentials provided) return the 401 with WWW-Authenticate
  3. Browser/user enters credentials
  4. Repeat step 1
  5. If credentials are provided, authenticate
  6. If authentication succeeds, set the response cookie header and data
  7. Respond with a 302 back to the original request URI (i.e. send them back to the same endpoint)

The trouble with this is it can change the verb of the request, i.e. if a 'session' was initiated with a POST then it can be problematic. Cookies + basic don't mesh the best, but if your use-case is such that the above works then it's possible. Generally workflows with cookies imply an actual user sitting in front of a screen vs machine-to-machine authentication.

Hope that helps!

I support ldap auth with dynamic configuration (ie: supports multiple ldap configurations behind a single deployment) in a new project I started: https://github.com/travisghansen/external-auth-server

You may be interested in checking it out.

@travisghansen

If you just want to reduce the # of requests to the ldap server you can do so with some layer of cache. I do this for ldap support in my project. The basic idea is I hash the authentication header/base64 creds and if auth succeeds create a cache entry with that value as the key. When subsequent requests come through I'm assured the same username/password are being sent and can check for the existence of the cache entry.

It keeps secrets out of the cache while still ensuring proper credentials have been sent.
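
A sketch of the hash-keyed cache described above, as an added example (not code from either project): the LDAP bind is an `authenticate` callable you pass in, and the in-memory dict stands in for memcached/redis, which handle the TTL themselves. It keys entries with an HMAC under a server-side secret rather than a bare hash, so a leaked cache cannot be used to test credential guesses offline, and it caches only successes, so every wrong guess still costs a bind.

```python
import base64
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional, Tuple

# Server-side secret that keys the cache entries (constructed placeholder; load it from config).
CACHE_KEY_SECRET = b"replace-with-a-random-server-secret"
CACHE_TTL_SECONDS = 300
# Minimal in-memory cache (key -> expiry time); stands in for memcached/redis, which expire keys themselves.
_cache: Dict[str, float] = {}


def cache_key(authorization_header: str) -> str:
    # Keyed hash of the raw header value: the cache never holds credentials, and without
    # the server secret a leaked key cannot be brute-forced offline against a wordlist.
    return hmac.new(CACHE_KEY_SECRET, authorization_header.encode(), hashlib.sha256).hexdigest()


def parse_basic(authorization_header: str) -> Optional[Tuple[str, str]]:
    """Split 'Basic base64(user:password)' into (user, password), or None if malformed."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        user, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return user, password


def verify(headers: Dict[str, str], authenticate: Callable[[str, str], bool],
           now: Callable[[], float] = time.time) -> Tuple[int, Dict[str, str]]:
    """Forward-auth verify endpoint: returns (HTTP status, response headers)."""
    challenge = (401, {"WWW-Authenticate": 'Basic realm="ldap"'})
    header = headers.get("Authorization")
    if not header:
        return challenge
    key = cache_key(header)
    expires = _cache.get(key)
    if expires is not None and expires > now():
        return 200, {}  # same header authenticated within the TTL: no LDAP round trip
    _cache.pop(key, None)  # expired or absent
    creds = parse_basic(header)
    if creds is None or not authenticate(*creds):
        return challenge  # failures are never cached, so each wrong guess still costs a bind
    _cache[key] = now() + CACHE_TTL_SECONDS
    return 200, {}
```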

@g0dsCookie
Owner Author

Thanks for your suggestion @travisghansen. Will check this out.

But should it not also be possible to respond with 307? Since 307 should guarantee that neither the method nor the body is changed, if I remember correctly.

Some layer of cache will also be implemented. I also thought about hashing username/password and even storing the cache in memcached/redis (maybe optional), so they take care of the TTL.

@travisghansen

Yeah 307 would be cool if it works. Try and let me know.

That's exactly what I do for TTL and cache. I'm using a library so it's easy to switch active backends but in prod I use redis.

@g0dsCookie
Owner Author

@travisghansen seems to be working just fine with 307. Thanks again for your great suggestion. :-)

The test scenario was a simple index.html with a POST form to /print.php, which prints the request method used and the received form value. Before submitting the form I deleted the session cookie in my browser to force reauthentication and a 307 from my application.

Result: [screenshot 2019-05-17-092248_1278x291_scrot, not reproduced here]

index.html

```html
<!DOCTYPE html>
<html>
    <head>
        <title>POST Test</title>
    </head>
    <body>
        <form method="POST" action="/print.php">
            <input type="email" name="email" required>
            <button type="submit">TEST</button>
        </form>
    </body>
</html>
```

print.php

```php
<!DOCTYPE html>
<html>
    <head>
        <title>Method Test</title>
    </head>
    <body>
        <pre>
<?php
// Escape both values before echoing them into the page; otherwise a crafted
// form value would be reflected into the HTML unescaped.
echo "Request Method: " . htmlspecialchars($_SERVER['REQUEST_METHOD'], ENT_QUOTES, 'UTF-8') . "\n";
echo "Email: " . htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES, 'UTF-8') . "\n";
?>
        </pre>
    </body>
</html>
```

@travisghansen

Yeah wow that's very cool and good to know.
