Suppose AllinOnePhoto (D) is a site that lets users store all their photos, built on D8. It has users 0, 1, 2, 3, 4, ..., where 0 is the anonymous user and 1 is the admin (a user with enough access); the other users are authenticated users. P is a third-party site that offers a printing service.
Hawk Auth and Oz Auth together should offer authentication solutions to the user stories below:
- D or User 1 developed a mobile app for authenticated users to sync photos to D. There are an Android version and an iOS version. Each version uses one key that D issues.
- Users 2, 3, 4, ... have mobile phones; they use the app that D has developed, but they only know their usernames and passwords.
- P offers a printing service, but it asks its users to grant the access that they have on D. Once P has the permission, P can only access one particular user's photos.
Comments

Comment #1
skyredwang

Comment #2
Dragooon commented:
For (2) Basic Auth + Hawk can be used: Hawk can be used to authenticate the app and Basic Auth to authenticate the users. Did some rudimentary testing:
1) Passed Hawk's authorisation header for User 1, let's say this is the app's owner. Drupal authenticated the header as user 1.
2) Passed Basic Auth's authorisation header for User 2 to the same server, Drupal authenticated it as user 2. Both Basic Auth and Hawk use the HTTP Authorization header, with Hawk's starting with "Hawk" and Basic Auth's starting with "Basic"; they cannot both be present at the same time, so we do not have to cater to that scenario.
In the above 2 requests, the Hawk and Basic Auth modules were present simultaneously and no change was made to the server's settings or configuration during testing; Drupal was able to switch between the different authentication mechanisms without issues.
Comment #3
skyredwang commented:
We need more test cases, and we need more documentation, so these tests can be reproduced.
1. If Hawk fails, can Basic still work? In user story 2, Hawk is used for device authentication and Basic is used for user authentication. If the device fails
2. If Hawk works, but Basic fails, can Hawk still acquire the user-owned content?
Comment #4
Dragooon commented:
1. Hawk and Basic Auth both rely on sending the HTTP Authorization header, except that Hawk's has to start with the string "Hawk" and Basic Auth's with "Basic", so we can't send a single request with both authentication protocols' headers. However they can repeat the request with a different header and that should work; they're independent of each other.
2. Hawk simply identifies the app as a Drupal user; if that user has permission over the user's content they can read it. That would be more of a challenge for the app developer.
Comment #5
Dragooon commented:
Okay, so here are the tests I did (I reran them for making this post; I discovered a bug in the previous tests I did).
Route's definition:
It is simply meant to show a JSON string and output the currently logged-in username.
Request 1 (Basic Auth for User A):
Correctly identifies user A.
Request 2 (Hawk for User B):
Correctly identifies user B.
Request 3 (BA for User A and HA for User B):
The first (Basic) belongs to user "A" and the second (Hawk) to user "B"; both credentials are correct on their own. However, when receiving them Apache merges them into one:
Which makes both of them invalid. If I have hawk first, this is the header Drupal receives:
Which also fails since Hawk doesn't recognise any parameter named Basic.
From what I can tell, the headers are merged at the Apache/.htaccess level. So this behaviour might be controllable; however, I couldn't figure out how to tell Apache to merge them differently or to only pass the first or second header. We could modify this behaviour to allow multiple headers, however that would go against the HTTP spec.
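As an added example (not code from this issue or from the Hawk/Basic Auth modules), here is a Python model of the scheme selection the thread describes, written from the defensive side: it picks a provider from the first word of the Authorization header and refuses a value that Apache has merged from two headers, rather than letting one provider misparse the other's credentials. The Hawk field names (id, ts, nonce, mac), the sample values and the function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Hawk credentials are a comma-separated list of key="value" pairs (assumed
# fields: id, ts, nonce, mac); Basic credentials are a single base64 token68.
_HAWK_PARAM = re.compile(r'^\s*([a-z]+)="([^"]*)"\s*$')
_BASIC_TOKEN68 = re.compile(r'^[A-Za-z0-9._~+/-]+=*$')


@dataclass
class SchemeDecision:
    scheme: str           # "basic", "hawk" or "invalid"
    reason: str = ""      # why the header was refused, if it was
    params: dict = field(default_factory=dict)


def select_scheme(authorization: str) -> SchemeDecision:
    """Pick the provider for an Authorization value, refusing merged values.

    Both schemes are laid out as "<scheme> <credentials>", so the split is on
    the first space. Anything the chosen scheme's grammar cannot consume is
    treated as a second credential that a proxy merged in, and rejected.
    (Hawk values are assumed to contain no commas; a real parser would honour
    quoting when splitting.)
    """
    scheme, _, rest = authorization.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # 'dXNlcjpwYXNz, Hawk id="..."' is not a single token68.
        if _BASIC_TOKEN68.match(rest.strip()):
            return SchemeDecision("basic")
        return SchemeDecision("invalid", "Basic credentials are not one token68 (merged header?)")
    if scheme == "hawk":
        params = {}
        for part in rest.split(","):
            m = _HAWK_PARAM.match(part)
            if not m:
                # e.g. a trailing ' Basic dXNlcjpwYXNz' segment from a merged header
                return SchemeDecision("invalid", f"unexpected Hawk segment: {part.strip()!r}")
            params[m.group(1)] = m.group(2)
        missing = {"id", "ts", "nonce", "mac"} - params.keys()
        if missing:
            return SchemeDecision("invalid", f"Hawk header lacks {sorted(missing)}")
        return SchemeDecision("hawk", params=params)
    return SchemeDecision("invalid", f"unsupported scheme {scheme!r}")
```

A provider stack that logs the `reason` of every "invalid" decision will surface the Apache merge described above as a distinct event instead of a generic 401.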
Comment #6
skyredwang commented:
GSoC 2015 is finished. This issue served as some thinking process and documentation. I am closing this now. In the future, we shall open new issues to tackle specific problems.