On Fri, Jan 31, 2020 at 7:53 AM Justin Taylor <JUSTIN@xxxxxxxxxxxxx> wrote:
> So you're running Apache anonymously and off-loading authentication to the
> app stack, correct?
That's my understanding. Remove the appropriate Apache configuration
directives in order to avoid a duplication of work. Add features to the app
stack to issue credentials, provide for recovery of credentials and
password reset (via email or SMS or both), session expiration, individual
authorization to whatever functionality and content that you might provide,
support for group assignments and group authorities (because individual
authorities can be tedious to manage), etc.
> I've heard "OAuth", but I don't know anything about it. I'll add that to
> my list to research.
As an aside, our web portal supports OAuth. User IDs and passwords are
stored on an OAuth "realm", which is often run by a 3rd party, which issues
a token similar to what Brad mentioned previously. Your apps can retrieve
that token and query the OAuth realm (via web service) about its
authenticity.
I should say that none of this improves the efficiency of "authentication"
or "authorization". Unless you have a way of maintaining a persistent
connection with the browser, you'll have to authenticate and authorize
every request every time for any resources that you want to remain secure.
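The per-request authenticate-then-authorize flow, the expiring sessions and the group-based authorities described in this reply, as an added example in Python (it is not code from the thread or from any of its participants, and it does not cover the email/SMS credential-recovery flow). The in-memory stores, the SESSION_TTL value, the function names and the sample user are assumptions made for illustration.

```python
"""Added illustration: an app stack that issues credentials, keeps
expiring sessions, and authenticates and authorizes every request.
All names, stores and values below are constructed for this example."""
import hashlib
import hmac
import os
import secrets
import time

SESSION_TTL = 900  # assumed idle lifetime of a session, in seconds

USERS = {}               # username -> {"salt", "hash", "groups"}
SESSIONS = {}            # opaque token -> {"user", "expires"}
GROUP_AUTHORITIES = {    # group authorities, so individuals need not be managed one by one
    "readers": {"read"},
    "editors": {"read", "write"},
    "admins": {"read", "write", "manage_users"},
}


def _hash(password, salt):
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username, password, groups):
    """Issue credentials: store a salted hash, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "groups": set(groups)}


def login(username, password, now=None):
    """Verify credentials; on success issue an opaque session token, else None."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    if rec is None:
        _hash(password, b"dummy-salt-no-user")  # same work for unknown users
        return None
    if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "expires": now + SESSION_TTL}
    return token


def authenticate(token, now=None):
    """Resolve a token to a username; unknown or expired tokens yield None.

    Expired sessions are purged, and a valid session's expiry slides forward.
    """
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    if now >= sess["expires"]:
        del SESSIONS[token]
        return None
    sess["expires"] = now + SESSION_TTL
    return sess["user"]


def authorities(username):
    """Union of the authorities granted by every group the user belongs to."""
    groups = USERS[username]["groups"]
    return set().union(*(GROUP_AUTHORITIES.get(g, set()) for g in groups))


def handle_request(token, required_authority, now=None):
    """Per-request check: authenticate first, then authorize.

    Returns an HTTP-style status: 200 allowed, 401 not authenticated,
    403 authenticated but lacking the authority.
    """
    user = authenticate(token, now)
    if user is None:
        return 401
    if required_authority not in authorities(user):
        return 403
    return 200


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple", ["readers"])
    tok = login("alice", "correct horse battery staple", now=1000.0)
    print(handle_request(tok, "read", now=1100.0))                       # 200
    print(handle_request(tok, "write", now=1100.0))                      # 403
    print(handle_request(tok, "read", now=1100.0 + SESSION_TTL + 1))     # 401 (expired)
```

Every request goes through `handle_request`, which is the point the reply makes: with no persistent connection to the browser, the token is re-validated and the authorities re-derived on each call, and an expired or unknown token fails before any authorization check runs.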