diff --git a/auth_token/client/README b/auth_token/client/README new file mode 100644 index 00000000..66ed0620 --- /dev/null +++ b/auth_token/client/README 
@@ -0,0 +1,67 @@ +/*********************************************************************** + * + * README for libcasa_c_authtoken + * + ***********************************************************************/ + +INTRODUCTION + +libcasa_c_authtoken is the client auth_token engine. It is responsible for +interacting with ATSs, invoking the authentication mechanism plug-ins, and +managing the authentication token cache. libcasa_c_authtoken also provides +the Get Authentication Token API. + +CONFIGURING ADDITIONAL AUTHENTICATION MECHANISM MODULES + +libcasa_c_authtoken utilizes mechanism plug-ins for authenticating to ATSs. +The client auth_token package installs mechanisms for the support of Kerberos5 +and Username/Password authentication. To configure additional authentication mechanism +plug-ins, place their configuration file in the folder for CASA Authentication Token module +configuration. The path to this folder under linux is /etc/opt/novell/CASA/authtoken.d/modules.d. +The path to this folder under Windows is \Program Files\novell\CASA\auth\mechanisms. The name of +the plug-in configuration file is related to the authentication mechanism type in the following +manner: AuthenticationMechanismTypeName.conf. + +Authentication Mechanism plug-in configuration files must must contain a directive indicating the +path to the library implementing the Authentication Mechanism (See the configuration file +for the Kr5Authenticate plug-in for an example). + +CLIENT APPLICATION PROGRAMMING NOTES + +The Get CASA Authentication Token API is defined in casa_c_authtoken.h. + +The API consists of a call to obtain authentication tokens. The caller must supply the name of the +service to which it wants to authenticate along with the name of the host where it resides. The +returned authentication token is a Base64 encoded string. 
+ +Applications utilizing CASA Authentication Tokens as passwords in protocols that require the +transfer of user name and password credentials should verify or remove any password length limits +as the length of CASA Authentication Tokens may be over 1K bytes. The size of the CASA Authentication +Tokens is directly dependent on the amount of identity information configured as required by the +consuming service. These applications should also set the user name to "CasaPrincipal". + +For examples of code which uses the Get CASA Authentication Token API look at the test application +under the test folder. + +AUTHENTICATION MECHANISM PROGRAMMING NOTES + +The Authentication Mechanism API is defined in mech_if.h. + +For example implementations see the code for the krb5 and the pwd mechanisms. + +SECURITY CONSIDERATIONS + +CASA Authentication Tokens when compromised can be used to either impersonate +a user or to obtain identity information about the user. Because of this it is +important that the tokens be secured by applications making use of them. It is +recommended that the tokens be transmitted using SSL. + + + + + + + + + + diff --git a/auth_token/client/TODO b/auth_token/client/TODO new file mode 100644 index 00000000..a96f51d3 --- /dev/null +++ b/auth_token/client/TODO @@ -0,0 +1,18 @@ +/*********************************************************************** + * + * TODO for libcasa_c_authtoken + * + ***********************************************************************/ + +INTRODUCTION + +This file contains a list of the items still outstanding for libcasa_c_authtoken. + +OUTSTANDING ITEMS + +- Implementation of Linux specific code. +- Re-structure the token cache to differentiate between Session Tokens and Authentication Tokens. +- Use the CASA cache as the token store. +- Switch Client/Server protocol to use SOAP Messages. +- Enable communications over HTTPS instead of over HTTP. +
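Review bot: the SECURITY CONSIDERATIONS section of the README hunk recommends transmitting tokens over SSL but does not mention that the engine's own exchange with the ATSs still runs over plain HTTP (the TODO added in this same patch lists "Enable communications over HTTPS instead of over HTTP"); add a sentence stating that limitation so deployers know the client/ATS token exchange is not yet protected. In the CONFIGURING ADDITIONAL AUTHENTICATION MECHANISM MODULES section, the plug-in .conf files name the path of the library the engine loads, so the README should also state that /etc/opt/novell/CASA/authtoken.d/modules.d and \Program Files\novell\CASA\auth\mechanisms (and the files in them) must be writable only by administrators, since whoever can write a .conf there decides which library gets loaded. Minor points in the same hunk: "must must contain" is a doubled word, the Windows path lacks a drive letter, and the example plug-in is called Kr5Authenticate while the mechanism code is later referred to as krb5; confirm the file name follows the AuthenticationMechanismTypeName.conf rule stated just above it.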
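Review bot: in the TODO hunk, "Enable communications over HTTPS instead of over HTTP" and "Use the CASA cache as the token store" are security-relevant items rather than ordinary feature work and should be flagged as such, because until they are done the tokens the README says can impersonate a user are exchanged with the ATS over HTTP and held in a cache whose protection is not documented; the README's SECURITY CONSIDERATIONS should point at these open items. Also, "Implementation of Linux specific code" is listed as outstanding while the README already documents the Linux configuration path /etc/opt/novell/CASA/authtoken.d/modules.d; consider noting in the README that Linux support is incomplete so the documented path is not taken as a working configuration.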