WebAuth To-Do List Protocol: * WEBAUTH-222: Replace (or supplement; backwards compatibility will be necessary for a long time) the WebAuth protocol with a new protocol built on top of OpenID Connect (or OAuth 2.0) to make it easier to implement WebAuth servers and clients and to allow WebAuth to be more usable for program-to-program authentication. * WEBAUTH-92: Currently, there is no good logout strategy other than closing the browser, since the user remains logged in to each web site they've visited even if they go to the logout page on the weblogin server and destroy their global credentials. The best solution to this proposed so far is to maintain global state on the WebKDC servers (shared between them somehow) and to have the WebAuth servers query the WebKDC to see whether the credentials are still valid. This is a lot of work and raises some basic questions (such as, is HTTPS too slow for that query from the WebAuth server). * WEBAUTH-126: In the meantime, having the WebAuth logout handler automatically redirect to the WebLogin logout page might ameliorate some of the problems. * WEBAUTH-73: Allow a WebAuth Application Server to specify that authentication should be done using a particular instance (and perhaps only a particular realm?) so that the WebLogin server knows to manage a different set of single sign-on credentials for that user. This allows applications with specific credential requirements to not interfere with a user's other logins. * WEBAUTH-89: Rather than using our own Kerberos ticket serialization format, store tickets in the form that would be used when forwarding tickets, thus letting the Kerberos library do the encoding and decoding for us. MIT Kerberos has krb5_mk_ncred and krb5_rd_cred calls that could be used for this, but Heimdal doesn't appear to have anything equivalent. * WEBAUTH-127: Instead of using the same key for both the HMAC and the encryption key, use a channel key and derive both the HMAC and encryption keys from it. * WEBAUTH-110: Redo the WebKDC XML protocol to look more like a modern web services interface. A new WebAuth token representation using JSON should be defined, and the messages and replies from the WebKDC should themselves be defined as WebAuth tokens, including the encryption and integrity protection requirements. * WEBAUTH-46: User request: Currently, WebAuth always appends ?WEBAUTHR even if there's already an ? in the URL, which means that applications that want to do WebAuth themselves cannot do normal CGI parsing of the URL. Just changing this would break backward compatibility, so a new option needs to be added to the request token allowing the implementation to request proper CGI syntax be used in the URL. This option should probably be on by default with new versions of mod_webauth, since it's cleaner and doesn't cause any harm. * WEBAUTH-211: Switch to URL-safe base-64 encoding for tokens. This should be done in combination with some of the other changes for use of ? in URLs as a bundle of new-format token changes. * WEBAUTH-216: Stop including addresses in serialized Kerberos tickets and figure out what to do about the is_skey attribute. * WEBAUTH-41: Change encoded timestamps on the wire to be 64-bit times so that we don't have a year 2038 problem. * WEBAUTH-107: Support negotiation of the encryption cipher and HMAC for WebAuth tokens so that obsolete ciphers can be swapped out for newer ones. Use that support to switch to a better HMAC than SHA-1. * WEBAUTH-97: For better bootstrapping of authentications, provide the WebKDC interface to WebAuth application servers over remctl instead of HTTPS. This would avoid the bizarre dance with Kerberos authenticators and rely directly on GSS-API. General: * WEBAUTH-47: Currently, all module errors are logged with ap_log_error. It looks like we should be using ap_log_rerror when there's a request available and ap_log_cerror (but only with Apache 2.0.55 and later) when there's a connection available. This would probably include more useful details in the logs. * WEBAUTH-39: We're always passing a status of zero to all calls to ap_log_error, but in some cases we do have an error status that we should be passing in. * WEBAUTH-157: Support Apache 2.4 TRACE log levels and deprecate WebAuthDebug, WebAuthLdapDebug, and WebKdcDebug in favor of TRACE unless there are places where they really go to a lot of extra work. (And even then, is there a way for us to query if that log level is enabled?) * WEBAUTH-177: Generalize the option parsing code so that all three modules can use the same infrastructure. The best way to do this is probably to auto-generate most of the code from a separate description of the options. * WEBAUTH-99: Write an authentication provider for Shibboleth that implements the WebAuth protocol natively, and using that, express to WebAuth the final destination of the Shibboleth authentication, allowing the WebLogin server to make more interesting decisions. This also would eliminate the need to front the Shibboleth IdP with an Apache server and would be a natural extension of the work already done in the native Java implementation. * WEBAUTH-220: Missing configuration directives should not be a fatal error for any of the Apache modules, since Apache doesn't provide a good way of reporting and handling that error properly. Instead, we should accept the configuration but reject any use of the module. This will also allow us to enable the modules by default when installed as Debian packages. * WEBAUTH-123: Implement separate memory pools for keys and aggressively wipe them as soon as they are no longer in use. * WEBAUTH-105: Implement a standardized logging format across all of the WebAuth components. This will also mean switching WebLogin to using syslog for logging instead of relying on the FastCGI handler to do logging. libwebauth: * WEBAUTH-145: Support configuration of options for initial Kerberos tickets, such as ticket lifetime. We also probably want to suppress some options by default that we never use. * WEBAUTH-200: Format times properly when reporting errors about expired or stale tokens from token decoding. * WEBAUTH-153: Split the app and request tokens into two separate structs in the library API. We have to continue to use the same encoding on the wire, but we can at least not subject the library users to the problem. * WEBAUTH-151: Implement automatic encoding for enums and unions and use that to replace the custom encoding and decoding code for tokens. * WEBAUTH-87: Support enterprise principal names. * WEBAUTH-84: Support setting persistent factors from the userinfo call as well as the validate call. * WEBAUTH-101: Support passing parameters to the user information service with JSON instead of an ordered list. * WEBAUTH-189: Decode factors directly into struct webauth_factors when decoding tokens. * WEBAUTH-124: Support obtaining the password expiration time from the Kerberos KDC reply if the relevant functions are available and fill in that field even if we don't have a user information service or it doesn't provide us with that information. * WEBAUTH-194: Add a webauth_factors_add API and use it for the userinfo code. * WEBAUTH-199: Add the necessary Autoconf glue to allow us to use bool in public headers. * WEBAUTH-196: Use krb5_chpw_message to decode the password change error message from Active Directory servers. mod_webauth: * WEBAUTH-162: Rewrite the service token management in mod_webauth to be clearer about object lifetimes. This will probably require adding support for child contexts and copying the keyring back into the parent context so that we can destroy the child context and free any transient memory. * WEBAUTH-209: Provide a way to force reauthentication of a user who has valid credentials but ones that are about to expire, and apply it only to GET requests and not POST requests. This would be useful for wikis, for example, where expired credentials will usually destroy whatever work the user is trying to save. * WEBAUTH-169: If mod_webauth obtains a proxy token instead of an id token and WebAuthSubjectAuthType is set to krb5, mod_webauth needs to request an id token from the WebKDC and then verify it rather than simply trusting the identity in the proxy token. * WEBAUTH-50: Check the Cookie header for multiple webauth_at cookies and try each of them. This works around a bug in IE 7 where bar.com cookies are sent to foo.bar.com as well as the foo.bar.com cookies. * WEBAUTH-93: Support setting request headers in addition to or instead of environment variables, which will help when using proxy_http to, for example, a Tomcat server. * WEBAUTH-195: Stop requiring the trailing ; at the end of the token when that's the end of the URL. It is stripped in some obscure situations by IE when using header redirects, and in general ; is a separator rather than a terminator. If the token is truncated, we'll catch that anyway during decoding. * WEBAUTH-75: User request: Provide a way to require additional factors only when coming from a certain IP address or IP address range. This allows multifactor restrictions only for off-campus addresses, for example. This may be easier with the Apache 2.4 rework of the authorization infrastructure. * WEBAUTH-159: Validation of Kerberos authenticators in mod_webauth just blindly does a krb5_aname_to_localname and then compares against the subject. The decision of whether to strip the realm may be more complex than that. Figure out the right thing to do here, which is not obvious; perhaps require that REMOTE_USER be a full principal name if krb5 authenticators are used? * WEBAUTH-100: Convert the factor requirements to require directives so that they can be used with the new authorization math support in Apache 2.4. * WEBAUTH-165: Run the check_access hook directly in Apache 2.2 instead of via the get_user_id hook to make the code consistent. * WEBAUTH-150: Separate the function of checking for existing authentication from the function of redirecting the user to WebLogin. mod_webauthldap: * WEBAUTH-109: User request: There's no inherent reason why mod_webauthldap needs to be limited to working with mod_webauth. Allow additional auth types to be processed, or remove auth-type restrictions entirely and just rely on require privgroup. This will also require using REMOTE_USER instead of WEBAUTH_USER and, for use with mod_auth_kerb, dealing with a REMOTE_USER that's qualified with the realm. * WEBAUTH-83: User request: It would be nice to support multiple keytabs and different credentials in different virtual hosts so that the server would switch credentials and see different data depending on the context. This would require a significant reworking of the internals. * WEBAUTH-93: Support setting request headers in addition to or instead of environment variables, which will help when using proxy_http to, for example, a Tomcat server. * WEBAUTH-35: Support configuring multiple LDAP servers to query so that failover is supported. * WEBAUTH-43: Clean up the Apache 2.4 support and improve the way that the Apache version conditionals are handled. * WEBAUTH-183: Replace Kerberos code with use of libwebauth. mod_webkdc: * WEBAUTH-71: Ensure there is a proper return from a password login for an expired password so that it can be recognized and acted on by the WebLogin server. * WEBAUTH-217: A better error message when one talks to the WebKDC directly with a browser would be nice. The current message is rather baffling, and it would be good to tell the naive user to set up an application server or weblogin server. * WEBAUTH-49: Write a custom merging function for WebKdcLocalRealms so that the keywords are preserved properly. If a keyword is set, that should override any list of realms, but if both the old and new configuration contain list of realms, they should be combined. * WEBAUTH-141: Support an "any" option for WebKdcPermittedRealms so that the default can be explicitly set (possibly overriding an earlier explicit list). * WEBAUTH-136: Improve logging for better metrics analysis. More clearly indicate success versus failure, log clearly whether authentication was via username/password or via a single sign-on cookie, and find a way to differentiate between trusted Apache authentication and single sign-on. * WEBAUTH-88: Investigate implementing the GSSAPI-RPC protocol for the WebKDC. * WEBAUTH-215: Move token ACL handlng to libwebauth. * WEBAUTH-170: Rather than maintaining two parsers, include the possible tokens we would issue to the WAS in the return from the WebKDC so that the WebLogin server can choose whether to tell the user about them. This will let us remove the token.acl parser in WebLogin. * WEBAUTH-213: Fix the logic for required session factors to work properly when the initial authentication factor is not password. For example, a combination of X.509 and OTP authentication should satisfy a requirement for a session "m" factor, but currently mod_webkdc will return a forced authentication error, which WebLogin will turn into a password prompt. * WEBAUTH-48: In some cases, such as when the user entered a non-ASCII username, the error reply from the WebKDC is invalid XML because it contains non-ASCII characters that aren't encoded in UTF-8. Figure out something reasonable to do in this case so that the WebKDC always generates valid XML. * WEBAUTH-186: Logging of failed password or OTP logins is a bit too aggressive right now, producing four lines of output (one from libwebauth, two from mod_webkdc, and one from WebLogin). Two, one from mod_webkdc and one from WebLogin, would be sufficient. WebLogin: * WEBAUTH-44: When going to a site with multiple pieces of content protected by WebAuth, the browser seems to go to WebLogin multiple times, and for some of those times there's an error "no cookie, even after redirection" in the logs. Figure out what's going on and fix it. * WEBAUTH-179: Display a message if the password prompt is forced in order to get a TGT for credential delegation to the destination site. * WEBAUTH-117: Add a web services interface for the WebLogin login process and documentation for how to parse the redirect URL and make the login request, returning the return URL. * WEBAUTH-54: The error page should return the appropriate HTTP error code instead of success. * WEBAUTH-106: Incorporate the Stanford advanced settings page into the included WebLogin scripts, used to set the cookie saying to use Negotiate-Auth. * WEBAUTH-133: In support of localization and site customization, WebLogin should not be generating any error strings in the Perl code where possible. Instead, it should set parameters that are used on the login template to display appropriate text. Move the remaining error messages into the template. * WEBAUTH-173: Rework the WebLogin implementation strategy to either stop using CGI::Application parameters for per-query data or to collect them in a single parameter that can be more easily cleared. * WEBAUTH-76: Support displaying the last password change date for a user if they enter an incorrect password, as a reminder that they've recently changed their password. This would allow matching the behavior of Google authentication. * WEBAUTH-58: Fix parsing of the return data from the remctl calls to send multifactor messages. The current parsing doesn't take apart the XML document and retrieve the actual status result. * WEBAUTH-129: Support remembering the username in a cookie. * WEBAUTH-116: Remember the setting of the "use this computer regularly" checkbox via a cookie. Specifically, if the user says single sign-on cookies should *not* be retained on this system, remember that choice and change the default. * WEBAUTH-154: There should be a better way of distinguishing between fatal OTP validation errors and transient OTP validation errors so that WebLogin can choose whether to put up a dead-end error page or to return the multifactor login page again. Currently, it always does the latter. * WEBAUTH-137: Ignore whitespace around the username. * WEBAUTH-64: The WebLogin server currently leaks memory. Locate the source of that leak and stop it. * WEBAUTH-218: Simplify the various ways REMOTE_USER can be supported into a single or small number of straightforward configurations. * WEBAUTH-206: Support running WebLogin with taint checking enabled. * WEBAUTH-69: The most common problem with multifactor authentication is that people will start sessions to a web site in multiple browser windows simultaneously, and then attempt to authenticate in each window using the same multifactor code. Find some way for WebLogin to detect that an authentication has already happened in a different window and avoid error messages about reusing multifactor codes. Perl Modules: * WEBAUTH-51: To the extent that they will survive, all the WebKDC::* modules are misnamed and need to be renamed into the WebAuth::WebLogin::* namespace. WebLogin should be renamed WebAuth::WebLogin. * WEBAUTH-94: Add Perl WebKDC implementation. * WEBAUTH-85: Include in the distribution as much as possible of the Stanford user information service implementation as a basis upon which other sites can write their own. * WEBAUTH-191: Replace XML parsing with XML::TreeBuilder. * WEBAUTH-65: Do proper reference counting of the WebAuth context in all Perl objects so that the context will live until all objects derived from it have been garbage-collected. Scripts: * WEBAUTH-82: Provide a script or library to do synthentic transaction probes against a WebLogin server. (This by necessity will require screen scraping of the login HTML.) * WEBAUTH-95: Incorporate a script to obtain webkdc-proxy tokens from the WebKDC and display information about them. * WEBAUTH-112: Provide a script to take apart a token, given the keyring that encrypted it, and display information about the token and its contents. * WEBAUTH-125: Provide a script that generates the HTML pages for all WebLogin page flow paths. * WEBAUTH-130: Provide a script to analyze WebKDC logs and determine peak usage patterns. Build System: * WEBAUTH-138: Support --enable-rpath to force the RPATH of built libraries and binaries to include the paths of required libraries. Figure out how to pass this down correctly to the Perl module build. Test Suite: * WEBAUTH-201: A test suite (and a redesign of the code so that it can be tested) is desperately needed for all the code currently embedded in Apache modules. * WEBAUTH-214: Add better tests for the Kerberos libwebauth functions. * WEBAUTH-155: Rewrite tests for the Apache modules to avoid using lots of separate directories, merge the Perl code into a more manageable structure, and update the coding style. * WEBAUTH-172: Generate C token tests from the Perl configuration data. * WEBAUTH-176: Generate the WebKDC login tests from Perl configuration data. * WEBAUTH-171: Rewrite the userinfo tests to be data-driven. * WEBAUTH-168: Determine how to do test coverage analysis for the C test suite and add coverage analysis to testing. * WEBAUTH-156: Script the analysis of valgrind output from check-valgrind. * WEBAUTH-205: Add tests for the info logging in the token merge functions. * WEBAUTH-202: Test more attribute encoding edge cases. Documentation: * WEBAUTH-175: Rewrite the protocol specification to provide a better-structured and more complete introduction to the protocol and defining terms earlier and more consistently. * WEBAUTH-142: Document that numeric values of 0 are equivalent to the attribute not being set for all tokens on the wire. This is the assumption made by the Perl API, and it seems like it should be generally valid for all tokens. * WEBAUTH-166: Describe the multifactor design and implementation in the protocol specification, particularly including the criteria used when deciding whether to merge factors together as initial factors. * WEBAUTH-114: Write design notes / internals documentation for how WebAuth is put together. * WEBAUTH-223: Update the docs/test-plan document and check it against the current implementation and the set of things that can be tested (such as SPNEGO and advanced configuration). * WEBAUTH-132: Document the multifactor page flow in docs/weblogin-flow. * WEBAUTH-81: API documentation for libwebauth. * WEBAUTH-108: Write a full WebAuth manual (probably in Publican). * WEBAUTH-144: The protocol says that the subject should not be included in id tokens with a subject authenticator type of krb5, but we've always sent a subject and just ignored it in mod_webauth. Modify the protocol to indicate that the subject can be included in this case and the WAS may choose to trust it rather than validating the authenticator (since the choice of requested credentials was the WAS's anyway.) * WEBAUTH-96: Write XML schemas for all of the XML documents that the WebAuth components exchange, including the interactions with the user information service. * WEBAUTH-152: Document and name the WebLogin UI components. * WEBAUTH-188: Collect all token lifetime information together in one place in the WebAuth documentation. * WEBAUTH-113: Add a Security Considerations section to the WebAuth protocol specification. Mention cipher agility, hash agility, reuse of the AES encryption key as the HMAC key, use of SHA-1 as a cipher, reliance on cookie security, lack of a logout mechanism, implications of authenticating and then encrypting for tokens, and use of random nonces that are not protected against reuse. * WEBAUTH-146: Document the trust relationships between the WebAuth components. * WEBAUTH-149: Document when Perl APIs were introduced. * WEBAUTH-147: Document when Apache configuration directives were introduced. Style: * WEBAUTH-187: The mod_webauthldap module needs a lot of formatting and coding style cleanup. * WEBAUTH-234: All of WebAuth needs a general dead code removal pass and evaluation of all the places marked FIXME, spawning either entries for this list or removal as unimportant. * WEBAUTH-140: Update coding style for the WebAuth Perl modules. * WEBAUTH-181: Add function annotations to the API (particularly alloc).