To make things much like the normal flow, you could also proxy the
validation request (encrypted with the shared key or key pair) from the
service back to the provider, then proxy the provider's answer back to the
service (encrypted). The proxy here is the client (browser), and
encryption is done by the provider and by the consumer. This way the CAS
flow does not change at the logical level.


2014-07-29 15:30 GMT+02:00 Massimo Di Pierro <massimo.dipie...@gmail.com>:

> What you call satellites are normally called service consumers of the auth
> service provider. Let's ignore for a fact that your consumers are in a DMZ.
> web2py is a perfect framework for this because it has support for CAS,
> OAuth 1&2, and OpenID. In fact the CAS provider and consumer are built into
> any web2py application. You can simply install many copies of the welcome
> app and have all but one point to the one you choose as provider. CAS is
> better than OAuth for this because it lets you filter consumers. OAuth is
> supposed to allow any consumer.
>
> Now the problem is that your consumers are behind a DMZ. This is a major
> hurdle. As far as I know all protocols CAS, OpenID, OAuth 1&2 require that
> the consumer establish a direct outgoing connection to provider. None of
> these standard systems would work out of the box for you.
>
> There is one way around. You must implement your own protocol. The reason
> they normally establish a connection is to verify the credentials provided
> by the provider. You could make a simple modification to CAS (and I can
> help) so that consumer and providers share a secret and key and use it to
> digitally sign the "ticket" provided by the provider by the consumer. This
> would work.
>
> Massimo
>
>
>
>
> On Tuesday, 29 July 2014 06:26:12 UTC-5, Stodge wrote:
>>
>> I have several Django websites and I want to create a centralized auth
>> provider - I'm looking at various web frameworks including web2py, for a
>> simple solution for prototyping.
>>
>> The auth provider site (web2py) would contain the user accounts and be
>> the only repository for user details and passwords. Users would log into
>> the auth provider site and when they visit each satellite website for the
>> first time, an account is created on that site. Subsequent visits to the
>> satellite site would result in them being sent to the auth provider site to
>> login first. On returning they are automatically logged in to the satellite
>> site. My only difficulty is that the auth provider site would be on the
>> internet and the satellite sites are in DMZs on private networks with
>> access to the internet. So the satellite sites cannot establish any
>> outgoing connections to the auth provider.
>>
>> Would web2py be a good framework to use for the auth provider site? Would
>> the oauth2 application be the right solution? Any better alternatives?
>>
>> Thanks
>>
>  --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to web2py+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

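The modified CAS exchange Massimo sketches above (provider and consumer share a secret and the ticket is signed rather than validated over a back-channel), written out as an added example; this is not web2py's code and not part of the thread. The field names, the JSON ticket layout, the 60-second lifetime and the 30-second skew allowance are assumptions; the consumer keeps a set of seen nonces so a ticket replayed through the browser is rejected.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(username, service, secret, now=None, ttl=60):
    """Provider side: bind the user, the consumer's service URL, a validity
    window and a one-time nonce into a JSON body and HMAC it with the
    secret shared with that consumer (one secret per consumer)."""
    now = int(time.time() if now is None else now)
    payload = {"user": username, "service": service, "iat": now,
               "exp": now + ttl, "nonce": _b64(os.urandom(16))}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def validate_ticket(ticket, service, secret, seen_nonces, now=None, skew=30):
    """Consumer side, no outgoing connection needed: check the MAC before
    parsing anything, then audience, validity window and replay.
    Returns the username on success, None on any failure."""
    try:
        body_b64, sig_b64 = ticket.split(".", 1)
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(body)  # MAC verified, so this is the provider's body
    now = int(time.time() if now is None else now)
    if payload["service"] != service:
        return None  # ticket issued for a different consumer
    if not (payload["iat"] - skew <= now <= payload["exp"]):
        return None  # expired, or issued in the future beyond clock skew
    if payload["nonce"] in seen_nonces:
        return None  # replayed ticket
    seen_nonces.add(payload["nonce"])
    return payload["user"]
```

The consumer must still create or look up its local account from the returned username, exactly as the unmodified CAS consumer does after a successful validation.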