[Melbourne-pm] Authentication ?

Daniel Pittman daniel at rimspace.net
Mon Mar 30 17:18:14 PDT 2009


Scott Penrose <scottp at dd.com.au> writes:

> If you wanted to do authentication on apache with the following basic
> features:
>
> * (optional) Ability to register your own account with email token validation
> * (optional) ability to use 3rd party accounts (ala OpenID)

You are aware of the weaknesses in the current OpenID protocols, which
render it a great mechanism for password theft, right?

I certainly wouldn't trust it, until they resolve those, for anything
requiring more security than you can get without a login.

http://www.links.org/?p=187
http://www.links.org/?p=188

> * Password recovery via email token
> * Apache Module for login & access control
>
> It seems that most open source code does authentication & registration
> internally.

It certainly does.  When people move away from that they usually move to
a central SSO solution that allows them to integrate well beyond the
realm of the web.

> So I am collecting what people would use that is independent of
> framework or product - but can depend on Apache?

I would probably pick up the Stanford SSO solution:
http://webauth.stanford.edu/

Alternately, their features page compares them to a number of similar
large scale authentication solutions.

Debian packages it, in unstable and possibly before, and it delivers the
features you are talking about, more or less...


If all that was too much, though, and given your constraints above,
I would probably just deploy a random OpenID provider that did what
I asked, then use only that for authentication.

Regards,
        Daniel

