Gluu Blog


UMA and OpenID Connect Plugins for Apache

Michael Schwartz July 17, 2013

It would be so awesome if we (meaning the citizens of the Internet) had plugins for popular web servers to make it easier to use OAuth2 to authenticate a person, and to authorize them to access certain URLs.

The web server plugin is a tried and true approach to protecting web resources (both files and APIs…) without requiring a Web programmer to know much about complex authentication and authorization protocols. Shibboleth, the most widely adopted open source SAML platform, uses this approach for its Shibboleth SP software.

According to the Netcraft survey in April 2013, Apache HTTPD had 54% of the web server market, approximately 341M servers. Take out Google’s 23M servers, and the number is even higher. It’s a good place to start.

To date, open source web server plugins have delivered on authentication, not authorization. Large companies can afford to buy expensive software for authorization from companies like CA, Oracle and IBM. These monolithic enterprise software vendors write web server plugins that use proprietary protocols to register and communicate with a central policy server. However, because of their price, most web developers just do without central authorization.

Thanks to the hard work of the UMA community, a profile of OAuth2 has been defined to accomplish authorization. OX has implemented this standard, enabling organizations to define their access policies using Java, Python, or web services. Gluu has agreed to implement an open source Java client (“OXD”) that can be deployed locally on the web server to handle the OAuth2 messaging. The only piece that is missing is the plugin to the web server.

This project will actually deliver two OAuth2 plugins for Apache HTTPD server: (1) a plugin for OpenID Connect, to handle the OAuth2 authentication, and (2) a plugin for UMA, to handle the OAuth2 authorization. The design for the UMA plugin is documented on the OX Project wiki:

Gluu has identified a resource to work on the project. In his cover letter, he wrote:
“I have been working on writing Apache modules for a reverse proxy product to provide single sign functionality. I’ve worked on projects to develop 10 custom modules to address the business needs of our product. I even have working knowledge of open source Apache modules such as mod_proxy, mod_proxy_http, mod_cache, mod_disk_cache etc. and a thorough understanding of the apr library, pools...”

This is a new funding model for us. We’re hoping that companies and integrators who want to see more options for open source authentication and authorization will support the effort. The intent is to donate the code produced by this effort to a non-profit, such as the Kantara Foundation, who could help develop a self-sustaining business model to fund future upgrades and fixes for the Apache plugin, and to create plugins for other web servers like IIS, nginx, or even popular CMS / CRM platforms such as WordPress and SugarCRM. In this way, this project could kickstart a new development ecosystem which will ultimately make the Internet a safer place for everyone.

Interested in helping us make this happen? Contribute to our Crowdtilt!! 


Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.
