Mercurial > prosody-modules
comparison mod_auth_token/README.md @ 2956:d0ca211e1b0e
New HMAC token authentication module for Prosody.
| author | JC Brand <jc@opkode.com> |
|---|---|
| date | Tue, 27 Mar 2018 10:48:04 +0200 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| 2938:f000ba14d531 | 2956:d0ca211e1b0e |
|---|---|
| 1 # mod_auth_token | |
| 2 | |
| 3 This module enables Prosody to authenticate time-based one-time-pin (TOTP) HMAC tokens. | |
| 4 | |
| 5 This is an alternative to "external authentication" which avoids the need to | |
| 6 make a blocking HTTP call to the external authentication service (usually a web application backend). | |
| 7 | |
| 8 Instead, the application generates the HMAC token, which is then sent to | |
| 9 Prosody via the XMPP client and Prosody verifies the authenticity of this | |
| 10 token. | |
| 11 | |
| 12 If the token is verified, then the user is authenticated. | |
| 13 | |
| 14 ## How to generate the token | |
| 15 | |
| 16 You'll need a shared OTP_SEED value for generating time-based one-time-pin | |
| 17 values and a shared private key for signing the HMAC token. | |
| 18 | |
| 19 You can generate the OTP_SEED value with Python, like so: | |
| 20 | |
| 21 >>> import pyotp | |
| 22 >>> pyotp.random_base32() | |
| 23 u'XVGR73KMZH2M4XMY' | |
| 24 | |
| 25 and the shared secret key as follows: | |
| 26 | |
| 27 >>> import pyotp | |
| 28 >>> pyotp.random_base32(length=32) | |
| 29 u'JYXEX4IQOEYFYQ2S3MC5P4ZT4SDHYEA7' | |
| 30 | |
| 31 These values then need to go into your Prosody.cfg file: | |
| 32 | |
| 33 token_secret = "JYXEX4IQOEYFYQ2S3MC5P4ZT4SDHYEA7" | |
| 34 otp_seed = "XVGR73KMZH2M4XMY" | |
| 35 | |
| 36 The application that generates the tokens also needs access to these values. | |
| 37 | |
| 38 For an example on how to generate a token, take a look at the `generate_token` | |
| 39 function in the `test_token_auth.lua` file inside this directory. | |
| 40 | |
| 41 ## Custom SASL auth | |
| 42 | |
| 43 This module depends on a custom SASL auth mechanism called X-TOKEN and which | |
| 44 is provided by the file `mod_sasl_token.lua`. | |
| 45 | |
| 46 Prosody doesn't automatically pick up this file, so you'll need to update your | |
| 47 configuration file's `plugin_paths` to link to this subdirectory (for example | |
| 48 to `/usr/lib/prosody-modules/mod_auth_token/`). |