sttp / Specification

STTP Specification and Related Documentation
MIT License

Authentication Support #4

Open StevenChisholm opened 7 years ago

StevenChisholm commented 7 years ago

The following authentication methods are supported. Note, authentication (a.k.a. "Trust") must be established for both the client/server. So the client/server may desire different levels of authentication. Again, comments are desired.

None: No authentication will occur. Connection is automatically mutually trusted based on something else like an IP address.

Trusted Private Key: The private key is trusted, not the contents of the certificate. This can be used to trust self-signed certificates since the identifying information of a self-signed certificate is meaningless.

Trusted Root Certificate + CNAME: If the certificate is signed by a trusted root and has a valid CNAME, this establishes a trusted connection.

NTLM: Uses NTLM to trust the credentials.

Kerberos: Uses Kerberos to trust the connection.

LDAP: Uses LDAP for authentication.

APIKey: Uses a user-generated API Key that is the same for both client/server. Some kind of Challenge/Response method will be employed here. It will also incorporate the public keys of all X.509 certificates to ensure that there is not a man-in-the-middle attack. Currently, I'm thinking of using SCRAM, since it's relatively simple. SRP would be superior, but it's rather difficult to implement and isn't native to .NET.
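As an added illustration of the APIKey idea above (not code from the STTP project or the issue author), the following Python sketch runs a SCRAM-SHA-256-style challenge/response over a shared API key and folds a hash of the observed X.509 public keys into the channel-binding field, so a proof built over one set of certificates fails verification against another. The message layout, salt, and certificate byte strings are constructed assumptions for the demo, and a real server would store only StoredKey/ServerKey rather than the API key itself.

```python
import base64
import hashlib
import hmac
import os


def _hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # SCRAM's "Hi" function is PBKDF2 with HMAC-SHA-256.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def _channel_binding(cert_pubkeys: list) -> str:
    # Hash every X.509 public key seen in the session (constructed byte strings here),
    # so the proof is tied to the exact certificates each side observed.
    h = hashlib.sha256()
    for key in sorted(cert_pubkeys):
        h.update(key)
    return base64.b64encode(h.digest()).decode()


def scram_exchange(api_key: bytes, client_view: list, server_view: list,
                   salt: bytes = b"constructed-salt", iterations: int = 4096):
    """One SCRAM-style handshake; returns (server_accepts_client, client_accepts_server)."""
    nonce = base64.b64encode(os.urandom(16)).decode()
    salt_b64 = base64.b64encode(salt).decode()
    # Both sides derive the SCRAM keys from the shared API key.
    salted = _hi(api_key, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    client_first = f"n=sttp-client,r={nonce}"
    server_first = f"r={nonce},s={salt_b64},i={iterations}"
    # Client builds its proof over the certificate public keys *it* saw (c= field).
    client_final_bare = f"c={_channel_binding(client_view)},r={nonce}"
    auth_msg_client = f"{client_first},{server_first},{client_final_bare}".encode()
    client_sig = hmac.new(stored_key, auth_msg_client, hashlib.sha256).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    # Server rebuilds the auth message from the certificates it saw, then checks the proof.
    server_final_bare = f"c={_channel_binding(server_view)},r={nonce}"
    auth_msg_server = f"{client_first},{server_first},{server_final_bare}".encode()
    expected_sig = hmac.new(stored_key, auth_msg_server, hashlib.sha256).digest()
    recovered_client_key = bytes(a ^ b for a, b in zip(proof, expected_sig))
    server_accepts = hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), stored_key)
    # Server proves knowledge of the key back; client verifies against its own view.
    server_sig = hmac.new(server_key, auth_msg_server, hashlib.sha256).digest()
    client_expected = hmac.new(server_key, auth_msg_client, hashlib.sha256).digest()
    client_accepts = hmac.compare_digest(server_sig, client_expected)
    return server_accepts, client_accepts
```

If an interposed party substitutes its own certificate, the two views of the channel binding diverge and both directions of verification fail, which is the man-in-the-middle property the APIKey proposal is after.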

EEParker commented 7 years ago

You might consider adding OAuth2 to the APIKey section. This could add flexibility if you already have a trusted OAuth provider, or if you implement an in-product OAuth service such as IdentityServer4.