[Zope-PAS] Struggling with 'challenge' support.

[Lennart Regebro]

Mark Hammond wrote:
>>That is the most common use case: Redirecting to a login
>>page. That is
>>what 99% of users that require something else than a 401
>>response will use.
> 
> But that use case is already handled well by Zope itself.

No, it's not handled by Zope at all..?!

> Surely PAS is so
> people can plug other authentication services.

Not only. PAS is also there to hande the challenge mechanism, and the 
reasonably, it should handle the challenge mechanism. And one of the use 
cases that needs to be supported is redirecting.

> I expect that when there are
> a number of PAS challenge implementations in place, it will be the minority
> of them that will want to redirect.

Possibly, but the fact still is that it needs to be supported.

> Best I can tell though, at the moment there are *no* working challenge
> implementations at all - which is making this discussion very hard to have -
> we have no working baseline at all.  Do you have any working challenge
> implementations at all? 

Yes, on my hard disk. But since this is the third major effort from my 
part of making one, and the previous two has had cases where it did not 
work, i think it is ueful to make sure we understand the use cases 
before I check in yet another non-working challenge implementation.

>>Use case 4:
>>What Mark is doing now. Could you explain that closer?
> 
> NTLM challenge/response with Internet Explorer.
> * client requests page
> * server returns 401, with "www-authenticate: NTLM" set.
> * client retries, passing a token in "authenticate" header
> * server re-responds 401, passing its tokens back to the client.
> * client retries, passing yet another token
> * server says "OK".

OK, excellent.

> In the same way that browsers can implement multiple responses, it is
> important we are able to issue multiple challenges.
> Consider IIS with a secure page - it will issue *both* HTTP and NTLM
> challenges.  If the client is IE it will silently authenticate with NTLM.
> If the client is anything else, it will see the standard HTTP auth challenge
> and handle that response.

Would it be possible to have both an NTLM challenge, and a redirect to a 
login-page? I guess the browser would then just redirect even if it 
could authenticate with NTML, so that would fail, right?

But it might be possible to have an www-authenticate: NTML together with 
a login-page body?

> Clearly that would not work if IIS had to choose between one of the
> challenge methods.

True, but that does not mean that you have to have several different 
plugins. In that case the NTLM challenger could set both NTML and Basic 
headers. But in the NTML+login page case, it would be nice to let the 
NTML challenger  just as it's headers and then go on to the next challenger.