
I need to implement an architecture someone else designed.

They have a Drupal site as the user-facing component, and an external authentication module.

To authenticate, the username and password should be passed from Drupal to the external authentication module.

Now, the password "lives" inside that external module, and it is encrypted. We are required to use HTTP Basic Authentication (over HTTPS) to authenticate there.

How can I authenticate the Drupal users' access to backends that authenticate in the external module? Do I need to keep a local copy of the password after login? Is the architecture maybe inherently flawed?

Thanks for any suggestion.

transient_loop
    This design is insecure (CWE-257). We have already solved this problem and we call it OAuth. – rook Sep 13 '14 at 22:46
  • @rook Except for the part "Do I need to keep a local copy of the password after login", how is it related to CWE-257? Using a webservice to answer yes/no whether a {user, password} combination is good is a totally valid approach if done correctly. As you said, OpenID Connect (OAuth2) is the other valid approach. – Gudradain Jun 26 '15 at 14:11
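An added example (not code from the question, from Drupal, or from any real external module) of what "done correctly" can look like for the Basic-over-HTTPS check the question describes: the credentials are forwarded to the verifier exactly once, and the only state kept afterwards is a hash of a random session token with an expiry, so no local copy of the password exists. The external module is stood in for by a constructed in-memory verifier so the code runs offline; the names `make_fake_external_module`, `SessionStore` and `login` and the sample credentials are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic Authentication
    (RFC 7617): "Basic " + base64("user:pass")."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def make_fake_external_module(credentials: Dict[str, str]) -> Callable[[str], int]:
    """Stand-in for the external authentication module (constructed for this
    example, hypothetical). Takes an Authorization header value and returns an
    HTTP status code, as the real HTTPS endpoint would. In production the
    callable would perform an HTTPS request that verifies the server
    certificate and applies a timeout."""

    def verify(authorization: str) -> int:
        scheme, _, token = authorization.partition(" ")
        if scheme != "Basic" or not token:
            return 401
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
            return 400
        user, _, pwd = decoded.partition(":")
        expected = credentials.get(user)
        if expected is None:
            # Compare against a dummy so timing does not reveal which users exist.
            hmac.compare_digest(pwd.encode("utf-8"), b"dummy-password")
            return 401
        ok = hmac.compare_digest(pwd.encode("utf-8"), expected.encode("utf-8"))
        return 200 if ok else 401

    return verify


class SessionStore:
    """Server-side session table kept on the Drupal side. It stores only a hash
    of an opaque random token plus username and expiry; the password never
    enters this structure."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Hash the token so a leaked session table cannot be replayed directly.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[self._key(token)] = (username, now + self.ttl)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username for a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(self._key(token), None)  # purge expired entry
            return None
        return username

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)


def login(username: str, password: str, verify: Callable[[str], int],
          sessions: SessionStore) -> Optional[str]:
    """Forward the credentials once to the external module; on 200 mint a
    session token. The password is a local variable only: nothing here writes
    it to a database, cache or log, so there is no local copy after login."""
    if verify(basic_auth_header(username, password)) != 200:
        return None
    return sessions.create(username)


if __name__ == "__main__":
    # Constructed sample credentials; the real ones live in the external module.
    module = make_fake_external_module({"alice": "correct horse battery"})
    store = SessionStore(ttl_seconds=60)
    token = login("alice", "correct horse battery", module, store)
    print("session for:", store.lookup(token))          # alice
    print("bad password:", login("alice", "wrong", module, store))  # None
```

The returned token would be handed to the browser in a `Secure`, `HttpOnly` cookie and looked up on each request; later access to backends is then authorized by the session, not by re-sending the user's password, which is why nothing in the Drupal side needs to retain it.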

0 Answers