WebAuth is a program to securely authenticate users for Web applications using UCInetIDs and passwords. The information below will help you get started.
The goal of the Web Authentication Tool is to provide a single, secure place at UCI for users to enter their UCInetID and password when they need to access web space where their UCInetID needs to be validated. The Web Authentication Tool uses a token to identify the time that a particular UCInetID was authenticated at a specific IP address. The server requiring the authentication is responsible for checking not only that the token is valid, but also that the IP address is the same and that the token is recent enough to still be acceptable.
The first step of using the Web Authentication Tool is to determine the access control mechanism. The two ways of controlling access are through a CGI program or by modifying the server. In either case, the next (and final) step is to write or re-use a program that interacts with the Web Authentication Tool.
The general flow of how it works:
A browser that has authenticated is carrying either a cookie or a GET variable named ‘ucinetid_auth’. The value of this variable is the token for the Web Authentication Tool. This token is sent to the authentication database as a GET variable and the response is a listing of the traits for that token. If the returned traits are acceptable, the information is presented. If a browser does not send a valid token (or no token at all), it is directed to the web page where the user enters their UCInetID and password.
There are three URLs/programs used to interact with the UCInetID Web Authentication Database:
- webauth: the page that prompts the user for a UCInetID and password and, if these are correct, enters the data in the database and sets the cookie/variable in the browser.
- webauth_check: used to get the data associated with a specific Web Authentication Tool token. The data is returned either as key/value pairs, with key=value on a single line, or as an XML document.
- webauth_logout: used to clear an entry in the UCInetID Web Authentication Database. When a browser is sent to this program, the program picks up the Web Authentication Tool token from the cookie in the browser or from the URL as a GET variable.
webauth
The following arguments can be used as GET variables with webauth:
webauth?return_url=URL
return_url should be set to the URL that the browser will be sent to after a successful login.
webauth_check
The following arguments can be used as GET variables with webauth_check:
webauth_check?ucinetid_auth=64CHARSTRING&return_xml=true
ucinetid_auth is a 64-character string stored in the database as the key to other information about the login. This variable is required.
return_xml (if set to ‘true’) will have the output returned as XML.
The data that is returned is:
Key | Description |
---|---|
ucinetid | the UCInetID authenticated with this key |
auth_host | the IP number of the host that the key was authenticated from |
age_in_seconds | how many seconds ago the UCInetID was authenticated |
time_created | the seconds since epoch that this key was authenticated |
seconds_since_checked | seconds since the last time webauth_check was run on this key |
last_checked | the seconds since epoch to when webauth_check was last run on this key |
campus_id | A unique number for every person on campus that will never be duplicated or repeated. This should be used as a key in a database. |
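The server-side checks described above (valid token, same IP address, recent enough), as an added example that is not part of the original page or UCI's own code. It parses the key=value form of a webauth_check response; the sample response, the 8-hour age limit, and treating a missing or empty ucinetid as "not authenticated" are assumptions.

```python
import ipaddress

# Assumption: local policy for how old a login may be; the page sets no value.
MAX_AGE_SECONDS = 8 * 3600

# Constructed sample of a webauth_check response (key=value, one per line).
SAMPLE_RESPONSE = """ucinetid=ptanteater
auth_host=192.0.2.10
age_in_seconds=120
time_created=1700000000
seconds_since_checked=5
last_checked=1700000115
campus_id=000000000001
"""
SAMPLE_TOKEN = "a" * 64  # constructed placeholder for the 64-character token


def parse_check_response(body):
    """Parse key=value lines into a dict; lines without '=' are ignored."""
    traits = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            traits[key.strip()] = value.strip()
    return traits


def validate_session(token, body, client_ip, max_age=MAX_AGE_SECONDS):
    """Return the UCInetID if the traits are acceptable, else None.

    On None the caller should send the browser to webauth with a return_url.
    """
    if len(token) != 64:  # the page defines the token as 64 characters
        return None
    traits = parse_check_response(body)
    ucinetid = traits.get("ucinetid", "")
    if not ucinetid:  # assumption: no ucinetid means the token is not valid
        return None
    try:
        # Compare parsed addresses, not strings, so formatting cannot differ.
        same_host = (ipaddress.ip_address(traits["auth_host"])
                     == ipaddress.ip_address(client_ip))
        age = int(traits["age_in_seconds"])
    except (KeyError, ValueError):
        return None  # fail closed on missing or malformed traits
    if not same_host or age < 0 or age > max_age:
        return None
    return ucinetid
```

Pass the address of the connection the request arrived on as `client_ip`, and use campus_id rather than ucinetid when keying local database records.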
webauth_logout
The following arguments can be used as GET variables with webauth_logout:
webauth_logout?ucinetid_auth=64CHARSTRING&return_url=URL
ucinetid_auth is a 64-character string stored in the database as the key to other information about the login. If this variable is not provided, the cookie value is used. (That is the best way to redirect a user.)
return_url should be set to the URL that the browser will be sent to after the entry is deleted.