Consider Ensuring No Authenticated User Only Responds With 401

[carrvo]

Background

I am using mod_authnz_external for an authz that checks for anonymous access (no authenticated user). The auth flow that I would like to achieve is

1. agent sends request
2. authz checks for anonymous access
   • if granted then deliver document
3. when denied anonymous respond with 401 so that the agent knows to authenticate
4. agent sends request with user credentials
5. authn checks for valid-user
6. authz checks for access
   • if granted then deliver document
7. when denied respond with 403

Problem

Using GroupExternalAuthnCheck Off allows for the Authz to check for anonymous access, but then it forces all further denial responses to be 403. Ideally, not having an authenticated user should only be able to respond with 401 regardless of whether Authn is checked for or not.

[carrvo]

Proposed Solution

On

mod-auth-external/mod_authnz_external/mod_authnz_external.c

Line 676 in 1d9ac9b

return AUTHZ_DENIED;

change

- 	return AUTHZ_DENIED;
+ 	// Revisit whether there was an authenticated user so that we can flag Apache appropriately
+ 	if (user == "") return AUTHZ_DENIED_NO_USER;
+
+ 	return AUTHZ_DENIED;

[carrvo]

The above proposed solution has been tested in conjunction with svn-auth v1.2.2 and Mindie-Client+mod_oauth2.

Example working config (sensitive information removed):

<Location /multi/website>
    DAV svn
    DavBasePath /multi/website
    SVNPath /.../website

    ErrorDocument 401 /oauth/index
    LogLevel trace1

    <If "%{HTTP:Authorization} =~ /^Basic/" >
        AuthType Basic
        AuthName "WebDAV"
        AuthUserFile /.../.htpasswd
    </If>
    <ElseIf "%{HTTP:Authorization} =~ /^Bearer/" >
        AuthType oauth2
        AuthName "WebDAV"
        OAuth2AcceptTokenIn header
        OAuth2AcceptTokenIn cookie name=oauth_token
    </ElseIf>
    <Else>
        # anonymous
        AuthType none
    </Else>

    AuthExternalContext '{"SVNParentPath":"/...","SVNLocationPath":"/multi"}'

    AuthzSendForbiddenOnFailure on
    GroupExternal svn-auth
    GroupExternalAuthNCheck Off

    <Limit GET HEAD OPTIONS REPORT>
	    Require external-group svn-authz authz:read ParentIfNotExist
    </Limit>
    <Limit POST>
	    Require valid-user
	    Require external-group svn-authz authz:write ParentIfNotExist
    </Limit>
</Location>