[TYPO3-project-4-3] Making RSA Auth default login method?

Dmitry Dulepov dmitry.dulepov at gmail.com
Mon May 4 21:02:34 CEST 2009


Hi!

Francois Suter wrote:
> I must say I didn't dig into Dmitry's patch and I have no idea how this
> new authentication service works. I saw a mention of private key/public
> key, so does it mean that keys must be at some point generated and
> exchanged? If this is the case how can TYPO3 work with RSA auth out of
> the box?
> 
> Could you detail how this works?

Sure! :)

When the user opens /typo3/index.php, special code executes that creates a public and a private key. These are one-time keys; they will be regenerated on each login page reload. The public key is stored in a hidden form field. The private key is stored on the server side (partially in the database and partially in the PHP session).

When the user clicks the login button, a special JavaScript is executed that encodes the password using the public key. Decoding is possible only using the corresponding private key, which happens on the server via a special service.

Keys are valid for a single request or 30 minutes (whatever comes first).

Earlier, superchallenged auth was hard-coded in the login form. Now it is moved to the "sv" extension, which logically should have it. In addition, the patch makes it possible to create any other auth method (for example, using certificates for authentication).

-- 
Dmitry Dulepov
In TYPO3 blog: http://dmitry-dulepov.com/reviews/magento-beginners-guide-by-william-rice.html
LinkedIn: http://www.linkedin.com/in/dmitrydulepov
Twitter: http://twitter.com/dmitryd
Skype: liels_bugs

