                            WebAuth To-Do List

Protocol:

 * Currently, there is no good logout strategy other than closing the
   browser, since the user remains logged in to each web site they've
   visited even if they go to the logout page on the weblogin server and
   destroy their global credentials.  The best solution to this proposed
   so far is to maintain global state on the WebKDC servers (shared
   between them somehow) and to have the WebAuth servers query the WebKDC
   to see whether the credentials are still valid.  This is a lot of work
   and raises some basic questions (such as, is HTTPS too slow for that
   query from the WebAuth server).

   In the meantime, having the WebAuth logout handler automatically
   redirect to the weblogin logout page might ameliorate some of the
   problems.

 * User request: Add a method for the WebKDC to communicate to the WAS the
   login method used, so that the WAS can expose this information in an
   environment variable to CGI applications, etc.

 * User request: Increase the timeout of the token sent by the WAS to the
   WebLogin server for initial user login.  It doesn't contain security
   information and therefore doesn't need to expire in five minutes.

 * Allow a WebAuth Application Server to specify that authentication
   should be done using a particular instance (and perhaps only a
   particular realm?) so that the WebLogin server knows to manage a
   different set of single sign-on credentials for that user.  This allows
   applications with specific credential requirements to not interfere
   with a user's other logins.

 * Rather than using our own Kerberos ticket serialization format, store
   tickets in the form that would be used when forwarding tickets, thus
   letting the Kerberos library do the encoding and decoding for us.

 * Use a better key for the HMAC than the encryption key of the token.

 * Redo the WebKDC XML protocol to look more like a modern web services
   interface.

General:

 * Currently, all module errors are logged with ap_log_error.  It looks
   like we should be using ap_log_rerror when there's a request available
   and ap_log_cerror (but only with Apache 2.0.55 and later) when there's
   a connection available.  This would probably include more useful
   details in the logs.

 * We're always passing a status of zero to all calls to ap_log_error, but
   in some cases we do have an error status that we should be passing in.

libwebauth:

 * The current library interface is very low-level.  Ideally, the library
   should treat particular WebAuth tokens as first-class objects with
   their own manipulation functions and not expose all of the low-level
   marshal and unmarshal functions to clients.

 * The library needs a way of doing error logging that isn't just
   returning error codes.  We probably need some sort of global WebAuth
   context that can stash error messages, similar to how the Kerberos
   library API works.

 * Switch all the WebAuth library interfaces to using opaque structs
   instead of typedefs, matching our current coding style.

 * Investigate whether we can provide higher-level interfaces to the
   WebAuth library so that we don't have to provide as many different
   functions.

 * Remove the local argument from webauth_krb5_rd_req_with_data.  It's not
   actually useful.

 * webauth_attr_list_add_time assumes that timestamps are unsigned 32-bit
   values.

 * String to number conversion in the WebAuth library is being done with
   atol instead of with strtol and with error checking.
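As an added example (not libwebauth's own code) serving both the previous two items, a hypothetical parse_time_attr that reads a timestamp attribute with strtoll and full error checking into a 64-bit value, beside the atol behaviour it would replace:

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical replacement for a bare atol() call: parse a decimal
 * timestamp attribute into a 64-bit value, rejecting anything that is
 * not a complete, in-range, non-negative number.  Returns 0 on success
 * and -1 on failure; *out is left untouched on failure. */
int parse_time_attr(const char *s, long long *out)
{
    char *end;
    long long v;

    if (s == NULL || *s == '\0' || isspace((unsigned char) *s))
        return -1;              /* empty, or leading whitespace strtoll would skip */
    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno == ERANGE)
        return -1;              /* overflow or underflow */
    if (end == s || *end != '\0')
        return -1;              /* no digits, or trailing junk like "123abc" */
    if (v < 0)
        return -1;              /* timestamps are never negative */
    *out = v;
    return 0;
}

/* For comparison: what atol() does with the same inputs.  It accepts
 * "123abc" as 123 and gives no indication that anything was wrong. */
long legacy_parse_time(const char *s)
{
    return atol(s);
}
```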

 * Add locking to the code reading and writing keyrings so that two
   processes don't simultaneously update a keyring.
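One way to serialize keyring updates across processes, as an added example rather than libwebauth's own code: a hypothetical with_keyring_lock wrapper that holds an exclusive flock() on a lock file around a read-modify-write; bump_counter stands in for the keyring rewrite, and the lock-file and keyring paths are whatever the caller supplies.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <unistd.h>

/* Run update(keyring, arg) while holding an exclusive advisory lock on
 * lockpath, so two processes cannot interleave their read-modify-write
 * of the keyring.  Hypothetical helper, not libwebauth's own code.
 * Returns update's result, or -1 if the lock could not be taken. */
int with_keyring_lock(const char *lockpath, const char *keyring,
                      int (*update)(const char *, void *), void *arg)
{
    int fd, rc;

    fd = open(lockpath, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX) != 0) {   /* blocks until any other writer is done */
        close(fd);
        return -1;
    }
    rc = update(keyring, arg);
    flock(fd, LOCK_UN);              /* the lock also drops if the process dies */
    close(fd);
    return rc;
}

/* Stand-in for the keyring update itself: read a counter, add *arg, write
 * it back, and return the new value (or -1).  Without the lock, two
 * processes can both read N and both write N+1, losing an update; the
 * same pattern loses a freshly added key in a real keyring. */
int bump_counter(const char *path, void *arg)
{
    int n = 0;
    FILE *f = fopen(path, "r");

    if (f != NULL) {
        if (fscanf(f, "%d", &n) != 1)
            n = 0;
        fclose(f);
    }
    n += *(int *) arg;
    f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fprintf(f, "%d\n", n);
    return fclose(f) == 0 ? n : -1;
}
```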

 * Stop including addresses in serialized Kerberos tickets and figure out
   what to do about the is_skey attribute.

 * Once logging is available, log better error messages when reading
   keytabs and obtaining initial credentials fails.

 * Replace the internal verify_tgt function with krb5_verify_init_creds.

 * The code to get a Kerberos error message always just uses com_err right
   now.  This needs modification to call the appropriate Kerberos error
   message function.

 * Support configuration of options for initial Kerberos tickets, such as
   ticket lifetime.  We also probably want to suppress some options by
   default that we never use.

 * Do proper error handling in the case where random number initialization
   fails.

mod_webauth:

 * User request: It would be nice to have a per-directory option to
   recognize a login if the WebAuth cookie is available, but not force it
   if the user isn't logged in.

 * User request: Currently, WebAuth always appends ?WEBAUTHR even if
   there's already a ? in the URL, which means that applications that
   want to do WebAuth themselves cannot do normal CGI parsing of the URL.
   Just changing this would break backward compatibility, so a new option
   needs to be added to the request token allowing the implementation to
   request proper CGI syntax be used in the URL.  This option should
   probably be on by default with new versions of mod_webauth, since it's
   cleaner and doesn't cause any harm.
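The two behaviours side by side, as an added example that is not mod_webauth's code: a hypothetical append_webauthr whose cgi_syntax flag stands in for the proposed request-token option; the "WEBAUTHR=token" encoding is assumed, and keeping a #fragment after the query goes slightly beyond the item above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build the return URL that carries the WEBAUTHR token.  With cgi_syntax
 * set, use '&' when the URL already has a query string; with it clear,
 * keep the legacy behaviour of always appending "?WEBAUTHR=".  Any
 * #fragment is kept after the added parameter.  Returns a malloc()ed
 * string the caller frees, or NULL on allocation failure.
 * Hypothetical helper; the token encoding is an assumption. */
char *append_webauthr(const char *url, const char *token, int cgi_syntax)
{
    const char *fragment = strchr(url, '#');
    size_t base_len = fragment ? (size_t) (fragment - url) : strlen(url);
    char sep = '?';
    char *out;
    size_t need;

    /* Only the part before any fragment decides whether a query exists. */
    if (cgi_syntax && memchr(url, '?', base_len) != NULL)
        sep = '&';
    need = base_len + 1 + strlen("WEBAUTHR=") + strlen(token)
           + (fragment ? strlen(fragment) : 0) + 1;
    out = malloc(need);
    if (out == NULL)
        return NULL;
    snprintf(out, need, "%.*s%cWEBAUTHR=%s%s", (int) base_len, url, sep,
             token, fragment ? fragment : "");
    return out;
}
```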

 * If mod_webauth obtains a proxy token instead of an id token and
   WebAuthSubjectAuthType is set to krb5, mod_webauth needs to request an
   id token from the WebKDC and then verify it rather than simply trusting
   the identity in the proxy token.

 * Allow WebAuthExtraRedirect in the server and virtual host
   configuration.

 * Add support for WebAuthDoLogout in an .htaccess file.

 * Check the Cookie header for multiple webauth_at cookies and try each of
   them.  This works around a bug in IE 7 where bar.com cookies are sent
   to foo.bar.com as well as the foo.bar.com cookies.
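An added example of the "try each of them" approach (not mod_webauth's own code): a hypothetical cookie_values that collects every webauth_at value from a Cookie header, and pick_valid_token that returns the first one the supplied check accepts; looks_valid is a constructed stand-in for the real token decryption and verification.

```c
#include <stdlib.h>
#include <string.h>

/* Collect every value of cookie `name` from a Cookie header into out[],
 * up to max entries, and return the count.  Each value is a malloc()ed
 * copy the caller frees.  A browser that sends both the bar.com and the
 * foo.bar.com cookie of the same name yields two entries here. */
size_t cookie_values(const char *header, const char *name, char **out, size_t max)
{
    size_t n = 0, name_len = strlen(name);
    const char *p = header;

    while (p != NULL && *p != '\0' && n < max) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t) (end - p) : strlen(p);

        while (len > 0 && *p == ' ') {      /* skip the "; " padding */
            p++;
            len--;
        }
        if (len > name_len && strncmp(p, name, name_len) == 0
            && p[name_len] == '=') {
            size_t vlen = len - name_len - 1;
            char *copy = malloc(vlen + 1);
            if (copy == NULL)
                break;
            memcpy(copy, p + name_len + 1, vlen);
            copy[vlen] = '\0';
            out[n++] = copy;
        }
        p = end ? end + 1 : NULL;
    }
    return n;
}

/* Try each candidate in order and return the index of the first one that
 * `valid` accepts, or -1 if none does.  Nothing is freed here. */
int pick_valid_token(char **tokens, size_t n, int (*valid)(const char *))
{
    size_t i;

    for (i = 0; i < n; i++)
        if (valid(tokens[i]))
            return (int) i;
    return -1;
}

/* Constructed stand-in for the real check (decrypt and verify the app
 * token): here a token is "valid" if it starts with "ok:". */
static int looks_valid(const char *token)
{
    return strncmp(token, "ok:", 3) == 0;
}
```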

mod_webauthldap:

 * User request: There's no inherent reason why mod_webauthldap needs to
   be limited to working with mod_webauth.  Allow additional auth types to
   be processed, or remove auth-type restrictions entirely and just rely
   on require privgroup.  This will also require using REMOTE_USER instead
   of WEBAUTH_USER and, for use with mod_auth_kerb, dealing with a
   REMOTE_USER that's qualified with the realm.

 * User request: It would be nice to support multiple keytabs and different
   credentials in different virtual hosts so that the server would switch
   credentials and see different data depending on the context.  This would
   require a significant reworking of the internals.

 * Currently, WebAuthLdapKeytab is defined to be acceptable in virtual
   hosts.  A caution should be added that it's not reasonable to define
   multiple keytabs, since the implementation currently only supports one
   set of authentication credentials.

 * Add to mod_webauthldap a way to deny access if a user is a member of a
   particular privgroup.

 * Support listing multiple privgroups on the same line in the
   mod_webauthldap module using the iterate flag.

mod_webkdc:

 * Return from a password login any additional information provided by
   the KDC, such as upcoming password expiration information.

 * Ensure there is a proper return from a password login for an expired
   password so that it can be recognized and acted on by the WebLogin
   server.

 * A better error message when one talks to the WebKDC directly with a
   browser would be nice.  The current message is rather baffling, and it
   would be good to tell the naive user to set up an application server or
   weblogin server.

 * Write a custom merging function for WebKdcLocalRealms so that the
   keywords are preserved properly.  If a keyword is set, that should
   override any list of realms, but if both the old and new configuration
   contain lists of realms, they should be combined.

 * Support an "any" option for WebKdcPermittedRealms so that the default
   can be explicitly set (possibly overriding an earlier explicit list).

 * Improve logging for better metrics analysis.  More clearly indicate
   success versus failure, log clearly whether authentication was via
   username/password or via a single sign-on cookie, and find a way to
   differentiate between trusted Apache authentication and single sign-on.

WebLogin:

 * Display a message if the password prompt is forced in order to get a
   TGT for credential delegation to the destination site.

 * Add a web services interface for the WebLogin login process and
   documentation for how to parse the redirect URL and make the login
   request, returning the return URL.

 * The error page should return the appropriate HTTP error code instead of
   success.

 * Incorporate the Stanford advanced settings page into the included
   WebLogin scripts, used to set the cookie saying to use Negotiate-Auth.

 * Add a replay cache for WebLogin interactions, possibly using memcached,
   so that one cannot use the browser back button to replay a password
   login after the previous user has logged out.

 * Add a rate limit for WebLogin logins that blocks excessive failed
   password attempts for a specific user.

 * On the password change screen, when the password fails strength
   checking in Heimdal, we get a -1765328343 (Message stream modified).
   Look into that more, as that seems a strange error code.

 * We have not tested the corresponding case for MIT at all.  Worst
   case, users should only get a confusing error message, but someone
   should check against MIT.

Build System:

 * Compile the WebAuth version into the modules rather than getting the
   version from the webauth library.  In the webauth and webkdc modules,
   warn if the versions don't match at runtime (but proceed anyway).

Test Suite:

 * A test suite (and a redesign of the code so that it can be tested) is
   desperately needed for all the code currently embedded in Apache
   modules.

Documentation:

 * Add POD documentation for all Perl modules.  Many of the WebKDC modules
   currently don't have documentation.

 * Write design notes / internals documentation for how WebAuth is put
   together.

 * Update the docs/test-plan document and check it against the current
   implementation and the set of things that can be tested (such as SPNEGO
   and advanced configuration).

Style:

 * The mod_webauthldap module needs a lot of formatting and coding style
   cleanup.

 * All of WebAuth needs a general dead code removal pass and evaluation of
   all the places marked FIXME, spawning either entries for this list or
   removal as unimportant.

 * Change all header guards prefixed with an underscore and a capital
   letter.  Those identifiers are reserved by the C standard.
