bloodhound-dev mailing list archives

From Olemis Lang <ole...@gmail.com>
Subject Re: Help for alternate authentication module
Date Tue, 14 May 2013 16:18:38 GMT
On 5/14/13, Chris Gamache <cgamache@gmail.com> wrote:
> Thanks for the detailed response. After I finish this email I'll dig in and
> digest all those links.
>
[...]
>
> Ultimately, I want to hook Bloodhound into our oAuth 2.0 fabric. We're
> slowly converting away from the cookie token in favor of oAuth 2.0.

Good!
I feel very identified with the OpenId + oAuth combination. In the near
future I'm eager to see enhanced support for OpenId and Persona in
Apache™ Bloodhound.

> I fear
> that would require more customization to the codebase than the simple
> cookie token would (storage for tokens/refresh tokens, redirects to
> out-of-band authentication forms, re-authorization, etc.).

AFAICT, you'll definitely need those.

> The plan was to
> take baby steps and dig in on oAuth after Bloodhound is well established
> within our application suite.
>

After reading this and reviewing the Account Manager code, it seems to me
that you'll definitely need a custom IAuthenticator and to ensure that
AccountManager will not intercept auth handling before your plugin
(... by disabling the former's LoginModule maybe ...) while still being
able to read your own oAuth cookie.

Hint if you still want to keep AccountManager's LoginModule:

Maybe there's something to improve in either the environment configuration
or AccountManager's LoginModule. Trac's is very simple:

{{{#!py
    def authenticate(self, req):
        # Trac's LoginModule.authenticate (comments added for clarity)
        authname = None
        if req.remote_user:     # Condition 1: REMOTE_USER set by the web server
            authname = req.remote_user
        elif req.incookie.has_key('trac_auth'):    # Condition 2: trac_auth cookie sent
            authname = self._get_name_for_cookie(req,
                                                 req.incookie['trac_auth'])

        if not authname:
            return None    # defer to the next IAuthenticator in the loop

        if self.ignore_case:
            authname = authname.lower()

        return authname
}}}

If using a custom cookie then condition 2 should never be True and,
unless req.environ['REMOTE_USER'] is set, the next IAuthenticator in
the loop (e.g. the one for your oAuth cookie) will be called. Based
on this I'd suggest that you:

  1. Check that REMOTE_USER is not set by the web server.
  2. Check that the 'trac_auth' cookie is not set in the client browser
      and thus sent to the server as part of the request.
  3. Ensure the [account-manager] environ_auth_overwrite option
      is set to false.
  4. Ensure you either have no active password store configured or ...
  5. ... there's no store able to authenticate the target user (usually
      retrieved from req.args['user']).

Notice: suggestions from (3) on are due to the fact that the AM login
module wraps the built-in authenticate method and, under certain
conditions, sets REMOTE_USER explicitly.

-- 
Regards,

Olemis.

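The authenticator chain described in the message above, as an added example that is not part of the original thread and is not Trac's, Bloodhound's or AccountManager's code: a stand-in `Request`, a `TracLoginModule` that mirrors the quoted decision order, a hypothetical IAuthenticator that reads a custom signed cookie (cookie name `oauth_token`, the HMAC scheme and the secret are all assumptions), the first-non-None loop Trac's dispatcher runs over authenticators, and a `preflight_warnings` helper for checks (1) to (3) of the list. The `trac_auth` session table, the secret and all cookie values are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed secret for this example only; a real deployment loads it from
# configuration and never hard-codes it.
SECRET = b"example-secret-do-not-use"

# Constructed stand-in for the session table that Trac's LoginModule consults
# via _get_name_for_cookie() when a trac_auth cookie is present.
TRAC_AUTH_SESSIONS = {"c0ffee": "alice"}


class Request:
    """Minimal stand-in for trac.web.api.Request (constructed for the example)."""

    def __init__(self, remote_user=None, cookies=None, args=None):
        self.remote_user = remote_user          # populated from REMOTE_USER
        self.incookie = dict(cookies or {})     # cookies sent by the browser
        self.args = dict(args or {})
        self.environ = {}
        if remote_user:
            self.environ["REMOTE_USER"] = remote_user


class TracLoginModule:
    """Mirrors the decision order quoted in the message (Trac's LoginModule)."""

    ignore_case = False

    def authenticate(self, req):
        authname = None
        if req.remote_user:                       # Condition 1
            authname = req.remote_user
        elif "trac_auth" in req.incookie:         # Condition 2
            authname = TRAC_AUTH_SESSIONS.get(req.incookie["trac_auth"])
        if not authname:
            return None                           # defer to the next IAuthenticator
        return authname.lower() if self.ignore_case else authname


def sign_token(user, expires_at):
    """Issue a signed cookie value 'user:expires:hexsig' (hypothetical scheme)."""
    payload = "%s:%d" % (user, expires_at)
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + ":" + sig


class OAuthCookieAuthenticator:
    """Hypothetical IAuthenticator reading a custom cookie (name is an assumption)."""

    cookie_name = "oauth_token"

    def __init__(self, now=None):
        # Injectable clock so expiry handling can be exercised deterministically.
        self.now = now if now is not None else time.time

    def authenticate(self, req):
        raw = req.incookie.get(self.cookie_name)
        if not raw or raw.count(":") != 2:
            return None
        user, expires, sig = raw.split(":")
        payload = ("%s:%s" % (user, expires)).encode()
        expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None                           # tampered or foreign cookie
        if int(expires) <= self.now():
            return None                           # expired: re-authorization needed
        return user


def resolve_authname(req, authenticators):
    """Same loop shape as Trac's dispatcher: the first non-None answer wins."""
    for auth in authenticators:
        name = auth.authenticate(req)
        if name:
            return name
    return "anonymous"


def preflight_warnings(req, config):
    """Checks (1) to (3) from the message, returned as human-readable findings."""
    warnings = []
    if req.environ.get("REMOTE_USER"):
        warnings.append("REMOTE_USER is set by the web server")
    if "trac_auth" in req.incookie:
        warnings.append("trac_auth cookie is still sent by the browser")
    am = config.get("account-manager", {})
    if str(am.get("environ_auth_overwrite", "false")).lower() == "true":
        warnings.append("[account-manager] environ_auth_overwrite is true")
    return warnings


if __name__ == "__main__":
    chain = [TracLoginModule(), OAuthCookieAuthenticator(now=lambda: 1000)]
    req = Request(cookies={"oauth_token": sign_token("carol", 2000)})
    print(preflight_warnings(req, {}), resolve_authname(req, chain))
```

The order of `chain` matters: while either `REMOTE_USER` or a `trac_auth` cookie is present, `TracLoginModule` answers first and the custom authenticator never runs, which is exactly why the checklist insists on clearing both before expecting the oAuth cookie to be honoured.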