Hi,

So tonight I have been working on making the Jenkins OpenID plugin [1] work. This was a little more challenging than anticipated, as the plugin asks for the URL of the OpenID provider. In our case we want to point to FAS. The 'problem' is that we ask for a username in the OpenID URL, while the plugin does not allow this.

So I came up with the attached patch, which does two things:

- Allows contacting /accounts/openid/yavis/ directly (w/o running into an error 500), which allows OpenID discovery by the client.
- Allows authenticating even if the URL asked for does not contain the username (which is the case when coming from Jenkins).

I'm sending this patch for review. To me the approach sounds fine, but I am wondering if the second change here is reducing the security or not. For comparison, Google seems to allow URLs not containing the username, and just lets the user log in if he is not already.

Good weekend to all,
Pierre

[1] https://wiki.jenkins-ci.org/display/JENKINS/OpenID+plugin
From b4760c33bf81fd7ba60a74e8f3c43530003d8fec Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon <pingou@xxxxxxxxxxxx> Date: Sat, 20 Oct 2012 23:07:16 +0200 Subject: [PATCH] Rework openID From this change we allow OpenID client to hit against accounts/openid/yadis/ instead of /accounts/openid/yadis/<username> and still be able to authenticate. The first change allows to call accounts/openid/yadis/ directly without running into an error 500 and allowing discovery on the client side. The second change just allows to authenticate for a username even if the username was not provided at first. --- fas/openid_samadhi.py | 10 ++-------- 1 files changed, 2 insertions(+), 8 deletions(-) diff --git a/fas/openid_samadhi.py b/fas/openid_samadhi.py index a2a72e0..1b57e6a 100644 --- a/fas/openid_samadhi.py +++ b/fas/openid_samadhi.py @@ -88,14 +88,11 @@ class OpenID(controllers.Controller): return results @expose(template="fas.templates.openid.yadis", format="xml", content_type="application/xrds+xml") - def yadis(self, username=None): + def yadis(self, username=''): results = dict(discover = discover, endpoint_url = endpoint_url, yadis_url = build_url(yadis_base_url + '/' + username), - user_url = None) - - if username: - results['user_url'] = build_url(id_base_url + '/' + username) + user_url = build_url(id_base_url + '/' + username)) return results @@ -125,9 +122,6 @@ class OpenID(controllers.Controller): if not cla_done(person): return False - if build_url(id_base_url + '/' + identity.current.user_name) != openid_identity: - return False - key = (openid_identity, openid_trust_root) return session.get(key) -- 1.7.1
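Review bot: in the first hunk, changing the default to `username=''` and dropping the `if username:` branch loses the `user_url = None` fallback, so a request for the bare yadis URL now renders `user_url` as `build_url(id_base_url + '/')`, an identifier with an empty username, where the old code rendered no user URL at all (and `yadis_url` likewise becomes `yadis_base_url + '/'`). If the template emits `user_url` whenever it is set, the discovery document for the endpoint itself will advertise a bogus per-user identifier. Keep the conditional, e.g. `user_url = build_url(id_base_url + '/' + username) if username else None`, so the endpoint-level XRDS stays distinct from a user's XRDS while the 500 on the bare URL is still fixed.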
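Review bot: the comparison removed in the second hunk was the only check tying the identity being asserted (`openid_identity`) to the logged-in account (`identity.current.user_name`); after the deletion the function falls straight through to `session.get(key)`, keyed only on `(openid_identity, openid_trust_root)`, so whether a logged-in user can approve an assertion for a different user's identifier now depends entirely on how that key is populated elsewhere. That is the weakening the cover mail asks about. A narrower change is to keep the comparison whenever `openid_identity` is a concrete per-user URL and skip it only in the OpenID 2.0 identifier-select case, where the provider itself chooses which identity to assert for the logged-in user (the behaviour the cover mail attributes to Google), rather than accepting any claimed identity.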
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure