Re: FAS OpenID patch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2012-10-20 at 23:27 +0200, Pierre-Yves Chibon wrote:
> Hi,
> 
> So tonight I have been working on making working the jenkins OpenID
> plugin [1].
> This was a little more challenging than anticipated as the plugin ask
> for the url of the OpenID provider. In our case we want to point to FAS.
> The 'problem' is that we ask for a username in the OpenID url, while the
> plugin does not allow this.
> So I came up with the attached patch which does two things:
> - Allow to contact /accounts/openid/yavis/ directly (w/o running into an
> error 500) which allows OpenID discovery by the client.
> - Allow to authenticate even if the url asked does not contain the
> username (which the case when coming from jenkins).
> 
> I'm sending this patch for review, to me approach sounds fine, but I am
> wondering if the second change here is reducing the security or not.
> For comparison, google seems to allow url not containing the username,
> just let the user log-in in if he is not already.

So for the record, we have applied the changes in stg.

I tested on ask:
stg doesn't work maybe because of ssl
but testing from dev01:
works:
  http://fas01.dev.fedoraproject.org/accounts/openid/yadis/
  http://fas01.dev.fedoraproject.org/accounts/openid/yadis/<user>
  http://fas01.dev.fedoraproject.org/accounts/openid/id/<user>

On pypi:
works:
  https://admin.stg.fedoraproject.org/accounts/openid/yadis/<user>
  https://fas01.dev.fedoraproject.org/accounts/openid/id/<user>
  http://fas01.dev.fedoraproject.org/accounts/openid/yadis/<user>
  http://fas01.dev.fedoraproject.org/accounts/openid/id/<user>
both
  https://admin.stg.fedoraproject.org/accounts/openid/yadis/
  http://fas01.dev.fedoraproject.org/accounts/openid/yadis/
Do not work, we suspect pypi doesn't allow discovery.


Since it seems we are not breaking current behavior, I will push this to
upstream and to production.

Pierre
  
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure



[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux