On Sat, 2012-10-20 at 23:27 +0200, Pierre-Yves Chibon wrote:
> Hi,
>
> So tonight I have been working on making the Jenkins OpenID
> plugin [1] work.
> This was a little more challenging than anticipated as the plugin asks
> for the url of the OpenID provider. In our case we want to point to FAS.
> The 'problem' is that we ask for a username in the OpenID url, while the
> plugin does not allow this.
> So I came up with the attached patch which does two things:
> - Allow to contact /accounts/openid/yavis/ directly (w/o running into an
>   error 500) which allows OpenID discovery by the client.
> - Allow to authenticate even if the url asked does not contain the
>   username (which is the case when coming from Jenkins).
>
> I'm sending this patch for review, to me the approach sounds fine, but I am
> wondering if the second change here is reducing the security or not.
> For comparison, Google seems to allow urls not containing the username,
> and just lets the user log in if he is not already.

So for the record, we have applied the changes in stg.

I tested on ask:
stg doesn't work, maybe because of ssl, but testing from dev01:
works:
http://fas01.dev.fedoraproject.org/accounts/openid/yadis/
http://fas01.dev.fedoraproject.org/accounts/openid/yadis/<user>
http://fas01.dev.fedoraproject.org/accounts/openid/id/<user>

On pypi:
works:
https://admin.stg.fedoraproject.org/accounts/openid/yadis/<user>
https://fas01.dev.fedoraproject.org/accounts/openid/id/<user>
http://fas01.dev.fedoraproject.org/accounts/openid/yadis/<user>
http://fas01.dev.fedoraproject.org/accounts/openid/id/<user>

both
https://admin.stg.fedoraproject.org/accounts/openid/yadis/
http://fas01.dev.fedoraproject.org/accounts/openid/yadis/
do not work; we suspect pypi doesn't allow discovery.

Since it seems we are not breaking current behavior, I will push this to
upstream and to production.

Pierre