Add single-sign-on authentication as an optional component

[Ryan J Ollos]

After reviewing ​SharedCookieAuthPlugin, #12251 and #8486, it looks like it would be fairly straightforward to add single-sign-on authentication as an optional component (in tracopt.web.auth).

[Ryan J Ollos]

Tentatively targeting this to 1.2, but that will depend on how the implementation proceeds. I'm considering that it might be cleanest to add the feature to trac.web.auth.LoginModule rather than making it a separate optional Component.

[Ryan J Ollos]

TODO Document obsolescence of SharedCookieAuthPlugin at 1.1/TracUpgrade and ​SharedCookieAuthPlugin.

TODO Add documentation for single sign-on. ​th:wiki:CookBook/AccountManagerPluginConfiguration#SingleSignOn is a useful reference point.

[Ryan J Ollos]

Replying to Ryan J Ollos:

I'm considering that it might be cleanest to add the feature to trac.web.auth.LoginModule rather than making it a separate optional Component.

log:rjollos.git:t12257_single_sign_on implements the feature in trac.web.auth.LoginModule. The implementation is similar to ​AccountManagerPlugin in that the auth cookie is created in all environments that share an auth cookie path. This differs from the implementation of SharedCookieAuthPlugin, which uses an auth cookie that is stored in only one of the environments. In the latter case, on every request RequestDispatcher.authenticate is called for each environment until authentication succeeds.

I need to add tests, and add support for sharing cookies across subdomains (#12251).

[Ryan J Ollos]

Additional changes in log:rjollos.git:t12257_single_sign_on. I think these are working correctly for both auth_cookie_path and auth_cookie_domain.

I tested the auth_cookie_domain functionality using Apache. I had a virtualhost for each subdomain and found it necessary to set both trac.env_dir and trac.env_parent_dir in the trac.wsgi script. The latter is necessary so that Trac can discover the other environments. There might be a more logical way to configure the server to achieve the following domain to environment mapping:

• sub1.domain.com → /var/envs/env1
• sub2.domain.com → /var/envs/env2

[Jun Omae]

I don't think we should change web/auth.py. Only web/main.py should use open_environment(). That is dirty hack and that should be optional feature at least.

[Ryan J Ollos]

I don't agree, but do you have a better idea of how to implement rather than putting it in tracopt?

[Jun Omae]

In the proposed branch, it would insert auth_cookie records in current and other environments. Therefore, if user1 accesses env1 and user2 accesses env2 at the same time, it would lead dead lock on SQLite database.

• user1: start transaction on env1 → start transaction on env2 → commit on env2 → commit on env1
• user2: start transaction on env2 → start transaction on env1 → commit on env1 → commit on env2

Another thing, I think env.shutdown(threading._get_ident()) should be called after using Environment instance.

[Ryan J Ollos]

Let me know if you have a better idea on how to implement the feature. I will continue to think on it.