
Opened 5 years ago

Last modified 12 months ago

#12257 new enhancement

Add single-sign-on authentication as an optional component

Reported by: Ryan J Ollos
Owned by:
Priority: normal
Milestone: next-major-releases
Component: web frontend
Version:
Severity: normal
Keywords: authentication
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Ryan J Ollos)

After reviewing SharedCookieAuthPlugin, #12251 and #8486, it looks like it would be fairly straightforward to add single-sign-on authentication as an optional component (in tracopt.web.auth).

Attachments (0)

Change History (13)

comment:1 by Ryan J Ollos, 5 years ago

Component: general → web frontend
Type: defect → enhancement

comment:2 by Ryan J Ollos, 5 years ago

Description: modified

comment:3 by Ryan J Ollos, 5 years ago

Milestone: next-major-releases → 1.2

Tentatively targeting this to 1.2, but that will depend on how the implementation proceeds. I'm considering that it might be cleanest to add the feature to trac.web.auth.LoginModule rather than making it a separate optional Component.

Last edited 5 years ago by Ryan J Ollos

comment:4 by Ryan J Ollos, 5 years ago

Owner: set to Ryan J Ollos
Status: new → assigned

comment:5 by Ryan J Ollos, 4 years ago

TODO Document obsolescence of SharedCookieAuthPlugin at 1.1/TracUpgrade and SharedCookieAuthPlugin.

TODO Add documentation for single sign-on. th:wiki:CookBook/AccountManagerPluginConfiguration#SingleSignOn is a useful reference point.

Last edited 4 years ago by Ryan J Ollos

comment:6 by Ryan J Ollos, 4 years ago (in reply to comment:3)

Replying to Ryan J Ollos:

I'm considering that it might be cleanest to add the feature to trac.web.auth.LoginModule rather than making it a separate optional Component.

log:rjollos.git:t12257_single_sign_on implements the feature in trac.web.auth.LoginModule. The implementation is similar to AccountManagerPlugin in that the auth cookie is created in all environments that share an auth cookie path. This differs from the implementation of SharedCookieAuthPlugin, which uses an auth cookie that is stored in only one of the environments. In the latter case, on every request RequestDispatcher.authenticate is called for each environment until authentication succeeds.

I need to add tests, and add support for sharing cookies across subdomains (#12251).

Last edited 4 years ago by Ryan J Ollos

comment:7 by Ryan J Ollos, 4 years ago

Additional changes in log:rjollos.git:t12257_single_sign_on. I think these are working correctly for both auth_cookie_path and auth_cookie_domain.

I tested the auth_cookie_domain functionality using Apache. I had a virtualhost for each subdomain and found it necessary to set both trac.env_dir and trac.env_parent_dir in the trac.wsgi script. The latter is necessary so that Trac can discover the other environments. There might be a more logical way to configure the server to achieve the following domain to environment mapping:

  • sub1.domain.com → /var/envs/env1
  • sub2.domain.com → /var/envs/env2

comment:8 by Jun Omae, 4 years ago

I don't think we should change web/auth.py. Only web/main.py should use open_environment(). That is a dirty hack and it should be an optional feature at least.

Last edited 4 years ago by Jun Omae

comment:9 by Ryan J Ollos, 4 years ago

I don't agree, but do you have a better idea of how to implement it rather than putting it in tracopt?

comment:10 by Jun Omae, 4 years ago

In the proposed branch, it would insert auth_cookie records in the current and other environments. Therefore, if user1 accesses env1 and user2 accesses env2 at the same time, it would lead to a deadlock on the SQLite database.

  • user1: start transaction on env1 → start transaction on env2 → commit on env2 → commit on env1
  • user2: start transaction on env2 → start transaction on env1 → commit on env1 → commit on env2

Another thing, I think env.shutdown(threading._get_ident()) should be called after using Environment instance.
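The interleaving above, as an added example that is not from the ticket or from Trac's code base: two SQLite files stand in for env1 and env2, a constructed auth_cookie table stands in for Trac's schema, and each "user" opens a write transaction in both environments in its own order. The consistent_order() case shows the standard mitigation of always taking the environments' locks in one global order (sorted by path), which the ticket itself does not discuss; in SQLite the deadlock surfaces as "database is locked" errors once the busy timeout expires.

```python
import os, sqlite3, tempfile, threading, time
# Constructed stand-in for Trac's auth_cookie table; not Trac's real schema or code.
SCHEMA = "CREATE TABLE auth_cookie (cookie TEXT, name TEXT, ipnr TEXT, time INTEGER)"

def make_envs():
    """Two throw-away SQLite files standing in for env1 and env2."""
    base = tempfile.mkdtemp()
    paths = [os.path.join(base, "env1.db"), os.path.join(base, "env2.db")]
    for p in paths:
        con = sqlite3.connect(p); con.execute(SCHEMA); con.commit(); con.close()
    return paths

def insert_cookie_everywhere(envs, user, hold, timeout):
    """Write the user's auth cookie into every environment inside nested write transactions,
    mirroring comment:10. `hold` pauses after the first lock so both users overlap."""
    conns = []
    try:
        for i, path in enumerate(envs):
            con = sqlite3.connect(path, timeout=timeout, isolation_level=None)
            conns.append(con)
            con.execute("BEGIN IMMEDIATE")  # take this environment's write lock now
            con.execute("INSERT INTO auth_cookie VALUES (?, ?, '127.0.0.1', 0)", ("c-" + user, user))
            if i == 0:
                time.sleep(hold)
        for con in conns:
            con.execute("COMMIT")
        return "ok"
    except sqlite3.OperationalError:  # "database is locked" once the busy timeout expires
        return "locked"
    finally:
        for con in conns:
            con.close()  # closing rolls back whatever was not committed

def run(order1, order2, hold=0.3, timeout=1.0):
    """Run user1 and user2 concurrently, each locking the environments in its own order."""
    results = {}
    def worker(user, order):
        results[user] = insert_cookie_everywhere(order, user, hold, timeout)
    threads = [threading.Thread(target=worker, args=(u, o)) for u, o in (("user1", order1), ("user2", order2))]
    for t in threads: t.start()
    for t in threads: t.join()
    return results

def inverted_order():
    """comment:10's interleaving: env1 then env2 vs. env2 then env1, so each waits on the other."""
    env1, env2 = make_envs()
    return run([env1, env2], [env2, env1])

def consistent_order():
    """Mitigation: every request locks the environments in one global order (sorted by path)."""
    env1, env2 = make_envs()
    return run(sorted([env1, env2]), sorted([env2, env1]))
```

With equal busy timeouts both logins in inverted_order() normally fail; at minimum one of them does, while in consistent_order() the second user simply waits for the first and both succeed.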

comment:11 by Ryan J Ollos, 4 years ago

Milestone: 1.2 → 1.3.1

Let me know if you have a better idea on how to implement the feature. I will continue to think on it.

comment:12 by Ryan J Ollos, 4 years ago

Milestone: 1.3.1 → next-major-releases

comment:13 by Ryan J Ollos, 12 months ago

Owner: Ryan J Ollos removed
Status: assigned → new
