Opened 2 years ago

Last modified 2 years ago

#10827 new defect

Obscure authentication scheme

Reported by: techtonik Owned by: hasienda
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: authentication API
Cc: rjollos Trac Release: 0.11

Description

This is a reply to comment:21:ticket:8545:

#10826 is proof that, while the solution implemented in #8545 might fix some problems, it is still a hack.

A good fix will require documenting the authentication process properly, covering two user stories.

  1. How does Trac detect authenticated users internally?
  2. How do different components authenticate users at the same time?

The next step is to decouple REMOTE_USER (external auth) from Trac Auth plugins (internal auth) and provide an internal auth API that will solve the following problems:

  1. check if the user is already authenticated
  2. authenticate the user
  3. audit the authentication process
  4. skip authentication if 1. is true

Attachments (0)

Change History (1)

comment:1 in reply to: ↑ description Changed 2 years ago by hasienda

  • Cc rjollos added; anonymous removed
  • Keywords authentication API added
  • Trac Release set to 0.11

Replying to techtonik:

This is a reply to comment:21:ticket:8545:

#10826 is proof that, while the solution implemented in #8545 might fix some problems, it is still a hack.

Oh, patch welcome.

A good fix will require documenting the authentication process properly, covering two user stories.

  1. How does Trac detect authenticated users internally?
  2. How do different components authenticate users at the same time?

Why? It'll require understanding, sure. But documenting Trac's authentication belongs in Trac's own Wiki. Setting Trac standards is a core development thing as well, and will not resolve issues with existing Trac versions anyway.

Clearly, whatever deficiencies you see behind those requirements, I will not accept them as a defect for this plugin, maybe as an enhancement. OTOH I agree that setting (better) standards is a good thing, and pushing Trac development is a noble task. Btw, you're free to contribute more/better wiki documentation at a suitable place, even more so if you're able to give good advice.

The next step is to decouple REMOTE_USER (external auth) from Trac Auth plugins (internal auth)

Hm, I consider Trac plugins 'external' to Trac core as well, not only web servers, xmlrpclib and others. AccountManagerPlugin just wraps itself tightly around Trac core code, because it's not easy to hook into it by other means.

and provide an internal auth API that will solve the following problems:

  1. check if the user is already authenticated
  2. authenticate the user
  3. audit the authentication process
  4. skip authentication if 1. is true

Especially the meaning of 3 is not clear to me here. 4 should be easy, if we have consensus that it should work like this.
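The four-point API sketched in the description and quoted in the comment above, as a stand-alone Python model (an added example, not code from the ticket, Trac or AccountManagerPlugin). The authenticator shape mirrors Trac's IAuthenticator.authenticate(req) returning a username or None; Request, AuthService, the cookie name and the session table are assumptions for illustration, and the REMOTE_USER authenticator is deliberately kept separate from the cookie-based one so the two can be ordered and audited independently.

```python
"""Model of an internal auth API: check, authenticate, audit, skip.
Added example; names other than REMOTE_USER are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Request:
    environ: dict                      # WSGI-style env, may carry REMOTE_USER
    cookies: dict = field(default_factory=dict)
    authname: Optional[str] = None     # set once authentication succeeded

Authenticator = Callable[[Request], Optional[str]]  # IAuthenticator-like shape

def remote_user_auth(req: Request) -> Optional[str]:
    """External auth: trust REMOTE_USER set by the front-end web server."""
    return req.environ.get("REMOTE_USER") or None

def make_cookie_auth(sessions: dict) -> Authenticator:
    """Internal auth: resolve a trac_auth cookie through a session table."""
    def cookie_auth(req: Request) -> Optional[str]:
        return sessions.get(req.cookies.get("trac_auth"))
    return cookie_auth

class AuthService:
    def __init__(self, authenticators: list):
        self.authenticators = authenticators  # ordered: external first, then internal
        self.audit = []                       # (step, authenticator, result) tuples

    def is_authenticated(self, req: Request) -> bool:        # problem 1
        return req.authname is not None

    def authenticate(self, req: Request) -> Optional[str]:   # problems 2, 3 and 4
        if self.is_authenticated(req):                       # 4: skip if 1 is true
            self.audit.append(("skip", None, req.authname))
            return req.authname
        for auth in self.authenticators:
            name = auth(req)
            self.audit.append(("try", auth.__name__, name))  # 3: record every attempt
            if name:
                req.authname = name                          # 2: authenticated
                return name
        self.audit.append(("fail", None, None))
        return None

# Constructed sample data: one known session cookie mapping to "alice".
SESSIONS = {"c0ffee": "alice"}
service = AuthService([remote_user_auth, make_cookie_auth(SESSIONS)])
```

The audit list shows which authenticator answered for each request, which is what a reviewer of an overlapping REMOTE_USER/plugin setup would want to see.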
