Opened 4 years ago

Last modified 6 months ago

#10827 new defect

Obscure authentication scheme

Reported by: anatoly techtonik
Owned by:
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: authentication API
Cc: Ryan J Ollos
Trac Release: 0.11

Description

This is a reply to comment:21:ticket:8545:

#10826 is proof that, while the solution implemented in #8545 might fix some problems, it is still a hack.

A good fix will require documenting the authentication process properly, covering two user stories.

  1. How does Trac detect authenticated users internally?
  2. How do different components authenticate users at the same time?

The next step is to decouple REMOTE_USER (external auth) from Trac Auth plugins (internal auth) and provide an internal auth API that will solve the following problems:

  1. check if the user is already authenticated
  2. authenticate the user
  3. audit the authentication process
  4. skip authentication if 1. is true

Attachments (0)

Change History (2)

comment:1 in reply to: description Changed 4 years ago by Steffen Hoffmann

Cc: Ryan J Ollos added; anonymous removed
Keywords: authentication API added
Trac Release: 0.11

Replying to techtonik:

This is a reply to comment:21:ticket:8545:

#10826 is proof that, while the solution implemented in #8545 might fix some problems, it is still a hack.

Oh, patch welcome.

A good fix will require documenting the authentication process properly, covering two user stories.

  1. How does Trac detect authenticated users internally?
  2. How do different components authenticate users at the same time?

Why? It'll require understanding, sure. But documenting Trac's authentication belongs in Trac's own Wiki. Setting Trac standards is a core development thing as well, and will not resolve issues with existing Trac versions anyway.

Clearly, whatever deficiencies you see behind those requirements, I will not accept them as a defect for this plugin, maybe as an enhancement. OTOH I agree that setting (better) standards is a good thing, and pushing Trac development is a noble task. Btw, you're free to contribute more/better wiki documentation at a suitable place, even more so if you're able to give good advice.

The next step is to decouple REMOTE_USER (external auth) from Trac Auth plugins (internal auth)

Hm, I consider Trac plugins 'external' to Trac core as well, not only web servers, xmlrpclib and others. AccountManagerPlugin just wraps itself tightly around Trac core code, because it's not easy to hook into it by other means.

and provide an internal auth API that will solve the following problems:

  1. check if the user is already authenticated
  2. authenticate the user
  3. audit the authentication process
  4. skip authentication if 1. is true

Especially the meaning of 3 is not clear to me here. 4 should be easy, if we have consensus that it should work like this.
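As an added example that is not part of this ticket, of Trac, or of AccountManagerPlugin, the following Python model shows what the four operations listed in the description (check, authenticate, audit, skip) can look like as one small internal auth API, and gives one concrete reading of point 3, the audit step that comment:1 finds unclear: every authenticator consulted leaves a record of what it decided. It does not use Trac's own interfaces; the class and function names, the session table and the three constructed requests are assumptions made for the example.

```python
# Added example, not code from the ticket, Trac or AccountManagerPlugin.
# Models an internal auth API that keeps external auth (REMOTE_USER set by the
# web server) separate from internal auth (a plugin's own session cookie).
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

ANONYMOUS = "anonymous"


@dataclass
class Request:
    """Minimal stand-in for a Trac request: a WSGI-style environ plus cookies."""
    environ: dict
    cookies: dict = field(default_factory=dict)
    authname: str = ANONYMOUS  # who the request is authenticated as, if anyone


@dataclass
class AuditEvent:
    """One audit record: which authenticator was consulted and what it decided."""
    source: str
    user: Optional[str]
    skipped: bool = False


Authenticator = Callable[[Request], Optional[str]]


class AuthAPI:
    """Hypothetical internal auth API covering the ticket's four points:
    (1) is_authenticated, (2) authenticate, (3) audit trail, (4) short-circuit."""

    def __init__(self) -> None:
        self._authenticators: list[tuple[str, Authenticator]] = []
        self.audit_log: list[AuditEvent] = []

    def register(self, name: str, fn: Authenticator) -> None:
        """Authenticators are tried in registration order; the first hit wins."""
        self._authenticators.append((name, fn))

    def is_authenticated(self, req: Request) -> bool:  # (1)
        return req.authname != ANONYMOUS

    def authenticate(self, req: Request) -> str:  # (2)
        if self.is_authenticated(req):  # (4) skip, but still leave an audit record
            self.audit_log.append(AuditEvent("cached", req.authname, skipped=True))
            return req.authname
        for name, fn in self._authenticators:
            user = fn(req)
            self.audit_log.append(AuditEvent(name, user))  # (3)
            if user:
                req.authname = user
                return user
        return ANONYMOUS


def remote_user_auth(req: Request) -> Optional[str]:
    """External auth: REMOTE_USER as set by the web server (e.g. after HTTP
    Basic auth). It is read from the environ only; a client-sent HTTP header of
    the same name arrives as HTTP_REMOTE_USER and is therefore not honoured."""
    return req.environ.get("REMOTE_USER") or None


# Constructed session table standing in for a plugin's auth-cookie store.
SESSIONS = {"cookie-abc123": "alice"}


def cookie_auth(req: Request) -> Optional[str]:
    """Internal auth: map the plugin's auth cookie to a user."""
    return SESSIONS.get(req.cookies.get("trac_auth", ""))


def build_api() -> AuthAPI:
    api = AuthAPI()
    api.register("remote_user", remote_user_auth)  # external auth first
    api.register("cookie", cookie_auth)            # internal auth second
    return api


def run_scenarios() -> dict[str, tuple[str, list[AuditEvent]]]:
    """Three constructed requests; returns (authname, audit trail) for each."""
    results = {}
    # A: the web server already authenticated the user; plugin auth is not consulted.
    api, req = build_api(), Request(environ={"REMOTE_USER": "bob"})
    api.authenticate(req)
    results["external"] = (req.authname, api.audit_log)
    # B: no REMOTE_USER, valid plugin cookie; a second call is skipped via (4).
    api, req = build_api(), Request(environ={}, cookies={"trac_auth": "cookie-abc123"})
    api.authenticate(req)
    api.authenticate(req)
    results["internal"] = (req.authname, api.audit_log)
    # C: a client-supplied header shows up as HTTP_REMOTE_USER and is ignored.
    api, req = build_api(), Request(environ={"HTTP_REMOTE_USER": "mallory"})
    api.authenticate(req)
    results["header_only"] = (req.authname, api.audit_log)
    return results


if __name__ == "__main__":
    for name, (user, log) in run_scenarios().items():
        print(name, user, [(e.source, e.user, e.skipped) for e in log])
```

The ordering in `build_api` is the decoupling the description asks for: external auth is consulted first and, when it answers, the plugin's own mechanism never runs, while the audit log still shows which side decided. The `HTTP_REMOTE_USER` case is the check a reviewer would want to see: only the server-populated `REMOTE_USER` variable is trusted, never a header a client could set.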

comment:2 Changed 6 months ago by Ryan J Ollos

Owner: Steffen Hoffmann deleted
