Prototype of authenticating against OAuth2

Bug #1027416 reported by Paul Everitt
Affects: KARL3 | Status: Fix Released | Importance: Medium | Assigned to: Carlos de la Guardia | Milestone: (none)

Bug Description

We need Carlos to learn more about the patterns and anti-patterns about using an external identity/authentication service *in addition to* a built-in Pyramid auth system.

Let's use Substance D as the basis for this learning. Make a fork of Substance D which allows logging in with either a Substance D username/password or a Twitter login. Both should wind up binding to a principal. I suspect looking at how Ptah Crowd did it might be a good starting point.

Don't bill more than 5 hours on this, as this is just research. See if you can answer some questions:

1) When creating the principal, should you have a knob that allows you to skip the creation of a password that's stored in Substance D? Perhaps you need a way for the Admin to turn on/off different identity schemes that a user can use.

2) What if the Twitter username doesn't match the Substance D username? Does that mean you need some index to quickly scan all the users and find one with a Twitter username that matches?

3) How does this impact the creation of an auth ticket? Presumably the Twitter part isn't done on every request, but instead, only at the point that an auth ticket is needed.

4) What kind of UX do you present to the user at login time? Put both choices on one screen and let them choose (most likely)?

Tags: security oauth
Changed in karl3:
status: New → In Progress
Changed in karl3:
milestone: m112 → m113
Carlos de la Guardia (cguardia) wrote:

Ran out of time, but managed to login as admin using external providers.

1. No knob, as the user would need the password if he chooses to authenticate using substanced. The site admin can activate zero or more external providers in config.

2. This is the part that I didn't finish. We need to discuss this further.

3. After login is granted, I use remember, so the external provider is not needed anymore.

4. We present the option of logging in using any of the configured providers, including substanced as the default.

I used velruse for this, which means we get several providers for testing. However, the latest development version is needed (which means you have to check out master on the substanced project and run python setup.py develop there to make it work).

https://github.com/bbangert/velruse.git

My current work is here:

https://github.com/cguardia/substanced
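As an added example (not code from this bug, Substance D or velruse), the model below sketches the binding discussed in the comment above: an explicit index from (provider, provider user id) to principal instead of matching on usernames, accounts without a local password, an admin-controlled set of enabled providers, and a login function that only returns the userid to hand to Pyramid's `remember`. All names (`IdentityIndex`, `Principal`, `login_external`, `login_local`) and the sample data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
import hashlib, hmac, os

# Admin-configured set of enabled identity schemes (constructed; questions 1 and 4).
ENABLED_PROVIDERS = {"substanced", "twitter"}

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Principal:
    userid: str
    salt: Optional[bytes] = None
    password_hash: Optional[bytes] = None  # None: external-only account, no local password

    @classmethod
    def with_password(cls, userid: str, password: str) -> "Principal":
        salt = os.urandom(16)
        return cls(userid, salt, hash_password(password, salt))

class IdentityIndex:
    """(provider, provider user id) -> userid. Keyed on the provider's stable id,
    never on the screen name, which the user can change or give up (question 2)."""
    def __init__(self):
        self._by_identity = {}

    def bind(self, provider: str, external_id: str, userid: str) -> None:
        key = (provider, external_id)
        if self._by_identity.get(key, userid) != userid:
            raise ValueError("identity already bound to another principal")
        self._by_identity[key] = userid

    def lookup(self, provider: str, external_id: str) -> Optional[str]:
        return self._by_identity.get((provider, external_id))

def login_external(index, principals, provider, external_id) -> Optional[str]:
    """Userid to pass to remember() after a provider callback (question 3), or None."""
    if provider not in ENABLED_PROVIDERS:
        return None
    userid = index.lookup(provider, external_id)
    return userid if userid in principals else None

def login_local(principals, userid, password) -> Optional[str]:
    """Local username/password login; refused for accounts with no stored password."""
    if "substanced" not in ENABLED_PROVIDERS:
        return None
    p = principals.get(userid)
    if p is None or p.password_hash is None:
        return None
    if not hmac.compare_digest(p.password_hash, hash_password(password, p.salt)):
        return None
    return userid
```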

Paul Everitt (paul-agendaless) wrote:

Carlos, I realize you've run up against the 5 hour limit. Still, I'd like to sort out the part about connecting identities to principals. So let's put another 5 hours on this if needed and try to wrap this up in M113.

JimPGlenn (jpglenn09)
Changed in karl3:
milestone: m113 → m114
JimPGlenn (jpglenn09)
Changed in karl3:
milestone: m114 → m115
Carlos de la Guardia (cguardia) wrote:

An add-on for substanced implementing lessons learned is here:

https://github.com/cguardia/substanced_velruse.git

Changed in karl3:
status: In Progress → Fix Committed
JimPGlenn (jpglenn09)
Changed in karl3:
status: Fix Committed → Fix Released