Support #5407

Should Kerberos login happen without interaction?

Added by Frédéric Péters over 9 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 08 September 2014
Due date: 31 March 2016
% Done: 100%
Estimated time:
Patch proposed: No
Planning:

Description

I don't have kerberos configured locally so I can't tell for sure, feel free to reject if I'm wrong.

If the user has a valid kerberos ticket, the user shouldn't be stopped on authentic, the sso process should continue by itself, for a fully-automatic experience. (This may also imply that the Kerberos tab should never be displayed, as it would then only appear when the user doesn't have a ticket anyway.)

History

#1

Updated by Benjamin Dauvergne over 9 years ago

It currently works like that using the autologin.js script from django-kerberos, but the user still sees the login page for a few milliseconds. I could have used a middleware to log in automatically on reception of the AuthnRequest, but it would become impossible to not log in using Kerberos. autologin.js makes an AJAX request to the Kerberos login view, which returns a JSON boolean value; if login succeeds, a cookie is set to forbid autologin for the next 15 minutes.

If you do not want to log in using your Kerberos account, you just need to log out and then you can see the login page without automatically logging in using Kerberos.
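The flow described in this comment, as an added example that is not django-kerberos's autologin.js or part of the original thread. The cookie name, the `tryKerberos` callback (a stand-in for the AJAX call to the Kerberos login view) and returning the cookie string to the caller are assumptions.

```javascript
// Added sketch: decide whether the login page may attempt a passive
// Kerberos login. All names here are hypothetical.
const SUPPRESS_COOKIE = 'kerberos_autologin_off'; // assumed cookie name
const SUPPRESS_SECONDS = 15 * 60;                 // "next 15 minutes"

// Parse a document.cookie style string into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;                      // skip empty or malformed parts
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// cookieHeader: current cookies as a string.
// tryKerberos:  returns the parsed JSON body of the Kerberos login view.
function autologin(cookieHeader, tryKerberos) {
  const stay = { action: 'show-login-page', setCookie: null };

  // A recent automatic login happened: do not retry, so a user who has
  // just logged out can pick another authentication method.
  if (parseCookies(cookieHeader).has(SUPPRESS_COOKIE)) return stay;

  let ok = false;
  try {
    // Fail closed: only a JSON boolean true counts as a successful login.
    ok = tryKerberos() === true;
  } catch (err) {
    ok = false;                                   // network error, 401, bad JSON
  }
  if (!ok) return stay;

  // Not HttpOnly on purpose: the script must be able to see the cookie.
  const setCookie = `${SUPPRESS_COOKIE}=1; Max-Age=${SUPPRESS_SECONDS}; ` +
                    'Path=/; Secure; SameSite=Lax';
  return { action: 'continue-sso', setCookie };
}
```
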

#2

Updated by Benjamin Dauvergne over 9 years ago

  • Status changed from New to Resolved (to deploy)
  • % Done changed from 0 to 100

#3

Updated by Benjamin Dauvergne over 9 years ago

  • Status changed from Resolved (to deploy) to New

#4

Updated by Benjamin Dauvergne over 9 years ago

  • Status changed from New to Closed

It seems to me I answered your worries, I close.

#5

Updated by Frédéric Péters over 9 years ago

I am not sure I have all my answers yet (sorry I missed the answer as that bug got automatically marked as resolved by an unrelated commit).

(This may also imply that the Kerberos tab should never be displayed, as it would then only appear when the user doesn't have a ticket anyway)

I don't want to open another ticket for nothing but I believe this report came because cresson.entrouvert.org has a login page with Kerberos & Password tabs (in that order, Kerberos being shown by default), and that Kerberos tab didn't make sense for me (if the user has a valid kerberos ticket he shouldn't be stopped on the page, and if he does not there's no sense in showing the kerberos tab).

I understand now there's stuff happening on the client-side (that autologin.js thing) but this shouldn't interfere (in my opinion) with what's displayed on the login page, especially not disturbing the expected flow and having to select a different tab to enter credentials.

#6

Updated by Benjamin Dauvergne over 9 years ago

  • Status changed from Closed to New

Ok I see your point now.

The tab is needed because you may want to log in with your ticket, but you may also want to log in normally with a login/password to test something (or using X509 or anything else). If we always log people in automatically when they have some passive credential active (an X509 certificate or a Kerberos ticket) then they are locked into this mode of authentication. What I try to do with passive authentication methods is to autologin on the first try, then set a cookie so that if they log out immediately they can try another authentication method.

I should probably also set this cookie on the logout view or only on the logout view.

The Kerberos tab being before the login/password one is only related to the loading order of the different authentication methods, there is maybe a need for authentication methods to provide the order they want to be loaded (maybe just with an `after` version of the get_auth_frontends() method of the Plugin object).

#7

Updated by Benjamin Dauvergne about 9 years ago

  • Status changed from New to Information needed

The Kerberos tab on cresson is not shown first now, is the problem fixed for you?

#8

Updated by Benjamin Dauvergne about 9 years ago

  • Target version set to future

#9

Updated by Benjamin Dauvergne over 8 years ago

  • Due date set to 31 March 2016

#10

Updated by Brice Mallet over 8 years ago

  • Assignee set to Benjamin Dauvergne

#11

Updated by Benjamin Dauvergne over 8 years ago

Kerberos tab should only appear when the a2_just_logged_out cookie is present (as Kerberos login should be automatic).

#12

Updated by Benjamin Dauvergne over 8 years ago

  • Status changed from Information needed to New
  • Target version changed from future to 2.2.0

#13

Updated by Benjamin Dauvergne about 8 years ago

  • Status changed from New to Solution deployed

It's fixed in release 1.1.0 of authentic2-auth-kerberos.

#14

Updated by Benjamin Dauvergne over 6 years ago

  • Status changed from Solution deployed to Closed
