Support #5407

Should Kerberos login happen without interaction?

Added by Frédéric Péters almost 5 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Category:
-
Target version:
Start date:
08 Sep 2014
Due date:
31 Mar 2016
% Done:
100%

Patch proposed:
No
Planning:
No

Description

I don't have Kerberos configured locally so I can't tell for sure, feel free to reject if I'm wrong.

If the user has a valid Kerberos ticket, the user shouldn't be stopped on authentic, the SSO process should continue by itself, for a fully-automatic experience. (This may also imply that the Kerberos tab should never be displayed, as it would then only appear when the user doesn't have a ticket anyway.)

History

#1 Updated by Benjamin Dauvergne almost 5 years ago

It currently works like that using the autologin.js script from django-kerberos, but the user still sees the login page for a few milliseconds. I could have used a middleware to log in automatically on the AuthnRequest reception, but it would become impossible not to log in using Kerberos. The autologin.js makes an AJAX request on the Kerberos login view, which returns a JSON boolean value; if login succeeds, a cookie is put to forbid autologin for the next 15 minutes.

If you do not want to log in using your Kerberos account, you just need to log out and then you can see the login page without automatically logging in using Kerberos.

#2 Updated by Benjamin Dauvergne almost 5 years ago

  • Status changed from New to Resolved (to deploy)
  • % Done changed from 0 to 100

#3 Updated by Benjamin Dauvergne almost 5 years ago

  • Status changed from Resolved (to deploy) to New

#4 Updated by Benjamin Dauvergne over 4 years ago

  • Status changed from New to Closed

It seems to me I answered your worries, so I'm closing.

#5 Updated by Frédéric Péters over 4 years ago

I am not sure I have all my answers yet (sorry I missed the answer as that bug got automatically marked as resolved by an unrelated commit).

(This may also imply that the Kerberos tab should never be displayed, as it would then only appear when the user doesn't have a ticket anyway)

I don't want to open another ticket for nothing but I believe this report came because cresson.entrouvert.org has a login page with Kerberos & Password tabs (in that order, Kerberos being shown by default), and that Kerberos tab didn't make sense to me (if the user has a valid Kerberos ticket he shouldn't be stopped on the page, and if he does not there's no sense in showing the Kerberos tab).

I understand now there's stuff happening on the client side (that autologin.js thing) but this shouldn't interfere (in my opinion) with what's displayed on the login page, especially not disturbing the expected flow and having to select a different tab to enter credentials.

#6 Updated by Benjamin Dauvergne over 4 years ago

  • Status changed from Closed to New

Ok I see your point now.

The tab is needed because you may want to log in with your ticket, but you may also want to log in normally with a login/password to test something (or you are using X509 or anything else). If we always log people in automatically when they have some passive credential active (an X509 certificate or a Kerberos ticket) then they are locked in this mode of authentication. What I try to do with passive authentication methods is to autologin on the first try, then put a cookie so that if they log out immediately they can try another authentication method.

I should probably also set this cookie on the logout view or only on the logout view.

The Kerberos tab being before the login/password one is only related to the loading order of the different authentication methods; there is maybe a need for authentication methods to provide the order they want to be loaded in (maybe just with an `after` version of the get_auth_frontends() method of the Plugin object).

#7 Updated by Benjamin Dauvergne over 4 years ago

  • Status changed from New to Information needed

The Kerberos tab on cresson is not shown first now, is the problem fixed for you?

#8 Updated by Benjamin Dauvergne over 4 years ago

  • Target version set to future

#9 Updated by Benjamin Dauvergne over 3 years ago

  • Due date set to 31 Mar 2016

#10 Updated by Brice Mallet over 3 years ago

  • Assignee set to Benjamin Dauvergne

#11 Updated by Benjamin Dauvergne over 3 years ago

Kerberos tab should only appear when the a2_just_logged_out cookie is present (as Kerberos login should be automatic).
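The client-side decision logic described in #1 (AJAX call to the Kerberos login view returning a JSON boolean, autologin suppressed by a cookie for 15 minutes) together with the tab rule from #11, as an added example; this is not authentic2's or django-kerberos's own autologin.js. Assumed: only the cookie name `a2_just_logged_out` and the 15-minute window come from the ticket; the function names, return labels and the injected `kerberosLogin` callback are constructed for illustration.

```javascript
// Added example, not the project's code. Cookie name (comment #11) and
// 15-minute suppression window (comment #1) are from the ticket; the rest is assumed.
const JUST_LOGGED_OUT_COOKIE = 'a2_just_logged_out';
const SUPPRESS_MS = 15 * 60 * 1000;

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Autologin is attempted only when the user has not just logged out.
function shouldAttemptAutologin(cookieString) {
  return !(JUST_LOGGED_OUT_COOKIE in parseCookies(cookieString));
}

// Comment #11: the Kerberos tab is shown only while the cookie is present,
// i.e. exactly when autologin is suppressed and the user needs a manual way in.
function showKerberosTab(cookieString) {
  return !shouldAttemptAutologin(cookieString);
}

// Set-Cookie value a logout handler would emit to suppress autologin for 15 minutes.
function justLoggedOutCookie(now) {
  const expires = new Date(now.getTime() + SUPPRESS_MS).toUTCString();
  return `${JUST_LOGGED_OUT_COOKIE}=1; Expires=${expires}; Path=/; SameSite=Lax`;
}

// Full decision. `kerberosLogin` stands in for the AJAX call and returns the
// view's JSON boolean. Only a strict `true` counts as success: an HTML error page
// or any other truthy payload must not be mistaken for a successful login.
function autologin(cookieString, kerberosLogin) {
  if (!shouldAttemptAutologin(cookieString)) return 'skipped';
  let result;
  try {
    result = kerberosLogin();
  } catch (e) {
    return 'show_login_page'; // network or server error: fall back to the form
  }
  if (result === true) return 'logged_in'; // the real script would then reload
  return 'show_login_page'; // no ticket or SPNEGO refused: show the normal page
}
```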

#12 Updated by Benjamin Dauvergne over 3 years ago

  • Target version changed from future to 2.2.0
  • Status changed from Information needed to New

#13 Updated by Benjamin Dauvergne over 3 years ago

  • Status changed from New to Solution deployed

It's fixed in release 1.1.0 of authentic2-auth-kerberos.

#14 Updated by Benjamin Dauvergne over 1 year ago

  • Status changed from Solution deployed to Closed