Support #5407
Should Kerberos login happen without interaction?
100%
Description
I don't have kerberos configured locally so I can't tell for sure, feel free to reject if I'm wrong.
If the user has a valid kerberos ticket, the user shouldn't be stopped on authentic, the sso process should continue by itself, for a fully-automatic experience. (This may also imply that the Kerberos tab should never be displayed, as it would then only appear when the user doesn't have a ticket anyway.)
History
Updated by Benjamin Dauvergne over 9 years ago
It currently works like that using the `autologin.js` script from django-kerberos, but the user still sees the login page for a few milliseconds. I could have used a middleware to log in automatically on the AuthnRequest reception, but it would become impossible to not log in using Kerberos. The `autologin.js` script makes an AJAX request on the Kerberos login view, which returns a JSON boolean value; if login succeeds, a cookie is put to forbid autologin for the next 15 minutes.
If you do not want to log in using your Kerberos account, you just need to log out and then you can see the login page without automatically logging in using Kerberos.
Updated by Benjamin Dauvergne over 9 years ago
- Status changed from New to Resolved (to be deployed)
- % Done changed from 0 to 100
Applied in commit 7b8c6573decd3184b7475feb2db8155c88217acf.
Updated by Benjamin Dauvergne over 9 years ago
- Status changed from Resolved (to be deployed) to New
Updated by Benjamin Dauvergne over 9 years ago
- Status changed from New to Closed
It seems to me I answered your worries, I close.
Updated by Frédéric Péters over 9 years ago
I am not sure I have all my answers yet (sorry I missed the answer as that bug got automatically marked as resolved by an unrelated commit).
(This may also imply that the Kerberos tab should never be displayed, as it would then only appear when the user doesn't have a ticket anyway)
I don't want to open another ticket for nothing but I believe this report came because cresson.entrouvert.org has a login page with Kerberos & Password tabs (in that order, Kerberos being shown by default), and that Kerberos tab didn't make sense for me (if the user has a valid kerberos ticket he shouldn't be stopped on the page, and if he does not there's no sense in showing the kerberos tab).
I understand now there's stuff happening on the client-side (that `autologin.js` thing) but this shouldn't interfere (in my opinion) with what's displayed on the login page, especially not disturbing the expected flow and having to select a different tab to enter credentials.
Updated by Benjamin Dauvergne over 9 years ago
- Status changed from Closed to New
Ok I see your point now.
The tab is needed because you may want to log in with your ticket, but you may also want to log in normally with a login/password to test something (or using X509 or anything else). If we always log people in automatically when they have some passive credential active (an X509 certificate or a Kerberos ticket) then they are locked in this mode of authentication. What I try to do with passive authentication methods is to autologin on the first try, then put a cookie so that if they log out immediately they can try another authentication method.
I should probably also set this cookie on the logout view or only on the logout view.
The Kerberos tab being before the login/password one is only related to the loading order of the different authentication methods; there is maybe a need for authentication methods to provide the order they want to be loaded (maybe just with an `after` version of the `get_auth_frontends()` method of the `Plugin` object).
Updated by Benjamin Dauvergne about 9 years ago
- Status changed from New to Information needed
The Kerberos tab on cresson is not shown first now, is the problem fixed for you?
Updated by Benjamin Dauvergne over 8 years ago
Kerberos tab should only appear when the `a2_just_logged_out` cookie is present (as Kerberos login should be automatic).
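Added example, not part of the original thread and not code from django-kerberos or authentic2: a sketch of the client-side decision discussed above, combining the 15-minute autologin cookie with the `a2_just_logged_out` rule. Only `a2_just_logged_out` is named in the thread; the other cookie name, the view URL, setting the cookie from the client, and skipping autologin right after logout are assumptions.

```javascript
// Added illustration. Only a2_just_logged_out comes from the thread;
// every other name and value below is hypothetical.
const JUST_LOGGED_OUT = 'a2_just_logged_out';
const AUTOLOGIN_DONE = 'krb_autologin_done';       // hypothetical cookie name
const AUTOLOGIN_DONE_TTL = 15 * 60;                // seconds ("next 15 minutes")
const KERBEROS_LOGIN_URL = '/accounts/kerberos/';  // hypothetical view URL

// Names of the cookies present in a document.cookie-style string.
function cookieNames(cookieString) {
  return new Set(
    String(cookieString || '')
      .split(';')
      .map((part) => part.split('=')[0].trim())
      .filter((name) => name.length > 0)
  );
}

// What the login page should do on this visit.
function loginPagePlan(cookieString) {
  const names = cookieNames(cookieString);
  const justLoggedOut = names.has(JUST_LOGGED_OUT);
  return {
    // No silent attempt after a logout or a recent autologin,
    // so the user is not locked into the passive credential.
    attemptAutologin: !justLoggedOut && !names.has(AUTOLOGIN_DONE),
    // The tab is only offered to someone who has just logged out.
    showKerberosTab: justLoggedOut,
  };
}

// Interpret the JSON body of the login view: only the literal boolean
// true counts as success, never a truthy string or an error object.
function autologinOutcome(body) {
  const loggedIn = body === true;
  const cookie = `${AUTOLOGIN_DONE}=1; Max-Age=${AUTOLOGIN_DONE_TTL}; Path=/; SameSite=Lax`;
  return { loggedIn, setCookie: loggedIn ? cookie : null };
}

// Browser wiring; skipped when run outside a browser.
if (typeof document !== 'undefined' && loginPagePlan(document.cookie).attemptAutologin) {
  fetch(KERBEROS_LOGIN_URL, { credentials: 'same-origin' })
    .then((response) => response.json())
    .then((body) => {
      const outcome = autologinOutcome(body);
      if (outcome.loggedIn) { document.cookie = outcome.setCookie; window.location.reload(); }
    })
    .catch(() => { /* no ticket or negotiation failed: leave the login page as is */ });
}
```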
Updated by Benjamin Dauvergne over 8 years ago
- Status changed from Information needed to New
- Target version changed from future to 2.2.0
Updated by Benjamin Dauvergne about 8 years ago
- Status changed from New to Solution deployed
It's fixed in release 1.1.0 of authentic2-auth-kerberos.
Updated by Benjamin Dauvergne over 6 years ago
- Status changed from Solution deployed to Closed