Should Kerberos login happen without interaction?
I don't have kerberos configured locally so I can't tell for sure, feel free to reject if I'm wrong.
If the user has a valid kerberos ticket, the user shouldn't be stopped on authentic, the sso process should continue by itself, for a fully-automatic experience. (This may also imply that the Kerberos tab should never be displayed, as it would then only appear when the user doesn't have a ticket anyway.)
Updated by Benjamin Dauvergne over 8 years ago
It currently works like that using the autologin.js script from django-kerberos but the user still sees the login page for a few milliseconds. I could have used a middleware to login automatically on the AuthnRequest reception but it would become impossible not to login using Kerberos. The autologin.js makes an AJAX request on the Kerberos login view, which returns a JSON boolean value; if login succeeds, a cookie is put to forbid autologin for the next 15 minutes.
If you do not want to login using your Kerberos account, you just need to logout and then you can see the login page without automatically logging in using Kerberos.
Updated by Frédéric Péters about 8 years ago
I am not sure I have all my answers yet (sorry I missed the answer as that bug got automatically marked as resolved by an unrelated commit).
(This may also imply that the Kerberos tab should never be displayed, as it would then only appear when the user doesn't have a ticket anyway)
I don't want to open another ticket for nothing but I believe this report came because cresson.entrouvert.org has a login page with Kerberos & Password tabs (in that order, Kerberos being shown by default), and that Kerberos tab didn't make sense for me (if the user has a valid kerberos ticket he shouldn't be stopped on the page, and if he does not there's no sense in showing the kerberos tab).
I understand now there's stuff happening on the client-side (that autologin.js thing) but this shouldn't interfere (in my opinion) with what's displayed on the login page, especially not disturbing the expected flow and having to select a different tab to enter credentials.
Updated by Benjamin Dauvergne about 8 years ago
- Status changed from Fermé to Nouveau
Ok I see your point now.
The tab is needed because you may want to login with your ticket, but you may also want to login normally with a login/password to test something (or you are using X509 or anything else). If we always login people automatically when they have some passive credential active (an X509 certificate or a Kerberos ticket) then they are locked in this mode of authentication. What I try to do with passive authentication methods is to autologin on the first try then put a cookie so that if they logout immediately they can try another authentication method.
I should probably also set this cookie on the logout view or only on the logout view.
The Kerberos tab being before the login/password one is only related to the loading order of the different authentication methods, there is maybe a need for authentication methods to provide the order they want to be loaded (maybe just with an `after` version of the get_auth_frontends() method of the
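The passive-authentication flow Benjamin describes in his two replies (autologin.js calls the Kerberos login view, which answers a JSON boolean and, on success, sets a cookie that suppresses autologin for 15 minutes; the follow-up idea of also setting that cookie on logout) can be modelled without Django, as the added example below does. This is not authentic's or django-kerberos's code: the `Request`/`Response` classes, the `no-autologin` cookie name, the `kerberos_principal` attribute standing in for the server-side SPNEGO result, and the `visit_login_page` simulation are all assumptions made for illustration; the 15-minute window is the value stated in the thread.

```python
# Added example, not from the thread or the project. Models the passive
# (Kerberos) autologin gate: a JSON-boolean login view, a suppression cookie
# with a 15-minute Max-Age, and a logout view that also plants the cookie so
# the user can choose another authentication method right after logging out.
import json
from dataclasses import dataclass, field
from typing import Optional

NO_AUTOLOGIN_COOKIE = "no-autologin"   # assumed cookie name (not from the thread)
NO_AUTOLOGIN_MAX_AGE = 15 * 60         # the 15-minute window stated in the thread


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    # Principal established by the server's SPNEGO negotiation; None means the
    # browser presented no valid Kerberos ticket (assumed abstraction).
    kerberos_principal: Optional[str] = None


@dataclass
class Response:
    body: str = ""
    cookies_to_set: dict = field(default_factory=dict)   # name -> (value, max_age)

    def set_cookie(self, name: str, value: str, max_age: int) -> None:
        self.cookies_to_set[name] = (value, max_age)


class CookieJar:
    """Minimal browser cookie store honouring Max-Age, so the suppression
    window can be exercised deterministically with an explicit clock."""
    def __init__(self):
        self._store = {}   # name -> (value, expires_at)

    def absorb(self, response: Response, now: float) -> None:
        for name, (value, max_age) in response.cookies_to_set.items():
            self._store[name] = (value, now + max_age)

    def for_request(self, now: float) -> dict:
        return {n: v for n, (v, exp) in self._store.items() if exp > now}


def autologin_allowed(request: Request) -> bool:
    """What autologin.js checks before firing its AJAX request."""
    return NO_AUTOLOGIN_COOKIE not in request.cookies


def kerberos_login_view(request: Request) -> Response:
    """AJAX Kerberos login view: JSON boolean, plus the suppression cookie on success."""
    response = Response()
    success = request.kerberos_principal is not None
    response.body = json.dumps(success)
    if success:
        response.set_cookie(NO_AUTOLOGIN_COOKIE, "1", NO_AUTOLOGIN_MAX_AGE)
    return response


def logout_view(request: Request) -> Response:
    """Logout also plants the cookie, so a user who logs out right away lands on
    the full login page and can pick another method (the thread's follow-up idea)."""
    response = Response()
    response.set_cookie(NO_AUTOLOGIN_COOKIE, "1", NO_AUTOLOGIN_MAX_AGE)
    return response


def visit_login_page(jar: CookieJar, principal: Optional[str], now: float) -> str:
    """One load of the login page; returns what the user ends up seeing."""
    request = Request(cookies=jar.for_request(now), kerberos_principal=principal)
    if not autologin_allowed(request):
        return "login-page"             # tabs shown, no AJAX attempt made
    response = kerberos_login_view(request)
    jar.absorb(response, now)
    if json.loads(response.body):
        return "auto-logged-in"         # SSO continued without interaction
    return "login-page"                 # no ticket: fall back to the tabs


def scenario_with_ticket() -> list:
    """Constructed walk-through for a browser that holds a valid ticket."""
    jar = CookieJar()
    user = "alice@EXAMPLE.ORG"                                   # constructed principal
    seen = [visit_login_page(jar, user, now=0)]                  # first try: autologin
    seen.append(visit_login_page(jar, user, now=60))             # cookie set: suppressed
    jar.absorb(logout_view(Request(cookies=jar.for_request(60))), now=60)  # renews to t=960
    seen.append(visit_login_page(jar, user, now=14 * 60))        # still inside the window
    seen.append(visit_login_page(jar, user, now=17 * 60))        # expired: autologin again
    return seen


def scenario_without_ticket() -> list:
    """Without a ticket the view answers false and no cookie is set, so every
    page load attempts autologin and falls back to the tabs."""
    jar = CookieJar()
    return [visit_login_page(jar, None, now=0), visit_login_page(jar, None, now=1)]


if __name__ == "__main__":
    print(scenario_with_ticket())
    print(scenario_without_ticket())
```

The simulation makes the trade-off Benjamin describes visible: with the cookie set only by the login view, a user who logs out inside the window already sees the tabs, and setting it again on logout simply restarts the 15-minute clock from the logout.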