MyFedora cross domain authentication issues

Toshio Kuratomi a.badger at gmail.com
Sat Mar 15 04:30:35 UTC 2008


John (J5) Palmieri wrote:
> On Thu, 2008-03-13 at 17:59 -0500, Toshio Kuratomi wrote:
>> J5: Look at how jsonfas is implemented and tell me if that would work for this 
>> model.
>>
>> bzr branch bzr://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel
>>
>> cd python-fedora-devel/fedora/tg/identity
>> vim jsonfasprovider.py
>> # Take a look at JsonFasIdentity
>>
>> -Toshio
> 
> It looks promising though I am not totally sure how it works.  Let me see
> if I get this right. At the start of the proxied request (basically just
> a TG controller in my domain which is called via JSON) I create a
> JsonFasIdentity and supply it with the user, username and password using
> the tg.identity object or is that the JsonFasIdentity?  It will then set
> the correct cookies for the next link.  I make my next JSON call to a
> FAS2 enabled resource like Bodhi and Bodhi treats me as if I was logged
> in?  Is this correct?  Do I call logout on the JsonFasIdentity object?
> Can this stand up to being called 10 times per page load for each query
> I need to make?
> 

This is how jsonfasprovider works:

1) The user visits myfedora and enters a username/password to log in.
2) The login request uses jsonfasprovider to authenticate the user 
against fas. Fas allows the user and sends a cookie back to myfedora.
3) myfedora (still via jsonfasprovider) sets the cookie on the user's 
browser.

This applies to myfedora because myfedora can use a similar method to 
send the user's authentication token to Bodhi.  You'll inherit from 
BaseClient similar to what JsonFasIdentity does but targeted at Bodhi's 
location instead of FAS (Call it BodhiClient, for now).

1) Logged in user accesses myfedora
2) You instantiate a BodhiClient object.
3) You set or have BodhiClient set _sessionCookie with the visit_key 
(available from identity.current.visit_key)
4) You call or have BodhiClient send_request() to retrieve your data. 
(Remember to specify auth=True since the client needs to retrieve the 
data for the authenticated user.)
5) Operate on the data.

So you are proxying the session cookie that the user sends to you to the 
actual server that is providing the information.

-Toshio
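
The session-cookie proxying described in the message above, as an added example that is not part of the original post and is not python-fedora code. `BodhiClient` here is a self-contained stand-in rather than a real `BaseClient` subclass; `build_request()`, the `tg-visit` cookie name, the alphanumeric visit-key format and the `bodhi.example.invalid` host are assumptions, and the request is built but never sent so the block runs offline.

```python
from urllib.parse import urljoin, urlsplit
from urllib.request import Request

VISIT_COOKIE = "tg-visit"  # assumption: TurboGears 1 default visit cookie name


class AuthError(Exception):
    """Raised when auth=True is requested but no session cookie is set."""


class BodhiClient:
    """Hypothetical stand-in for the BaseClient subclass described above."""

    def __init__(self, base_url):
        parts = urlsplit(base_url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("upstream must be an https:// URL")
        self.base_url = base_url.rstrip("/") + "/"
        self._upstream = (parts.scheme, parts.hostname)
        self._sessionCookie = None

    def set_visit_key(self, visit_key):
        # Assumption: visit keys are opaque alphanumeric tokens. Rejecting
        # anything else keeps CR/LF or ';' out of the Cookie header.
        if not (visit_key.isascii() and visit_key.isalnum()):
            raise ValueError("malformed visit key")
        self._sessionCookie = f"{VISIT_COOKIE}={visit_key}"

    def build_request(self, method, auth=False):
        """Build (but do not send) the request send_request() would make."""
        url = urljoin(self.base_url, method.lstrip("/"))
        target = urlsplit(url)
        # The user's cookie must only ever travel to the configured upstream.
        if (target.scheme, target.hostname) != self._upstream:
            raise ValueError("method resolves outside the upstream server")
        req = Request(url, headers={"Accept": "application/json"})
        if auth:
            if self._sessionCookie is None:
                raise AuthError("auth=True but no visit key was set")
            req.add_header("Cookie", self._sessionCookie)
        return req
```

In the proxying controller the value passed to `set_visit_key()` would be `identity.current.visit_key`, as in step 3.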
