MyFedora cross domain authentication issues

John (J5) Palmieri johnp at redhat.com
Mon Mar 17 13:51:38 UTC 2008


On Fri, 2008-03-14 at 23:30 -0500, Toshio Kuratomi wrote:
> John (J5) Palmieri wrote:
> > On Thu, 2008-03-13 at 17:59 -0500, Toshio Kuratomi wrote:
> >> J5: Look at how jsonfas is implemented and tell me if that would work for this
> >> model.
> >>
> >> bzr branch bzr://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel
> >>
> >> cd python-fedora-devel/fedora/tg/identity
> >> vim jsonfasprovider.py
> >> # Take a look at JsonFasIdentity
> >>
> >> -Toshio
> > 
> > It looks promising though I am not totally sure how it works.  Let me see
> > if I get this right. At the start of the proxied request (basically just
> > a TG controller in my domain which is called via JSON) I create a
> > JsonFasIdentity and supply it with the user, username and password using
> > the tg.identity object or is that the JsonFasIdentity?  It will then set
> > the correct cookies for the next link.  I make my next JSON call to a
> > FAS2 enabled resource like Bodhi and Bodhi treats me as if I was logged
> > in?  Is this correct?  Do I call logout on the JsonFasIdentity object?
> > Can this stand up to being called 10 times per page load for each query
> > I need to make?
> > 
> 
> This is how jsonfasprovider works:
> 
> 1) The user visits myfedora and enters a username/password to log in.
> 2) The login request uses jsonfasprovider to authenticate the user
> against fas.  Fas allows the user and sends a cookie back to myfedora.
> 3) myfedora (still via jsonfasprovider) sets the cookie on the user's 
> browser.
> 
> This applies to myfedora because myfedora can use a similar method to 
> send the user's authentication token to Bodhi.  You'll inherit from 
> BaseClient similar to what JsonFasIdentity does but targeted at Bodhi's 
> location instead of FAS (Call it BodhiClient, for now).
> 
> 1) Logged in user accesses myfedora
> 2) You instantiate a BodhiClient object.
> 3) You set or have BodhiClient set _sessionCookie with the visit_key 
> (available from identity.current.visit_key)
> 4) You call or have BodhiClient send_request() to retrieve your data. 
> (Remember to specify auth=True since the client needs to retrieve the 
> data for the authenticated user.)
> 5) Operate on the data.
> 
> So you are proxying the session cookie that the user sends to you to the 
> actual server that is providing the information.
> 
> -Toshio

Win!!! I'll try to get this working soon. Thanks.


-- 
John (J5) Palmieri <johnp at redhat.com>
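An added example, not python-fedora's code nor anything from this thread, sketching steps 2 to 4 of Toshio's BodhiClient flow as a small self-contained Python class: the cookie for the logged-in user's visit_key is attached only when auth=True, and only to an allowed https host, since the forwarded session cookie is a bearer credential for that user. The base URL, host allow-list, the `tg-visit` cookie name and the `tg_format=json` suffix are assumptions.

```python
"""Hypothetical proxy client modelled on the BaseClient/BodhiClient flow
described in the mail above.  Nothing here is python-fedora's own code."""
from urllib.parse import urlencode, urljoin, urlparse
from urllib.request import Request

# Constructed allow-list: the only hosts this proxy may fetch data from on
# the user's behalf.  The forwarded visit cookie is a bearer credential, so
# it must never be sent anywhere else, and never over plain http.
ALLOWED_HOSTS = {"bodhi.example.org"}
COOKIE_NAME = "tg-visit"  # assumed name of the TurboGears visit cookie


class ProxyClient:
    """Builds JSON requests to a FAS-enabled service, attaching the
    logged-in user's visit_key as the session cookie when auth=True."""

    def __init__(self, base_url, visit_key=None):
        parsed = urlparse(base_url)
        if parsed.scheme != "https":
            raise ValueError("session cookies may only be proxied over https")
        if parsed.hostname not in ALLOWED_HOSTS:
            raise ValueError("refusing to proxy credentials to %r" % parsed.hostname)
        self.base_url = base_url.rstrip("/") + "/"
        # Step 3: in myfedora this would come from identity.current.visit_key
        self._session_cookie = visit_key

    def build_request(self, method, auth=False, input=None):
        """Step 4: assemble the request that send_request() would issue.
        Returns a urllib Request so its headers can be inspected offline."""
        if auth and not self._session_cookie:
            raise PermissionError("auth=True but no session cookie for this user")
        url = urljoin(self.base_url, method.lstrip("/")) + "?tg_format=json"
        data = urlencode(input).encode() if input else None
        req = Request(url, data=data, headers={"Accept": "application/json"})
        if auth:
            # Only the authenticated path forwards the user's cookie.
            req.add_header("Cookie", "%s=%s" % (COOKIE_NAME, self._session_cookie))
        return req


if __name__ == "__main__":
    # Constructed sample: visit_key as it would be read from identity.current
    client = ProxyClient("https://bodhi.example.org/updates", visit_key="abc123")
    req = client.build_request("list", auth=True)
    print(req.full_url, req.get_header("Cookie"))
```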