MyFedora cross domain authentication issues
John (J5) Palmieri
johnp at redhat.com
Mon Mar 17 13:51:38 UTC 2008
On Fri, 2008-03-14 at 23:30 -0500, Toshio Kuratomi wrote:
> John (J5) Palmieri wrote:
> > On Thu, 2008-03-13 at 17:59 -0500, Toshio Kuratomi wrote:
> >> J5: Look at how jsonfas is implemented and tell me if that would work for this
> >> model.
> >>
> >> bzr branch bzr://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel
> >>
> >> cd python-fedora-devel/fedora/tg/identity
> >> vim jsonfasprovider.py
> >> # Take a look at JsonFasIdentity
> >>
> >> -Toshio
> >
> > It looks promising though I am not totally sure how it works. Let me see
> > if I get this right. At the start of the proxied request (basically just
> > a TG controller in my domain which is called via JSON) I create a
> > JsonFasIdentity and supply it with the user, username and password using
> > the tg.identity object or is that the JsonFasIdentity? It will then set
> > the correct cookies for the next link. I make my next JSON call to a
> > FAS2 enabled resource like Bodhi and Bodhi treats me as if I was logged
> > in? Is this correct? Do I call logout on the JsonFasIdentity object?
> > Can this stand up to being called 10 times per page load for each query
> > I need to make?
> >
>
> This is how jsonfasprovider works:
>
> 1) The user visits myfedora and enters a username/password to log in.
> 2) The login request uses jsonfasprovider to authenticate the user
> against fas. Fas allows the user and sends a cookie back to myfedora.
> 3) myfedora (still via jsonfasprovider) sets the cookie on the user's
> browser.
>
> This applies to myfedora because myfedora can use a similar method to
> send the user's authentication token to Bodhi. You'll inherit from
> BaseClient similar to what JsonFasIdentity does but targeted at Bodhi's
> location instead of FAS (Call it BodhiClient, for now).
>
> 1) Logged in user accesses myfedora
> 2) You instantiate a BodhiClient object.
> 3) You set or have BodhiClient set _sessionCookie with the visit_key
> (available from identity.current.visit_key)
> 4) You call or have BodhiClient send_request() to retrieve your data.
> (Remember to specify auth=True since the client needs to retrieve the
> data for the authenticated user.)
> 5) Operate on the data.
>
> So you are proxying the session cookie that the user sends to you to the
> actual server that is providing the information.
>
> -Toshio
Win!!! I'll try to get this working soon. Thanks.
--
John (J5) Palmieri <johnp at redhat.com>
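As an added example (not python-fedora's BaseClient, nor code from anyone in this thread), here is the cookie-proxying client Toshio outlines, in Python. BodhiClient, its injected transport callable, the 'tg-visit' cookie name, the tg_format=json query parameter and the bodhi.example.org URL are all assumptions; the transport is injected so the block runs offline.

```python
from urllib.parse import quote, urljoin


class BodhiClient:
    """Hypothetical stand-in for a BaseClient subclass pointed at Bodhi.

    It never logs in on its own: it forwards the visiting user's TurboGears
    session cookie so the remote service treats the request as that user's.
    """
    # Assumption: the TurboGears 1 visit cookie is named 'tg-visit'.
    COOKIE_NAME = 'tg-visit'

    def __init__(self, base_url, transport):
        # The visit_key is a bearer credential, so refuse plaintext transports.
        if not base_url.lower().startswith('https://'):
            raise ValueError('session cookie may only be proxied over https')
        self.base_url = base_url.rstrip('/') + '/'
        # transport(method, url, headers) -> (status, body); injected so the
        # example runs offline and a test can inspect what would be sent.
        self._transport = transport
        self._session_cookie = None

    def set_session_cookie(self, visit_key):
        """Step 3 of the thread: adopt identity.current.visit_key as our cookie."""
        self._session_cookie = '%s=%s' % (self.COOKIE_NAME, quote(visit_key, safe=''))

    def send_request(self, method, auth=False):
        """Step 4: fetch `method` from Bodhi, attaching the cookie only if auth=True."""
        # Assumption: TurboGears JSON views are requested with tg_format=json.
        url = urljoin(self.base_url, method.lstrip('/') + '?tg_format=json')
        headers = {'Accept': 'application/json'}
        if auth:
            if self._session_cookie is None:
                raise RuntimeError('auth=True requested without a session cookie')
            headers['Cookie'] = self._session_cookie
        status, body = self._transport('GET', url, headers)
        if auth and status == 403:
            # The proxied session was rejected; there are no stored credentials
            # to fall back to, so surface it rather than retrying.
            raise PermissionError('remote service rejected the proxied session')
        return body


def demo(visit_key='constructed-visit-key'):
    """Constructed offline run: record the request a Bodhi call would send."""
    sent = []

    def fake_transport(method, url, headers):
        sent.append((method, url, headers))
        return 200, {'updates': []}

    client = BodhiClient('https://bodhi.example.org/', fake_transport)
    client.set_session_cookie(visit_key)
    return sent, client.send_request('list', auth=True)
```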