FAS OpenID patch

Pierre-Yves Chibon pingou at pingoured.fr
Tue Oct 23 21:15:28 UTC 2012


On Sat, 2012-10-20 at 23:27 +0200, Pierre-Yves Chibon wrote:
> Hi,
> 
> So tonight I have been working on making the jenkins OpenID
> plugin [1] work.
> This was a little more challenging than anticipated as the plugin asks
> for the url of the OpenID provider. In our case we want to point to FAS.
> The 'problem' is that we ask for a username in the OpenID url, while the
> plugin does not allow this.
> So I came up with the attached patch which does two things:
> - Allow contacting /accounts/openid/yadis/ directly (w/o running into an
> error 500), which allows OpenID discovery by the client.
> - Allow authenticating even if the url asked for does not contain the
> username (which is the case when coming from jenkins).
> 
> I'm sending this patch for review; to me the approach sounds fine, but I am
> wondering if the second change here is reducing the security or not.
> For comparison, google seems to allow urls not containing the username,
> and just lets the user log in if he is not already.

So for the record, we have applied the changes in stg.

I tested on ask:
stg doesn't work maybe because of ssl
but testing from dev01:
works:
  http://fas01.dev.fedoraproject.org/accounts/openid/yadis/
  http://fas01.dev.fedoraproject.org/accounts/openid/yadis/<user>
  http://fas01.dev.fedoraproject.org/accounts/openid/id/<user>

On pypi:
works:
  https://admin.stg.fedoraproject.org/accounts/openid/yadis/<user>
  https://fas01.dev.fedoraproject.org/accounts/openid/id/<user>
  http://fas01.dev.fedoraproject.org/accounts/openid/yadis/<user>
  http://fas01.dev.fedoraproject.org/accounts/openid/id/<user>
both
  https://admin.stg.fedoraproject.org/accounts/openid/yadis/
  http://fas01.dev.fedoraproject.org/accounts/openid/yadis/
do not work; we suspect pypi doesn't allow discovery.


Since it seems we are not breaking current behavior, I will push this to
upstream and to production.

Pierre
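The two discovery cases exercised in the tests above, and the identity check that decides whether the second change in the patch is safe, as an added example written for this page (it is not the FAS patch and not FAS code). The yadis/<user> and id/<user> paths are the ones named in the mail; the base URL, the endpoint path /accounts/openid/server and the user names are assumptions. The OpenID 2.0 namespace URIs are the ones from the spec: an OP Identifier (the bare yadis URL) advertises the "server" type and the RP sends identifier_select, a Claimed Identifier (yadis/<user>) advertises "signon" with a LocalID.

```python
"""Added example, not FAS code: OpenID 2.0 discovery documents for a
provider reachable with or without a username, and the check an OP must
do before asserting an identity.

Assumed (hypothetical) values: BASE, the /accounts/openid/server endpoint
path and the user names. The yadis/<user> and id/<user> paths come from
the mail.
"""

BASE = "https://id.example.org"                  # assumed base URL
OP_ENDPOINT = BASE + "/accounts/openid/server"   # assumed endpoint path

# OpenID 2.0 constants (from the spec, not invented)
NS_SERVER = "http://specs.openid.net/auth/2.0/server"
NS_SIGNON = "http://specs.openid.net/auth/2.0/signon"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def identity_url(user):
    """Claimed identifier of a user, matching the id/<user> path in the mail."""
    return f"{BASE}/accounts/openid/id/{user}"


def user_from_yadis_path(path):
    """Map /accounts/openid/yadis/ -> None (OP Identifier) and
    /accounts/openid/yadis/<user> -> <user> (Claimed Identifier)."""
    prefix = "/accounts/openid/yadis/"
    if not path.startswith(prefix):
        raise ValueError("not a yadis path")
    user = path[len(prefix):].strip("/")
    return user or None


def yadis_document(user=None):
    """XRDS returned by the yadis endpoint. With no user the document is an
    OP Identifier: the RP can only ask the OP to pick the identity
    (identifier_select). With a user it is a Claimed Identifier that names
    the user's own identity URL as LocalID."""
    if user is None:
        service = f"<Type>{NS_SERVER}</Type><URI>{OP_ENDPOINT}</URI>"
    else:
        service = (f"<Type>{NS_SIGNON}</Type><URI>{OP_ENDPOINT}</URI>"
                   f"<LocalID>{identity_url(user)}</LocalID>")
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">'
            f'<XRD><Service priority="0">{service}</Service></XRD></xrds:XRDS>')


def resolve_identity(request, logged_in_user):
    """Decide which identity the OP may assert for a checkid_setup request.

    request: dict of the openid.* parameters sent by the RP.
    Returns the identity URL to assert, or None when the OP must refuse
    (no session yet, or the RP asked for somebody else's identifier).
    """
    if logged_in_user is None:
        return None            # show the login form first
    own = identity_url(logged_in_user)
    claimed = request.get("openid.claimed_id")
    identity = request.get("openid.identity")
    if claimed == IDENTIFIER_SELECT or identity == IDENTIFIER_SELECT:
        # Request without a username (the jenkins case): the OP fills in
        # the identity of whoever is actually logged in. This is the
        # directed-identity flow and is not a weakening as long as the
        # asserted URL is derived from the session, not from the request.
        return own
    # RP named a specific identity: assert it only if it belongs to the
    # logged-in user, otherwise the OP would vouch for someone else.
    return own if identity == own else None
```

The second branch is the one that matters for the question in the mail: accepting a URL without a username is fine because the asserted identity comes from the session; what must never happen is asserting a requested identity that the session does not own. An RP that refuses OP Identifiers (which is what the pypi result above looks like) fails at the bare yadis URL before ever reaching this check.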