Hi Jamie,
I would suggest extending authkit.permissions.RequestPermission and setting a
custom check method to verify the e-mail address returned. I tried this simple
test with a controller:
from authkit.authorize import NotAuthorizedError
from authkit.permissions import RequestPermission
from authkit.authorize.pylons_adaptors import authorize
# BaseController comes from the Pylons project's own lib/base.py
# (i.e. from <yourproject>.lib.base import BaseController)

class OpenIdAxPermission(RequestPermission):
    def __init__(self):
        # custom settings here...
        self.authzEmail = 'someb...@somewhere'

    def check(self, app, environ, start_response):
        remoteUserData = environ.get('REMOTE_USER_DATA')
        if remoteUserData:
            # Cookie *MUST* be signed otherwise this is unsafe
            remoteUserDataDict = eval(remoteUserData)
            if (isinstance(remoteUserDataDict, dict) and
                    'ax' in remoteUserDataDict):
                axDict = remoteUserDataDict['ax']
                if axDict.get('value.email.1') != self.authzEmail:
                    raise NotAuthorizedError("Access denied ...")
        return app(environ, start_response)

class HelloController(BaseController):
    @authorize(OpenIdAxPermission())
    def index(self):
        # Return a rendered template
        #return render('/hello.mako')
        # or, return a response
        return 'Hello World'
There should probably be some sort of OpenID AX permission class in AuthKit.
Note that your cookie absolutely MUST be signed otherwise the eval call could
be exploited with a malicious cookie. The way the AX data is handled could
definitely be improved perhaps by setting it in a beaker session instead. When
I’ve used it, I’ve immediately reset the cookie removing the AX content once
the OpenID Relying Party has set it from the Provider response.
Hope this helps!
Phil
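An added example, not from this thread or from AuthKit, of the same e-mail check done without eval(): REMOTE_USER_DATA is parsed with ast.literal_eval, the e-mail is compared against a whitespace-separated allow-list in the shape Jamie asked for, and the check fails closed when the AX data is missing. NotAuthorizedError and the check() signature are stand-ins assumed to mirror AuthKit's, and the sample REMOTE_USER_DATA values are constructed.

```python
import ast

class NotAuthorizedError(Exception):
    """Stand-in for authkit.authorize.NotAuthorizedError (assumed to play the same role)."""

def parse_remote_user_data(raw):
    """Parse the REMOTE_USER_DATA string without eval().
    ast.literal_eval accepts only Python literals, so a payload containing a
    call or attribute access raises instead of executing."""
    try:
        data = ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        return None
    return data if isinstance(data, dict) else None

def ax_email(data, alias='email'):
    """Return the normalised e-mail from the AX dict, keyed by the configured
    alias ('value.<alias>.1', as in the class above); None if absent."""
    ax = data.get('ax') if data else None
    if not isinstance(ax, dict):
        return None
    value = ax.get('value.%s.1' % alias)
    return value.strip().lower() if isinstance(value, str) else None

class AxEmailPermission(object):
    """Allow only e-mails on a whitespace-separated allow-list (the shape Jamie
    wanted in development.ini). Fails closed when the AX data is missing.
    A real AuthKit version would subclass authkit.permissions.RequestPermission."""
    def __init__(self, allowed, alias='email'):
        self.allowed = {a.lower() for a in allowed.split()}
        self.alias = alias

    def is_allowed(self, environ):
        data = parse_remote_user_data(environ.get('REMOTE_USER_DATA', ''))
        email = ax_email(data, self.alias)
        return email is not None and email in self.allowed

    def check(self, app, environ, start_response):
        if not self.is_allowed(environ):
            raise NotAuthorizedError('Access denied for this OpenID e-mail')
        return app(environ, start_response)

# Constructed sample values standing in for what the signed AuthKit cookie carries
GOOD = {'REMOTE_USER_DATA': "{'ax': {'value.email.1': 'Alice@example.org'}}"}
OTHER = {'REMOTE_USER_DATA': "{'ax': {'value.email.1': 'mallory@example.org'}}"}
# A non-literal expression: eval() would run it, literal_eval() rejects it
TAMPERED = {'REMOTE_USER_DATA': "__import__('os').getcwd()"}
```

Signing the cookie is still required: literal_eval only stops code execution, it does not stop an unsigned cookie from claiming any e-mail it likes.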
From: Jamie Begin [mailto:[email protected]]
Sent: 18 January 2010 18:17
To: Kershaw, Philip (STFC,RAL,SSTD)
Subject: Re: AX support in AuthKit OpenID
Phil,
I greatly appreciate the reply (and your contribution to AuthKit). I got it
working yesterday (and posted my steps on the Pylons mailing list).
One thing that I'm still unsure of though is how to accomplish authorization.
Once a user authenticates (and I have his email address via your AX extension),
is there an easy way to use AuthKit to determine what his access level is? I
was kinda hoping for something as easy as this in the development.ini file:
authkit.openid.authenticate.user.data = [email protected]
[email protected]
Then I could just use the standard decorator in my controller:
@authorize(ValidAuthKitUser())
def whatever(self):
    return "Yay!"
On Mon, Jan 18, 2010 at 4:34 AM, <[email protected]> wrote:
Hi Jamie,
Your example looks correct. The only thing I have that is different is the
namespace and the addition of an alias:
authkit.openid.ax.typeuri.email:http://openid.net/schema/contact/internet/email
authkit.openid.ax.required.email:True
authkit.openid.ax.alias.email=email
Have you checked which namespace the OpenID Provider is using for the e-mail
attribute?
The alias is useful in that it specifies an explicit attribute name for the
e-mail value to be returned in so that you can reference it. Otherwise I think
from memory attribute names are assigned automatically at the provider with
some scheme like ext0, ext1 and so on.
Hope this helps,
Phil
From: Jamie Begin [mailto:[email protected]]
Sent: 16 January 2010 22:04
To: Kershaw, Philip (STFC,RAL,SSTD)
Subject: AX support in AuthKit OpenID
Hello --
Looking at the code, I noticed that you added AX support to AuthKit's OpenID
module. Would you happen to have an example of how to use it? I'm trying to
get a user's email address back with the OpenID response. Looking at your
code, I'm guessing that my development.ini file ought to look like this:
authkit.openid.ax.typeuri.email = http://axschema.org/contact/email
authkit.openid.ax.required.email = true
However, it's not working. I'd appreciate any help you could provide. Thank
you.
-- You received this message because you are subscribed to the Google Groups "pylons-discuss" group.