Re: [Zope-dev] Single Sign On
Previously Shane Hathaway wrote:
> Alternatively, I have wondered if we actually need full-blown SSO; perhaps a carefully constructed domain-wide cookie would do the trick. Any experiences with that?

auth_tkt based cookies sound like a good option, possibly combined with something like SQL or LDAP for shared member properties. It has the advantage of being very widely supported as well as being very simple.

CAS appears to be a common SSO system used for Plone sites and should work as well.

Wichert.

-- 
Wichert Akkerman wich...@wiggy.net    It is simple to make things.
http://www.wiggy.net/                 It is hard to make things simple.

___
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
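As an added illustration of the "carefully constructed domain-wide cookie" and the auth_tkt style of ticket discussed above (example code written for this page, not mod_auth_tkt's implementation and not code from the Zope project), here is a minimal signed-ticket scheme in Python. It borrows auth_tkt's layout of signature, hex timestamp, user and role tokens, but signs with HMAC-SHA256 over a shared secret, which is an assumption of the example; the verifier rejects tampered, forged and expired tickets, which is what makes one cookie safe to trust from every host in the domain.

```python
import hashlib
import hmac
import time

# Constructed shared secret for the example: every host that accepts the
# domain-wide cookie holds this value, and it never reaches the browser.
SECRET = b"constructed-example-secret"
TICKET_LIFETIME = 3600      # seconds a ticket stays valid
CLOCK_SKEW = 60             # tolerated future-dating between hosts, in seconds
SIG_LEN = 64                # hex length of an HMAC-SHA256 digest
HEX_DIGITS = set("0123456789abcdef")


def _signature(secret, user, issued_at, tokens):
    # Sign every field the ticket asserts, so changing the user, the
    # timestamp or the role tokens invalidates the signature.
    msg = "%s|%d|%s" % (user, issued_at, tokens)
    return hmac.new(secret, msg.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_ticket(user, tokens="", secret=SECRET, now=None):
    """Return the cookie value: <signature><issue time as 8 hex chars><user>!<tokens>."""
    if "!" in user:
        raise ValueError("user name must not contain '!'")
    issued_at = int(time.time() if now is None else now)
    sig = _signature(secret, user, issued_at, tokens)
    return "%s%08x%s!%s" % (sig, issued_at, user, tokens)


def verify_ticket(cookie, secret=SECRET, now=None, lifetime=TICKET_LIFETIME):
    """Return (user, tokens) for a valid ticket, or None when it is malformed,
    carries a bad signature, or is expired or implausibly future-dated."""
    if len(cookie) < SIG_LEN + 8 + 1:
        return None
    sig = cookie[:SIG_LEN]
    ts_hex = cookie[SIG_LEN:SIG_LEN + 8]
    rest = cookie[SIG_LEN + 8:]
    if any(c not in HEX_DIGITS for c in ts_hex):
        return None
    issued_at = int(ts_hex, 16)
    if "!" not in rest:
        return None
    user, tokens = rest.split("!", 1)
    expected = _signature(secret, user, issued_at, tokens)
    # Constant-time comparison: a plain == would leak, through timing, how
    # many leading bytes of a guessed signature are already right.
    if not hmac.compare_digest(sig, expected):
        return None
    current = int(time.time() if now is None else now)
    if issued_at > current + CLOCK_SKEW or current - issued_at > lifetime:
        return None
    return user, tokens


if __name__ == "__main__":
    ticket = issue_ticket("alice", "editor")
    print(ticket)
    print(verify_ticket(ticket))
    print(verify_ticket(ticket.replace("alice", "admin")))
```

The value goes in a cookie scoped to the shared parent domain and flagged Secure and HttpOnly; every host verifies it locally with no round trip, which is the simplicity Wichert points at. The trade-off of that design is that revocation is limited to expiry, so the lifetime should be short, and any host holding the secret can mint tickets for anyone, so the secret has to be protected on all of them.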
[Zope-dev] Zope Tests: 7 OK, 1 Failed
Summary of messages to the zope-tests list.
Period Tue Feb 17 12:00:00 2009 UTC to Wed Feb 18 12:00:00 2009 UTC.
There were 8 messages: 8 from Zope Tests.

Test failures
-------------

Subject: FAILED (failures=1) : Zope-trunk-alltests Python-2.5.4 : Linux
From: Zope Tests
Date: Tue Feb 17 20:57:52 EST 2009
URL: http://mail.zope.org/pipermail/zope-tests/2009-February/011136.html

Tests passed OK
---------------

Subject: OK : Zope-2.8 Python-2.3.7 : Linux
From: Zope Tests
Date: Tue Feb 17 20:43:34 EST 2009
URL: http://mail.zope.org/pipermail/zope-tests/2009-February/011129.html

Subject: OK : Zope-2.9 Python-2.4.6 : Linux
From: Zope Tests
Date: Tue Feb 17 20:45:45 EST 2009
URL: http://mail.zope.org/pipermail/zope-tests/2009-February/011130.html

Subject: OK : Zope-2.10 Python-2.4.6 : Linux
From: Zope Tests
Date: Tue Feb 17 20:47:45 EST 2009
URL: http://mail.zope.org/pipermail/zope-tests/2009-February/011131.html

Subject: OK : Zope-2.11 Python-2.4.6 : Linux
From: Zope Tests
Date: Tue Feb 17 20:49:51 EST 2009
URL: http://mail.zope.org/pipermail/zope-tests/2009-February/011132.html

Subject: OK : Zope-trunk Python-2.4.6 : Linux
From: Zope Tests
Date: Tue Feb 17 20:51:51 EST 2009
URL: http://mail.zope.org/pipermail/zope-tests/2009-February/011133.html

Subject: OK : Zope-trunk Python-2.5.4 : Linux
From: Zope Tests
Date: Tue Feb 17 20:53:52 EST 2009
URL: http://mail.zope.org/pipermail/zope-tests/2009-February/011134.html

Subject: OK : Zope-trunk-alltests Python-2.4.6 : Linux
From: Zope Tests
Date: Tue Feb 17 20:55:52 EST 2009
URL: http://mail.zope.org/pipermail/zope-tests/2009-February/011135.html
Re: [Zope-dev] Single Sign On
On Feb 17, 2009, at 7:55 PM, Shane Hathaway wrote:
> Gary Poster wrote:
>> Launchpad uses OpenID. We don't have that slated for abstraction and open-sourcing immediately. However, most of the Launchpad code (including this bit) is to be open-sourced by this summer, abstracted or not. Therefore, we should at least be able to give you some idea of what we have done before then. I've forwarded your email to the primary implementer/designer of our OpenID integration. Hopefully he can directly participate, or at least give me some answers to forward to you.
>
> Cool, thanks.
>
>> Generally, we're using python-openid for the Zope code, and an Apache plugin as a front-end for hooking up other bits.
>
> In that case, what do you pass to Consumer.begin()? It expects a user URL and no password, yet launchpad.net accepts a user name and password.
>
> Shane

Hi Shane. Francis Lacoste gave this answer:

> We use the OpenID 2.0 identifier select URL. This is a special OpenID URL that basically means: identity using whatever ID you have on that server. The OpenID response will contain the actual OpenID identifier of the user at the end of the request. So sites that we integrate in our SSO simply send you to Launchpad for authentication and then use the returned identifier to link with their local account representation.
>
> We also use sreg (Simple Registration) to transfer information about the account to the integrated sites, so that they can update their local account representation with the central data.

Gary
Re: [Zope-dev] Single Sign On
Gary Poster wrote:
> We use the OpenID 2.0 identifier select URL. This is a special OpenID URL that basically means: identity using whatever ID you have on that server. The OpenID response will contain the actual OpenID identifier of the user at the end of the request. So sites that we integrate in our SSO simply send you to Launchpad for authentication and then use the returned identifier to link with their local account representation.
>
> We also use sreg (Simple Registration) to transfer information about the account to the integrated sites, so that they can update their local account representation with the central data.

I see now! Thanks, Francis and Gary.

Shane
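The identifier-select flow Francis and Gary describe, as an added example that is not code from Launchpad or from python-openid: a Python sketch of the consumer side. IDENTIFIER_SELECT is the real OpenID 2.0 constant; the trusted provider endpoint, the sreg field list, and the dict that stands in for the library's already-verified success response are assumptions of the example. It shows what goes in place of a user-typed URL at the start of the request (the thing Shane asked about), how the concrete identifier and the sreg data bind to a local account on return, and the check a single-provider SSO needs on top of signature verification: accept only identities asserted by that one provider.

```python
# Real OpenID 2.0 constant: asks the provider to assert whichever identity the
# user holds with it, so the user never has to type an identifier URL.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed for the example: the one provider this deployment trusts, and
# the sreg fields it asks that provider for.
TRUSTED_OP_ENDPOINT = "https://sso.example.invalid/openid/"
SREG_FIELDS = ("nickname", "email", "fullname")


def build_checkid_request(return_to):
    """Parameters the consumer redirects the browser with. identifier_select
    takes the place of a user-supplied identity; sreg is requested alongside.
    (A dict sketch of the request python-openid builds for the same inputs.)"""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
        "openid.sreg.required": "nickname",
        "openid.sreg.optional": "email,fullname",
    }


def link_account(response, accounts, trusted_op=TRUSTED_OP_ENDPOINT):
    """Bind a verified OpenID response to a local account record.

    `response` is a constructed stand-in for the success response the OpenID
    library returns after it has checked the signature and run discovery:
    a dict with 'status', 'op_endpoint', 'claimed_id' and an optional 'sreg'
    mapping. Returns the local account dict, or None when the response must
    not log anyone in."""
    if response.get("status") != "success":
        return None
    # Restricted SSO: only identities asserted by our own provider count.
    # Without this check, an identity from any OpenID provider would be accepted.
    if response.get("op_endpoint") != trusted_op:
        return None
    claimed_id = response.get("claimed_id")
    # The provider must have replaced identifier_select with a concrete id.
    if not claimed_id or claimed_id == IDENTIFIER_SELECT:
        return None
    account = accounts.setdefault(claimed_id, {"openid": claimed_id})
    # Refresh the local copy of the central profile from sreg, when sent.
    sreg = response.get("sreg") or {}
    for field in SREG_FIELDS:
        if field in sreg:
            account[field] = sreg[field]
    return account
```

The endpoint comparison is the part that turns a general OpenID consumer into the "restricted form" Shane is after: python-openid will happily verify a correctly signed assertion from any provider, so the application itself has to pin the provider it trusts.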
Re: [Zope-dev] Single Sign On
Shane Hathaway wrote:
> * The SSO process should be very similar to an ordinary cookie-based login process. I don't want the user to have to enter their username on one form and their password on another, but that's the standard OpenID process.
>
> * This will be implemented in Zope 3. We are considering OpenID, Shibboleth, CAS, and any other mature system that others might suggest. Shibboleth seems like the most obvious fit, but it's nowhere near as popular as OpenID. I haven't yet looked at CAS in detail.
>
> Alternatively, I have wondered if we actually need full-blown SSO; perhaps a carefully constructed domain-wide cookie would do the trick.

In the two cases where I've been involved in SSO, both times there was some apache module that could handle the actual SSO part. The result from zope's viewpoint was either a special http header or a special cookie. Working from that header (special_user=username_you_want) or cookie with similar contents is easy with zope2/plone's PAS and thus also zope2's authentication system, which is mostly similar.

You can look at http://svn.plone.org/svn/collective/PASPlugins/apachepas/ for some copy/paste code.

So: the easiest way is to let some trusted apache plugin handle the hard part and then laugh all the way to the bank with some 100-line authentication plugin.

Reinout

-- 
Reinout van Rees    http://reinout.vanrees.org/
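The header-based handoff Reinout describes, as an added example that is not part of his message and not the apachepas code: a Python stand-in for the extraction and authentication steps of a PAS-style plugin. The header name HTTP_X_SPECIAL_USER (the CGI spelling of a constructed X-Special-User header), the trusted proxy address and the set of known users are all constructed for the example. What it adds to the description above is the check a practitioner wants in such a plugin: the header is honoured only on requests that actually arrived from the trusted front-end, because on any other path the value could have been chosen by the client.

```python
import re

# Constructed for the example: where the trusted front-end connects from, the
# CGI name of the header it sets, and the user names it may assert.
TRUSTED_PROXIES = frozenset({"127.0.0.1"})
USER_HEADER = "HTTP_X_SPECIAL_USER"
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def extract_credentials(environ, trusted_proxies=TRUSTED_PROXIES):
    """Stand-in for the PAS extraction step: return {'login': name} when the
    front-end asserted a user for this request, otherwise an empty dict.

    The header is trusted only when the request reached Zope from the
    front-end itself. A request that arrived any other way is treated as
    anonymous even if it carries the header, since the client could have
    set it."""
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        return {}
    name = environ.get(USER_HEADER, "").strip()
    # Reject anything that is not a plain user name (control characters,
    # embedded newlines, over-long values) rather than passing it on.
    if not USERNAME_RE.match(name):
        return {}
    return {"login": name}


def authenticate(credentials, known_users):
    """Stand-in for the authentication step: map the asserted login to a user
    id without checking a password, since the front-end already did that.
    Returns (user id, login), the pair shape PAS plugins hand back, or None."""
    login = credentials.get("login")
    if login in known_users:
        return (login, login)
    return None


if __name__ == "__main__":
    # Constructed WSGI-style environ for a request forwarded by the front-end.
    environ = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_SPECIAL_USER": "alice"}
    print(authenticate(extract_credentials(environ), {"alice", "bob"}))
```

The front-end must also overwrite the header on every request it forwards, so that a client cannot smuggle one through it; the address check here is defence in depth for the case where Zope is reachable by a second route that bypasses the front-end, which is exactly the case a customer-installed deployment tends to end up with.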
Re: [Zope-dev] Single Sign On
Reinout van Rees wrote:
> So: easiest way is to let some trusted apache plugin handle the hard part and then laugh all the way to the bank with some 100-line authentication plugin.

That would usually work, but in this case, customers will be doing their own installation, so we need to keep the number of installation steps down.

Shane
[Zope-dev] Proposed Patch for zope.site
Today I ran into an exception masked by Zope 3. I found the code that was masking the exception and fixed it locally, but since this small bit of code has no docs or tests, I can't be sure I won't break stuff if I check in my change. What do y'all think I should do?

Here is the patch:

Index: src/zope/site/hooks.py === --- src/zope/site/hooks.py (revision 96718) +++ src/zope/site/hooks.py (working copy) @@ -91,10 +91,7 @@ def adapter_hook(interface, object, name='', default=None): -try: -return siteinfo.adapter_hook(interface, object, name, default) -except zope.component.interfaces.ComponentLookupError: -return default +return siteinfo.adapter_hook(interface, object, name, default) def setHooks():

Catching ComponentLookupError is a problem when an adapter factory looks up another adapter. If the first adapter lookup succeeds but the second fails with a ComponentLookupError, the current code makes it look like the first adapter is not registered at all. Very confusing. This patch exposes the correct traceback.

I think my patch is correct because the 'default' parameter implies to me that if 'siteinfo.adapter_hook' can't find an adapter, it will return None, not raise ComponentLookupError. If 'siteinfo.adapter_hook' does in fact raise ComponentLookupError, then something else must be wrong and we should report the exception.

BTW, until recently, this module lived in zope.app.component. It looks like this exception masking originated in Subversion revision 26391.

Shane
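Review bot: the hunk in adapter_hook removes the only place a ComponentLookupError from siteinfo.adapter_hook was converted into `default`, so the behaviour change for callers is wider than the masked-traceback case described: any caller that relied on `adapter_hook(..., default=X)` never raising now gets the exception instead. The message itself notes there are no tests for this code, so the patch should carry two: one that registers an adapter factory which performs a failing inner lookup and asserts the ComponentLookupError now surfaces (the bug being fixed), and one that asserts a plain miss on the outer lookup still returns `default` rather than raising, which pins the premise the message relies on ("if 'siteinfo.adapter_hook' can't find an adapter, it will return None"). A one-line docstring on adapter_hook stating that the underlying hook returns `default` on a miss would record the contract the try/except was wrongly papering over.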
Re: [Zope-dev] Single Sign On
On Wed, Feb 18, 2009 at 09:00:10AM -0500, Gary Poster wrote:
> On Feb 17, 2009, at 7:55 PM, Shane Hathaway wrote:
>> Gary Poster wrote:
>>> Launchpad uses OpenID. We don't have that slated for abstraction and open-sourcing immediately. However, most of the Launchpad code (including this bit) is to be open-sourced by this summer, abstracted or not. Therefore, we should at least be able to give you some idea of what we have done before then. I've forwarded your email to the primary implementer/designer of our OpenID integration. Hopefully he can directly participate, or at least give me some answers to forward to you.
>>
>> Cool, thanks.
>>
>>> Generally, we're using python-openid for the Zope code, and an Apache plugin as a front-end for hooking up other bits.
>>
>> In that case, what do you pass to Consumer.begin()? It expects a user URL and no password, yet launchpad.net accepts a user name and password.
>>
>> Shane
>
> Hi Shane. Francis Lacoste gave this answer:
>
>> We use the OpenID 2.0 identifier select URL. This is a special OpenID URL that basically means: identity using whatever ID you have on that server. The OpenID response will contain the actual OpenID identifier of the user at the end of the request. So sites that we integrate in our SSO simply send you to Launchpad for authentication and then use the returned identifier to link with their local account representation.
>>
>> We also use sreg (Simple Registration) to transfer information about the account to the integrated sites, so that they can update their local account representation with the central data.

I have the impression that you're talking past each other. There are two ways of using OpenID:

* you can be an OpenID provider, i.e. accept logins with username and password and respond to authentication requests from other websites confirming that the user does own this particular OpenID.

* you can be an OpenID consumer, i.e. accept OpenID URLs from users and ask the corresponding OpenID provider to validate them.

It's my impression that launchpad.net is an OpenID provider only, while Shane is trying to figure out how to use the OpenID consumer API in AuthKit.

I could be mistaken about any of the particular points here.

Marius Gedminas
-- 
http://pov.lt/ -- Zope 3 consulting and development
Re: [Zope-dev] Single Sign On
Marius Gedminas wrote:
> It's my impression that launchpad.net is an OpenID provider only, while Shane is trying to figure out how to use the OpenID consumer API in AuthKit.

No. I am going after the more conventional single sign on use case where many consumers depend on only one centralized identity provider, and I'd like to use a restricted form of OpenID to accomplish it. It turns out that Launchpad's internal authentication system is pretty much exactly what I was planning to do, so Gary's info pointed me in the right direction. Launchpad also happens to provide public OpenID services, but I don't need to do that.

Shane