Hi Olemis,

  So I don't have much of any experience with writing authentication
schemes using OpenID.  I do, however, find it interesting so I poked around
a little bit and I'll share with you some of my thoughts.

  By default, I think that the authentication plugin authenticates with
mapping internal user names.  So it's a bit like 'if you have a google
account then we'll use your google account'.  However, if the name of your
google account matches an internal user of your Trac environment, then are
you that user or just a user that happens to have the same name?

  So I believe from what I read that you need to create a mapping of OpenID
authentications (many, Google, Yahoo, some custom service, etc) to exactly
one internal Trac user.  See the reference here. [1]

  If you look at the Wiki for OpenID authentication plugin [2], he mentions
the following:

{{{
# You can use this option to map your OpenIDs to internal username.
#check_list = http://your.site.com/openidallow
#check_list_key = check_list
#check_list_username=
}}}


  So he is probably referencing the ability stated.  He does state that you
will need to install simple json to use this ability. [3]  The source [4]
he uses to actually check the username is here (starting line 552):

{{{
            if allowed and self.check_list:
                params = {self.check_list_key: remote_user}
                if email:
                    params['email'] = email
                url = self.check_list + '?' + urllib.urlencode(params)
                self.env.log.debug('OpenID check list URL: %s' % url)
                result = simplejson.load(urllib.urlopen(url))
                if not result[self.check_list_key]:
                    allowed = False
                elif self.check_list_username:
                    new_user = result[self.check_list_username]
                    if new_user:
                        remote_user = new_user
}}}


  I don't know if there is another way to do the username mapping without
establishing a simpleJSON service (also something I don't have any
experience with so I can't really comment on how hard that is).  But it
seems like this is the part where the OpenID name becomes a Trac user name.

  The part that does the name mangling in case the username is the same as
an authenticated name appears to be on line 590 in [4].

{{{
                # Make authname unique in case of collisions
                #
                # XXX: We ought to first look for an existing authenticated
                # ssession with matching identity_url, and just use that
                # for the authid.  (E.g. what if the user changes his
                # fullname at the openid provider?)  However, trac does
                # not seem to provide an API for searching sessions other
                # than by sid/authname.
                #
                def authnames(base):
                    yield base
                    for attempt in itertools.count(2):
                        yield "%s (%d)" % (base, attempt)

                for authname in authnames(authname):
                    ds = DetachedSession(self.env, authname)
                    if ds.last_visit == 0 and len(ds) == 0:
                        # At least in 0.12.2, this mean no session exists.
                        break
                    ds_identity = ds.get(self.openid_session_identity_url_key)
                    if ds_identity == info.identity_url:
                        # No collision
                        break
}}}

  Specifically the {{{ yield "%s (%d)" % (base, attempt) }}} on line 602 is
what changes the name.  Note that there aren't any configuration options
surrounding this, so I don't think that there is a way to modify that
behavior from the configuration file without changing the source.

  Note that I haven't installed the plugin, and don't have any experience
with OpenId... however, some reply seemed better than no reply.  If you
want a sounding board feel free to reply.  I don't have that much time to
set up a 0.11 server and install the plugin and try different things, but
I'd be happy to read and discuss it further if I have time.

  Hope any of this helped, or I'm sorry if it led you off the trail.

[1] http://www.plaxo.com/api/openid_recipe
[2] https://bitbucket.org/Dalius/authopenid-plugin/wiki/Home
[3] http://pypi.python.org/pypi/simplejson/
[4] https://bitbucket.org/Dalius/authopenid-plugin/src/ebcf176ff6e3/authopenid/authopenid.py

-Nelson

On Fri, Dec 9, 2011 at 2:45 PM, Olemis Lang <[email protected]> wrote:

> any ideas about the requests in message below ?
> help will be appreciated .
> Thnx in advance !
>
> On Mon, Dec 5, 2011 at 10:59 AM, Olemis Lang <[email protected]> wrote:
> >
> > Hi!
> >
> > I've recently installed TracAuthOpenId 0.3.5 (hosted by Bitbucket) on my site .
> >
> > What I'd like to achieve is to log in to Trac using one OpenId URL of
> > the form http://olemis.server.tld/ and let user name be either
> > olemis.server.tld or just olemis (preferably the latter ;) . In fact a
> > more generic scenario would be to bind OpenId URLs of the form
> > http://<username>.server.tld/ to user names like <username>.server.tld
> > or just <username> (once again the latter ) . SREG is configured to be
> > required .
> >
> > Currently what happens is that I log in and my user name (as reported
> > by TracDeveloper plugin in authname when template parameters are
> > rendered ;) becomes "olemis lang (2)" (which is a name I don't like
> > considering previous paragraph ;) . I suppose "olemis lang" should
> > have been adopted previously by considering the name specified in
> > OpenId persona (profile) I chose on login. The (2) part should be
> > there (I guess ...) due to the fact that a user with the same name was
> > already previously registered (if you need to know , that was me
> > playing with gracie locally ... :) .
> >
> > Well ... no more fairy tales :P
> > If anybody knows how should I configure this version of the plugin so
> > as to deal with user names as mentioned in first paragraph above ,
> > suggestions will be welcome . [openId] config section in trac.ini is as
> > follows :
> >
> > {{{
> >
> > absolute_trust_root = false
> > combined_username = false
> > lowercase_authname = false
> > sreg_required = true
> > strip_protocol = true
> > strip_trailing_slash = true
> >
> > }}}
> >
> > Help appreciated . Thnx in advance !
> >
> > --
> > Regards,
> >
> > Olemis
> >
> > Facebook => http://www.facebook.com/olemis
> > Twitter => http://www.twitter.com/olemislc (@olemislc)
> > Blog ES => http://simelo-es.blogspot.com
> > Blog EN => http://simelo-en.blogspot.com
> > Quora => http://www.quora.com/olemis
> > Youtube => http://youtube.com/user/greatsoftw
> >
>
>
>
> --
> Regards,
>
> Olemis
>
> --
> You received this message because you are subscribed to the Google Groups
> "Trac Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/trac-users?hl=en.
>
>
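
The check_list lookup discussed in the reply above, sketched as an added example (it is not part of the thread and not the plugin's own code): a small JSON service that maps an identity of the form `<username>.server.tld` to `<username>` and refuses everything else, answering in the shape the quoted plugin code reads. Assumptions: the plugin sends the OpenID identity as the value of the `check_list` parameter, `check_list_username` is set to `username`, `.server.tld` is the placeholder domain from the thread, and port 8099 is arbitrary.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit
from wsgiref.simple_server import make_server

CHECK_LIST_KEY = "check_list"   # same value as check_list_key in trac.ini
USERNAME_KEY = "username"       # assumed value for check_list_username
TRUSTED_SUFFIX = ".server.tld"  # placeholder domain used in the thread

# Exactly one DNS label: "a.b.server.tld" or "x.server.tld.evil.example"
# must never resolve to an internal account name.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,30}[a-z0-9])?\Z")

def host_of(identity):
    """Return the host of a bare-host OpenID identity, else None."""
    if "://" not in identity:
        identity = "http://" + identity  # form left by strip_protocol = true
    try:
        p = urlsplit(identity)
        extras = (p.path not in ("", "/") or p.query or p.fragment
                  or "@" in p.netloc or p.port is not None)
    except ValueError:  # malformed host or port
        return None
    if p.scheme not in ("http", "https") or extras:
        return None
    return p.hostname  # already lowercased by urlsplit

def check(identity):
    """Build the JSON object the quoted plugin code reads."""
    host = host_of(identity) or ""
    user = None
    if host.endswith(TRUSTED_SUFFIX):
        label = host[:-len(TRUSTED_SUFFIX)]
        if _LABEL.match(label):
            user = label
    return {CHECK_LIST_KEY: user is not None, USERNAME_KEY: user}

def app(environ, start_response):
    """WSGI endpoint: ?check_list=<identity>[&email=...] -> JSON verdict."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    body = json.dumps(check(query.get(CHECK_LIST_KEY, [""])[0])).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]

if __name__ == "__main__":
    # Loopback only: the plugin fetches this URL without authentication.
    make_server("127.0.0.1", 8099, app).serve_forever()
```

Because the answer from this service decides which Trac account a login becomes, the exact-suffix and single-label checks are what keep a look-alike identity from being mapped onto an existing internal user.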
