Hello, all.

As announced earlier, my project for this year of GSoC is the deployment
of an OpenID provider on identity.gentoo.org [1]. As stated
in the earlier mail, the main goal is to provide easy-to-use OpenID
identities for all Gentoo developers and at the same time make most
of Gentoo services OpenID-aware.

For those interested in the current development, you can check out
the source code on the GitHub repo [2] and take a look
at the intermediate status/TODO wiki page [3].

Pavlos Ratis (dastergon) is doing another project for
identity.gentoo.org, with his goal being to provide a webui for
accessing and modifying the LDAP records.


Week #1
=======

Status: on schedule


Tasks done:

- Some working initial OpenID code has been written and integrated with
the webapp. The webapp supports authenticating the user over LDAP, asking
for permission to submit the identity to the site and submitting
a proper identity.

- A Django database backend has been written for the python-openid library
that utilizes the Django ORM to store the OpenID server state data.


Known problems:

- The code lacks proper error responses. However, it's unclear from
the spec how to properly determine the type of request, especially if
it's erroneous, and therefore choose a proper response form. I've
opened a question on Stack Overflow [4] as it was suggested
on the OpenID IRC channel but since I didn't get any answer yet I'm
going to try the mailing list.

- LDAP connection errors are not reported properly, and end up being
reported as 'invalid username or password'. This was already reported
upstream by Theo [5] but we're still waiting for a solution.

- The coding has been done on a separate sub-app which means that
the login URIs in global settings need to be changed for proper OpenID
support. This will also make merging the changes a bit harder.

- The code raises an exception whenever a different user is being
logged in than the one requested by OpenID. This is an assertion done
in python-openid, the library used for OpenID support, and I have
submitted a pull request allowing a different ID to be used [6].
However, it's unclear if it's the proper thing to do, therefore I'm
waiting for upstream to answer it.


Plans for the upcoming week:

- Pull in Pavlos' changes to the webapp UI. Merge my common view
changes into his new UI.

- Work on integrating the code into the core i.g.o app and cleaning it
up.

- Implement the proper (or at least semi-proper) error responses.

- Support storing 'always permit this site' preference in the db
and overriding that preference on login.


[1]: http://article.gmane.org/gmane.linux.gentoo.summer-of-code/1337
[2]: https://github.com/mgorny/identity.gentoo.org
[3]: https://github.com/gentoo/identity.gentoo.org/wiki/TODO_mgorny
[4]: http://stackoverflow.com/questions/17217502/how-to-distinguish-server-side-direct-request-from-an-indirect-request-in-open
[5]: https://groups.google.com/forum/#!topic/django-auth-ldap/utS-Yq_LKPc
[6]: https://github.com/openid/python-openid/pull/61

--
Best regards,
Michał Górny
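
Added example (not part of the original mail, and not code from identity.gentoo.org or python-openid): one way to choose the error response form raised under "Known problems", following one reading of OpenID Authentication 2.0 in which `associate` and `check_authentication` sent by POST are direct requests and everything else is treated as indirect. The function names and the sample values used with them are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
DIRECT_MODES = {"associate", "check_authentication"}  # RP server -> OP, always POST


def valid_return_to(url):
    """True only for an absolute http(s) URL with a host part."""
    if not url:
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def kvform(fields):
    """Key-Value Form: one 'key:value' pair per line, each newline-terminated."""
    for key, value in fields.items():
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError("not representable in Key-Value Form")
    return "".join(f"{key}:{value}\n" for key, value in fields.items())


def error_response(method, params, message):
    """Return (status, headers, body) for a failed OpenID request.

    params holds the request's fields with the 'openid.' prefix kept.
    """
    mode = params.get("openid.mode")
    return_to = params.get("openid.return_to")
    if method == "POST" and mode in DIRECT_MODES:
        # Direct request: no browser involved, answer HTTP 400 in Key-Value Form.
        body = kvform({"ns": OPENID2_NS, "error": message})
        return 400, {"Content-Type": "text/plain"}, body
    if valid_return_to(return_to):
        # Indirect request: hand the error back to the RP through the browser.
        # return_to is request-supplied, so only fixed openid.* keys are appended.
        parts = urlsplit(return_to)
        query = parse_qsl(parts.query, keep_blank_values=True) + [
            ("openid.ns", OPENID2_NS),
            ("openid.mode", "error"),
            ("openid.error", message),
        ]
        location = urlunsplit(parts._replace(query=urlencode(query)))
        return 302, {"Location": location}, ""
    # No usable return_to: nowhere to redirect, so show the error to the user.
    return 400, {"Content-Type": "text/plain; charset=utf-8"}, message + "\n"
```

A request that carries neither a direct mode nor a usable return_to falls through to the user-facing page, which is the case the spec leaves least clear.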