| 1 |
Hello, all. |
| 2 |
|
| 3 |
As announced earlier, my project for this year of GSoC is the deployment |
| 4 |
of an OpenID provider on identity.gentoo.org [1]. As stated |
| 5 |
in the earlier mail, the main goal is to provide easy-to-use OpenID |
| 6 |
identities for all Gentoo developers and at the same time make most |
| 7 |
of Gentoo services OpenID-aware. |
| 8 |
|
| 9 |
For those interested in the current development, you can check out |
| 10 |
the source code on the github repo [2] and take a look |
| 11 |
at the intermediate status/TODO wiki page [3]. |
| 12 |
|
| 13 |
Pavlos Ratis (dastergon) is doing an another project for |
| 14 |
identity.gentoo.org, with his goal being to provide a webui for |
| 15 |
accessing and modifying the LDAP records. |
| 16 |
|
| 17 |
|
| 18 |
Week #1 |
| 19 |
======= |
| 20 |
|
| 21 |
Status: on schedule |
| 22 |
|
| 23 |
|
| 24 |
Tasks done: |
| 25 |
|
| 26 |
- Some working initial OpenID code has been written and integrated with |
| 27 |
the webapp. The webapp supports authenticating user over LDAP, asking |
| 28 |
for permission to submit the identity to the site and submitting |
| 29 |
a proper identity. |
| 30 |
|
| 31 |
- A django database backend has been written for python-openid library |
| 32 |
that utilizes the django ORM to store the OpenID server state data. |
| 33 |
|
| 34 |
|
| 35 |
Known problems: |
| 36 |
|
| 37 |
- The code lacks proper error responses. However, it's unclear from |
| 38 |
the spec how to properly determine the type of request, especially if |
| 39 |
it's erroneous, and therefore choose a proper response form. I've |
| 40 |
opened a question on stackoverflow [4] as it was suggested |
| 41 |
on the OpenID IRC channel but since I didn't get any answer yet I'm |
| 42 |
going to try the mailing list. |
| 43 |
|
| 44 |
- LDAP connection errors are not reported properly, and end up being |
| 45 |
reported as 'invalid username or password'. This was already reported |
| 46 |
upstream by Theo [5] but we're still waiting for a solution. |
| 47 |
|
| 48 |
- The coding has been done on a separate sub-app which means that |
| 49 |
the login URIs in global settings need to be changed for proper OpenID |
| 50 |
support. This will also make merging the changes a bit harder. |
| 51 |
|
| 52 |
- The code raises an exception whenever a different user is being |
| 53 |
logged in than the one requested by OpenID. This is an assertion done |
| 54 |
in python-openid, the library used for OpenID support, and I have |
| 55 |
submitted a pull request allowing different ID to be used [6]. |
| 56 |
However, it's unclear if it's the proper thing to do, therefore I'm |
| 57 |
waiting for upstream to answer it. |
| 58 |
|
| 59 |
|
| 60 |
Plans for the upcoming week: |
| 61 |
|
| 62 |
- Pull in Pavlos' changes to the webapp UI. Merge my common view |
| 63 |
changes into his new UI. |
| 64 |
|
| 65 |
- Work on integrating the code into the core i.g.o app and cleaning it |
| 66 |
up. |
| 67 |
|
| 68 |
- Implement the proper (or at least semi-proper) error responses. |
| 69 |
|
| 70 |
- Support storing 'always permit this site' preference in the db |
| 71 |
and overriding that preference on login. |
| 72 |
|
| 73 |
|
| 74 |
[1]:http://article.gmane.org/gmane.linux.gentoo.summer-of-code/1337 |
| 75 |
[2]:https://github.com/mgorny/identity.gentoo.org |
| 76 |
[3]:https://github.com/gentoo/identity.gentoo.org/wiki/TODO_mgorny |
| 77 |
[4]:http://stackoverflow.com/questions/17217502/how-to-distinguish-server-side-direct-request-from-an-indirect-request-in-open |
| 78 |
[5]:https://groups.google.com/forum/#!topic/django-auth-ldap/utS-Yq_LKPc |
| 79 |
[6]:https://github.com/openid/python-openid/pull/61 |
| 80 |
|
| 81 |
-- |
| 82 |
Best regards, |
| 83 |
Michał Górny |
Archives