On Sat, 2012-10-20 at 23:27 +0200, Pierre-Yves Chibon wrote:
Hi,
So tonight I have been working on making the jenkins OpenID plugin [1]
work.
This was a little more challenging than anticipated as the plugin asks
for the URL of the OpenID provider. In our case we want to point to FAS.
The 'problem' is that we ask for a username in the OpenID url, while the
plugin does not allow this.
So I came up with the attached patch which does two things:
- Allow contacting /accounts/openid/yadis/ directly (w/o running into an
error 500), which allows OpenID discovery by the client.
- Allow authenticating even if the URL asked for does not contain the
username (which is the case when coming from jenkins).
I'm sending this patch for review; to me the approach sounds fine, but I am
wondering if the second change here is reducing the security or not.
For comparison, google seems to allow URLs not containing the username,
and just lets the user log in if he is not already.
So for the record, we have applied the changes in stg.
I tested on ask:
stg doesn't work maybe because of ssl
but testing from dev01:
works:
http://fas01.dev.fedoraproject.org/accounts/openid/yadis/
http://fas01.dev.fedoraproject.org/accounts/openid/yadis/<user>
http://fas01.dev.fedoraproject.org/accounts/openid/id/<user>
On pypi:
works:
https://admin.stg.fedoraproject.org/accounts/openid/yadis/<user>
https://fas01.dev.fedoraproject.org/accounts/openid/id/<user>
http://fas01.dev.fedoraproject.org/accounts/openid/yadis/<user>
http://fas01.dev.fedoraproject.org/accounts/openid/id/<user>
Both
https://admin.stg.fedoraproject.org/accounts/openid/yadis/
http://fas01.dev.fedoraproject.org/accounts/openid/yadis/
do not work; we suspect pypi doesn't allow discovery.
Since it seems we are not breaking current behavior, I will push this to
upstream and to production.
Pierre
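Added illustration, not part of the thread or of FAS itself, of the security question raised above: how a provider can accept a request whose identity URL carries no username (the Google-style case, which an RP expresses as OpenID 2.0 `identifier_select` after provider-level discovery) without asserting an identity that is not the logged-in user's. The helper names, the treatment of a bare /yadis/ URL as identifier_select, and the session handling are assumptions; the paths follow the ones in the thread.

```python
# Hypothetical provider-side helper (assumption: not the real FAS code).
from typing import Optional
from urllib.parse import urlparse

# OpenID 2.0 value an RP sends when discovery found only the provider,
# not a specific user, and the provider must choose the identifier.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
ID_PREFIX = "/accounts/openid/id/"        # per-user identifier path (thread)
YADIS_PREFIX = "/accounts/openid/yadis/"  # discovery path (thread)


def username_from_identity(identity_url: str) -> Optional[str]:
    """Return the username embedded in an identity URL, or None when the
    URL is the bare provider-level /yadis/ endpoint (no user in it)."""
    path = urlparse(identity_url).path
    for prefix in (ID_PREFIX, YADIS_PREFIX):
        if path.startswith(prefix):
            user = path[len(prefix):].strip("/")
            return user or None
    return None


def resolve_claimed_id(requested_identity: str, session_user: Optional[str],
                       base_url: str) -> Optional[str]:
    """Decide which identifier the provider may assert for this request.

    Returns the identifier URL to sign, or None when the caller must
    (re)login the user first.  The invariant is that the asserted
    identifier always belongs to the user who holds the session:
      - identifier_select (or a URL without username, treated the same
        here by assumption): assert the logged-in user's own /id/ URL;
      - a URL naming a user: assert it only if it names the session
        user, never answer a request for someone else's identity.
    """
    if session_user is None:
        return None
    own_id = f"{base_url}{ID_PREFIX}{session_user}"
    if requested_identity == IDENTIFIER_SELECT:
        return own_id
    requested_user = username_from_identity(requested_identity)
    if requested_user is None:
        return own_id
    if requested_user != session_user:
        return None
    return own_id
```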