TracAuthOpenId 0.4.3

OpenID plugin for Trac

OpenID Authentication Plugin

Description

This plugin allows to login to Trac using OpenID. I use it with Trac 0.12. It was developed under Trac 0.11, so it should work there too. Version 0.4 of this plugin runs under trac 1.0 (formerly 0.13), but this configuration has not yet been extensively tested or used in production.

Download & Source

The source repository is on github. You may submit bug reports and pull requests there.

There are several ways to install this plugin.

1. You can install directly from PyPI using easy_install or pip:

   easy_install TracAuthOpenId

   or:

   pip install TracAuthOpenId

2. There is a Debian package for this plugin:

   sudo aptitude install trac-authopenid

3. Patrick Uiterwijk has packaged this plugin for Fedora:

   yum install trac-authopenid-plugin

   Should you have questions regarding the Fedora packaging, please file them in the Fedora bug tracker.

4. You can clone git repository somewhere in your system:

   cd /your/3rdparty/src
   git clone git://github.com/dairiki/authopenid-plugin.git

   Then you should do following steps:

   cd authopenid-plugin
   python setup.py install

   Alternatively, if you use pip, you can install directly from the git repository:

   pip install git+git://github.com/dairiki/authopenid-plugin.git

For any of the above methods, if you want to do a system-wide installation, you will have to do this with root permissions (e.g. using su or sudo).

How to enable

[components]
trac.web.auth.* = disabled
authopenid.* = enabled

You don’t need to disable default authentication mechanism (trac.web.auth.*) if you are using it. OpenID plugin does not conflict with default authentication mechanism.

Options

This plugin has number of configuration options. Examples are best way to illustrate them. (NB: some of this is out of date and needs to be updated):

[trac]
# Check user IP address. IP addresses are masked because
# in some cases user is behind internal proxy and last
# number in IP address might vary. Disable check_auth_ip
# if you are using IPv6. If you still want to have IPv6
# support please contact me.
check_auth_ip = true
check_auth_ip_mask = 255.255.255.0
# number of seconds until cookie will expire
auth_cookie_lifetime = 86400

[openid]

# In some cases company might have internal OpenID server that
# automatically identifies user (e.g. windows SSPI). Also known as
# single sign-on.  default_openid = http://openid.ee Require sreg
# data
sreg_required = false

# If you want username to be written as
# "username_in_remote_system <openid_url>" use:
#combined_username = true

# Default PAPE method to request from OpenID provider.
# pape_method =

# What is OpenID link.
whatis = http://openid.net/what/
# Sign-up link
signup = http://openid.net/get
# Gmail login button (default: true)
# gmail = false
# In some cases you might want allow users to login to different
# projects using different OpenIDs. In that case don't use
# absolute trust root.
absolute_trust_root = false

# Remove http:// or https:// from URL that is used as
# username. (Default: false)
strip_protocol = false

# Remove trailing slash from URL that is user as username (Defaul: false)
strip_trailing_slash = false

# Expiration time acts as timeout. E.g. if expiration time is 24
# hour and you login again in those 24 hours. Expiration time is
# extended for another 24 hours. (Default: false)
timeout = false

# White and black lists.
# E.g.: Allows all the people from Lithuania, Latvia or Estonia
# except delfi domain.
# IMPORTANT: strip_protocol and strip_trailing_slash affects what
# openid will be given to white_list or black_list
#white_list = *.lt, *.lv, *.ee
#black_list = *.delfi.lt,*.delfi.lv,*.delfi.ee

# In addition to white and black lists you can use external
# service for allowing users into trac. To control that you must
# use check_list and check_list_key option. It will generate URL:
#
#     check_list?check_list_key=openid&email=email
#
# email will be attached only if available.
#
# It expects JSON result in following format:
#
#     {"check_list_key": true}
#
# IMPORTANT: strip_protocol and strip_trailing_slash affects what
# openid will be send to service
# NOTE: You can specify check_list_username as well. In that case
# JSON service should return new username as
# well. E.g. check_list_username=username. Expected result from
# JSON service is:
#
#     {"check_list_key": true, "username": "Peter"}
#
# You can use this option to map your OpenIDs to internal username.
#check_list = http://your.site.com/openidallow
#check_list_key = check_list
#check_list_username=
#
# You can add one custom openid provider:
#custom_provider_name = test
#custom_provider_label = Enter openidprovider username:
#custom_provider_url = http://openidprovider/{username}
#custom_provider_image = http://openidprovider/favicon.png

Authors

This plugin was written by Dalius Dobravolskas. It is currently being maintained by Jeff Dairiki. Other contributors include: Patrick Uiterwijk.

Changes

Version 0.4.3 (2013-05-22)

Bug Fixes

• Fix so that check_list_username actually works. Now one can actually use the check_list web API to implement custom identity to username mapping.

• Fall back to using the identifier URL as the authname (rather than throwing an exception) if the OpenID provider did not return a full name (or nickname).

Packaging

• README.rst: Patrick Uiterwijk has packaged this plugin for Fedora

Version 0.4.2 (2013-03-24)

New Features

These features were contributed by Patrick Uiterwijk.

• New config option use_nickname_as_authname. If set, the OpenID nickname will be used for the authname (or trac username).

• New config option trust_authname. If set, trust the OpenID-derived authname to be unique. Security warning: do not set this unless you know what you are doing.

Version 0.4.1 (2012-06-25)

This is a brown bag release. Release 0.4 was unusable.

Bug Fixes

• Packaging: A number of crucial files were omitted from the manifest.

Version 0.4 (2012-06-25)

Configuration Changes

• The default for [trac] check_auth_ip is now False. This has security implications. If you want authorization to be tied to the clients IP address you must now explicitly set this option to True.

  Prior to this change, if check_auth_ip was not explicitly set, we ignored the global trac default (False) for the setting and behaved as if it were set to True.

  This change is being made for the sake of backwards compatibility with trac 0.11 whose Configuration.has_option method does not support the optional defaults argument added in 0.12. Without that there seems to be no clean way to determine whether a setting is explicitly set in the .ini file.

New Features

• We will now use the json package if your python version includes it (python >= 2.6). For older pythons, the simplejson package is now required.

• A minor hack has been made which allows at least basic functionality under the development branch, trac-1.0 (formerly know as trac-0.13). Note that only very basic tests under trac-1.0 have not been performed. (The code in this plugin still does not adhere to the modern trac db API usage recommendations.)

Version 0.3.6 (2012-03-05)

New Maintainer

Jeff Dairiki has taken over maintenance of this plugin from the original author, Dalius Dobravolskas (who no longer uses trac.)

The source repository for the plugin has moved to https://github.com/dairiki/authopenid-plugin.

New Features

• Respect the [trac] auth_cookie_lifetime config value when setting cookie expiration times.

Deprecations

• Using the [trac] expires setting to specify the auth cookie lifetime is deprecated. Use [trac] auth_cookie_lifetime instead. (The expires setting does not seem to exist in trac 0.12 or 0.11.)

Bug Fixes

• Don’t override the default value for the [trac] check_auth_ip configuration setting. Trac declares this to have a default value of false; we were overriding that default to true.

Version 0.3.5 (2011-10-04)

New Features

• Now AX (as well as SREG) are attempted to get the user’s name. This is tested with Google (which does not support SREG).

• The new config setting [openid] lowercase_authname specifies whether to force authnames to lowercase. For backwards compatibility, the default for this option is true (see below). In general, however, I think it makes more sense to set this option to false.

Bug Fixes

• Authnames were being lower-cased when recovering them from the cookie, but not when generating them initially. This resulted — unless the user’s name was all lower case to start with — in two sessions being created upon initial login, one of which was ignored thereafter.

• Always uniquify authnames. When they are lowercased, there’s always a chance of collision, even when they include the identity URL.