PAS Plugin for authentication with A-Select
- Moved to https://github.com/zestsoftware/pas.plugins.aselect [maurits]
- Made tests a bit less likely to fail when config defaults have changed (like in a monkey patch in a client package). [maurits]
- Moved to Plone collective. First public release. [maurits]
- Fixed tests after recent addition of the UPDATE_EXISTING_USERS config option (default: False). [maurits]
- Added locales for one translation. [maurits]
- On the @@aselect-login page, if no user has been created because he could belong to multiple groups, show options for the user to choose a group to join. [maurits]
- Added config option GROUP_ATTRIBUTE, with default ‘nlEduPersonHomeOrganizationId’ [maurits]
- Added two config options: MUST_HAVE_GROUP and MUST_HAVE_EXACTLY_ONE_GROUP, both by default True. Using these default settings, we refuse to create and authenticate a user when we cannot extract exactly one group from the credentials. [maurits]
- Added config option NOT_ACCEPTED_USERS and compare the given name of the credentials with this black list. We do not authenticate a blacklisted user. [maurits]
- Renamed the ALWAYS_UPDATE configuration option to the clearer UPDATE_AUTHENTICATED_USER. [maurits]
- Renamed the EXTRACT_ALWAYS configuration option to the clearer EXTRACT_ON_ALL_PATHS. [maurits]
- Change config.UPDATE_ALWAYS to True, so we always update the user properties and group settings, as we by default just react on the aselect-login page and testcookies page anyway. [maurits]
- When we do not know a last name, add the first part of the email to the fullname instead (if that is known). [maurits]
- Allow calling @@aselect-login?noredirect=1 to stay on the @@aselect-login page instead of being redirected to the Plone Site root. This should make it easier to inspect cookies. [maurits]
- Do not always extract and authenticate credentials, but only when on certain paths, like testcookies and aselect-login. [maurits]
- Added aselect-login page that simply redirects to the Plone Site root. Define this as a protected app in the (Apache) A-Select module and you should be good to go. [maurits]
- If the nlEduPersonHomeOrganizationId (presumably a BRIN code) matches a group id, we add the user to that group during authentication. [maurits]
- Only deal with the aselectattributes cookie, not any others. [maurits]
- First release, based on some old customer code. [maurits]
A-Select (Dutch only) in combination with the “licentiekantoor” (“license office”), is a full authentication/authorization solution. It can be compared a bit to openid: with the addition of authorization.
Basic premise: the already-available apache configuration handles the communication with aselect and ensures that the aselect cookies that we get are genuine. So the PAS plugin only has to deal with the cookie contents.
This plugin does extraction and authentication:
- Extract credentials from the aselectattributes cookie: the user id and member data, like fullname, email address, organization id (BRIN code).
- Authenticate credentials: create or update a member object based on the extracted credentials and authenticate this user.
- If the organization id matches the id of an existing group, we add this user to that group. Note that groups are never removed again.
So, our solution is to only extract aselect info on certain paths; by
default this done on the
@@aselect-login' path and the
`@@testcookies` path. Alternatively you may choose to never update
the aselect info for users that already have an
authentication cookie (__ac) from plone.session. A logout should be
enough to reset the plone.session cookie, which should trigger a
renewed automatic login plus getting the property updates, because the
A-Select cookie should still be available.
That is the default behaviour. In config.py you can change several settings (in a patch in an own package) if you do not like the defaults and are aware of the effects on performance and up-to-date-ness. Note that the config.py is reasonably well commented, so if you are a programmer you may want to have a look at that.
Alternatively, we might want to do something smart, like remembering the cookiestring somewhere and only trying an update if there is a change in that string.
Tested with Plone 3.3.5. Add pas.plugins.aselect to the eggs parameter of your instance section in buildout.cfg. Rerun buildout, start your instance, and install the plugin through ‘Add/Remove Products’ in the Site Setup. The only thing the install code does, is add the plugin to acl_users, activate it for the required plugin interfaces, and make sure it is the first plugin listed for those interfaces (the order might not be that important actually, see above). So if wanted, you could do that manually.
Note that in the README.txt within the pas/plugins/aselect directory, there is an extensive doctest. It probably works better as test than as documentation, so it is not included on the PyPI page.