OpenID Connect authentication for Trac
This plugin was written as a partial replacement for the TracAuthOpenId plugin, since Google has (as of mid-June, 2015) discontinued support for authentication using OpenID 2.0. Google’s extension for mapping OpenID 2.0 identifiers to OpenID Connect identifiers is used, so sites which previously used TracAuthOpenId for authentication against Google should be able to switch to using trac-oidc without losing track of users’ settings and permissions.
This plugin is tested with trac versions 0.11, 0.12, 1.0, and 1.1.
You must obtain OAuth 2.0 credentials from Google before you can use this plugin.
pip install trac-oidc
In your trac.ini:
    [components]

    # You must enable the trac_oidc plugin
    trac_oidc.* = enabled

    # Optional: You probably want to disable the stock login module
    trac.web.auth.loginmodule = disabled

    [trac_oidc]

    # Optional: Specify the path to the client secrets JSON file.
    # The default is ``client_secret.json``. Relative paths are
    # interpreted relative to the ``conf`` subdirectory of the trac
    # environment (i.e. alongside ``trac.ini``.)
    client_secret_file = /path/to/client_secret.json

    [openid]

    # Optional: This only matters if you would like to migrate
    # users created by the TracAuthOpenId plugin to this one.
    # In that case, the OpenID realm must be set to the same value
    # that was used by TracAuthOpenId (where it is called the *trust root*)
    # for the identity URLs to be comparable.
    #
    # If this is set, then the OpenID realm will include just the hostname,
    # otherwise the realm will include the full base path of the trac.
    # E.g. if your trac is at ``http://example.org:8080/mytrac``, then the realm
    # will be ``http://example.org:8080/`` if ``absolute_trust_root`` is set
    # and ``http://example.org:8080/mytrac`` if ``absolute_trust_root`` is
    # not set.
    #
    # The default is ``true``.
    # absolute_trust_root = false
If you used only Google as the authentication provider with TracAuthOpenId, then you should be able to disable TracAuthOpenId, configure and enable trac-oidc, and things should just work — users should keep their sessions (i.e. they will retain their settings and permissions.)
Make sure not to change the setting of absolute_trust_root from whatever you were using with TracAuthOpenId.
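One way to check these settings before switching plugins, as an added example that is not part of the trac-oidc project: it parses a trac.ini with Python's standard library and derives the realm by the rule given in the configuration comments above. The function names, the sample configuration and the base URL are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample configuration, not taken from a real site.
SAMPLE_INI = """
[components]
trac_oidc.* = enabled
trac.web.auth.loginmodule = disabled

[trac_oidc]
client_secret_file = /path/to/client_secret.json

[openid]
absolute_trust_root = false
"""

def openid_realm(base_url, absolute_trust_root=True):
    """Realm per the README rule: hostname only, or the full base path.
    A Trac served from the site root is not covered by the README."""
    parts = urlsplit(base_url)
    if absolute_trust_root:
        return "%s://%s/" % (parts.scheme, parts.netloc)
    return "%s://%s%s" % (parts.scheme, parts.netloc, parts.path.rstrip("/"))

def audit(ini_text, base_url, old_realm):
    """Return a list of findings; an empty list means nothing to fix.
    old_realm is the trust root that TracAuthOpenId was using."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    findings = []
    # Only the spellings shown in the README ("enabled"/"disabled") are checked.
    if cfg.get("components", "trac_oidc.*", fallback="").lower() != "enabled":
        findings.append("trac_oidc.* is not enabled")
    stock = cfg.get("components", "trac.web.auth.loginmodule", fallback="enabled")
    if stock.lower() != "disabled":
        findings.append("stock login module is still enabled")
    # The README states that absolute_trust_root defaults to true.
    absolute = cfg.getboolean("openid", "absolute_trust_root", fallback=True)
    realm = openid_realm(base_url, absolute)
    if realm != old_realm:
        findings.append("realm %s differs from old trust root %s" % (realm, old_realm))
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_INI, "http://example.org:8080/mytrac",
                      "http://example.org:8080/"):
        print("FINDING:", line)
```

A realm mismatch means the migrated identity URLs will not be comparable, so existing users would not be matched to their old sessions.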
If you were using multiple authentication providers with TracAuthOpenId, it should be possible to run both TracAuthOpenId (with Google disabled), and trac-oidc together. I have not tried this, however, and some tuning will probably be required.
Though, currently, only authentication via Google’s OP is supported, it should be straightforward to generalize the plugin to work with other OpenID Connect providers, and other authentication services based on OAuth 2.0 (e.g. Twitter, Facebook.)
I’m not sure exactly what’s involved, but it would be nice if the AccountManagerPlugin could be used to administer associations between OIDC subject identifiers and authenticated sessions, etc.
Initial release. There is no 0.1 (I botched the upload to PyPI).
|File Name||Version||File Type||Upload Date|
|trac_oidc-0.1.5-py2-none-any.whl (29.3 kB)||2.6||Wheel||Jul 16, 2015|
|trac-oidc-0.1.5.tar.gz (22.5 kB)||–||Source||Jul 16, 2015|