
OpenID Connect authentication for Trac

Project description


Description

A plugin to support authentication to trac using OpenID Connect.

This plugin is being written in a fire-drill mode since Google has discontinued support for OpenID authentication and our trac is currently using TracAuthOpenId for authentication via Google.

Currently this probably only works with Google as the authentication provider.

Development takes place at http://github.com/dairiki/trac-oidc/.

This plugin is tested with trac versions 0.11, 0.12 and 1.0.

Usage

Obtain OAuth 2.0 Credentials

You must obtain OAuth 2.0 credentials from Google before you can use this plugin.

  1. Go to the Google Developers Console.

  2. Select a project, or create a new one.

  3. In the sidebar on the left, expand APIs & auth. Next, click APIs. Select the Enabled APIs link in the API section to see a list of all your enabled APIs.

  4. Optional, but recommended: Make sure that the Google+ API is on the list of enabled APIs. If you have not enabled it, select the API from the list of APIs, then select the Enable API button for the API. (The Google+ API is used to retrieve the user’s real name on initial sign in.)

  5. In the sidebar on the left, select Credentials.

  6. If you haven’t done so already, create your project’s OAuth 2.0 credentials by clicking Create new Client ID, and providing the information needed to create the credentials.

  7. The redirect URI used by this plugin is the base URL for your trac followed by /trac_oidc/redirect. I.e. if the top of your trac is at http://example.org/mytrac, then the redirect URI will be http://example.org/mytrac/trac_oidc/redirect. If your trac is available under multiple hostnames, or under both http: and https: schemes, then you may need to configure multiple redirect URIs.

  8. When all looks copacetic, click the Download JSON button (on the Credentials page) to download a JSON file containing the required client secrets. Save this file to somewhere where trac can read it. By default, the plugin looks for this file under the name client_secret.json in the conf subdirectory of the trac environment, however this can be configured. (Since the file contains sensitive information, consider setting the file permissions so that not just anybody can read it.)

Install the Plugin

The plugin is available from PyPI, so it may be installed, e.g., using pip:

pip install trac-oidc

Configuration

In your trac.ini:

[components]

# You must enable the trac_oidc plugin
trac_oidc.* = enabled

# Optional: You probably want to disable the stock login module
trac.web.auth.loginmodule = disabled

[trac_oidc]

# Optional: Specify the path to the client secrets JSON file.
# The default is ``client_secret.json``.  Relative paths are
# interpreted relative to the ``conf`` subdirectory of the trac
# environment (i.e. alongside ``trac.ini``.)
client_secret_file = /path/to/client_secret.json

[openid]

# Optional: This only matters if you would like to migrate
# users created by the TracAuthOpenId plugin to this one.
# In that case, the OpenID realm must be set to the same value
# that was used by TracAuthOpenId (where it is called the *trust root*)
# for the identity URLs to be comparable.
#
# If this is set, then the OpenID realm will include just the hostname,
# otherwise the realm will include the full base path of the trac.
# E.g. if your trac is ``http://example.org:8080/mytrac``, then the realm
# will be ``http://example.org:8080/`` if ``absolute_trust_root`` is set
# and ``http://example.org:8080/mytrac`` if ``absolute_trust_root`` is
# not set.
#
# The default is ``true``.
#
absolute_trust_root = false
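The following is an added example, not part of the plugin: it derives the redirect URI from the credential steps above and the OpenID realm from the absolute_trust_root setting, and audits a downloaded client_secret.json for the two things step 8 asks for (the plugin's redirect URI registered, file not readable by everyone). The {"web": {..., "redirect_uris": [...]}} layout is assumed from Google's client-secrets format; the sample credentials are constructed placeholders.

```python
"""Added example, not the plugin's code.  The client_secret.json layout
{"web": {..., "redirect_uris": [...]}} is an assumption (Google format)."""
import json, os, stat, tempfile
from urllib.parse import urlsplit

def redirect_uri(base_url):
    """Redirect URI the plugin uses: trac base URL + /trac_oidc/redirect."""
    return base_url.rstrip("/") + "/trac_oidc/redirect"

def openid_realm(base_url, absolute_trust_root=True):
    """Realm per [openid]: hostname only when absolute_trust_root is set
    (the default), otherwise the full base path of the trac."""
    parts = urlsplit(base_url)
    root = "%s://%s/" % (parts.scheme, parts.netloc)
    path = parts.path.rstrip("/")
    return root if absolute_trust_root or not path else root.rstrip("/") + path

def audit_client_secret(path, base_url):
    """List problems: secrets readable by group/others (README step 8),
    missing client_id/client_secret, plugin redirect URI not registered."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file is readable by group/others (mode %o)" % mode)
    with open(path) as fp:
        web = json.load(fp).get("web", {})
    for key in ("client_id", "client_secret"):
        if not web.get(key):
            problems.append("missing %s" % key)
    expected = redirect_uri(base_url)
    if expected not in web.get("redirect_uris", []):
        problems.append("redirect URI %s not registered" % expected)
    return problems

def demo():
    """Audit a constructed sample (placeholder credentials) for a trac at
    http://example.org/mytrac that was saved world-readable."""
    sample = {"web": {"client_id": "PLACEHOLDER-client-id",
                      "client_secret": "PLACEHOLDER-secret",
                      "redirect_uris": [redirect_uri("http://example.org/mytrac")]}}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fp:
        json.dump(sample, fp)
    os.chmod(path, 0o644)  # group/world readable: the audit should flag this
    try:
        return audit_client_secret(path, "http://example.org/mytrac")
    finally:
        os.unlink(path)
```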

Migration from TracAuthOpenID

If you used only Google as the authentication provider with TracAuthOpenId, then you should be able to disable TracAuthOpenId, configure and enable trac-oidc, and things should just work — users should keep their sessions (i.e. they will retain their settings and permissions.)

If you were using multiple authentication providers with TracAuthOpenId, it should be possible to run both TracAuthOpenId (with Google disabled) and trac-oidc together. I have not tried this, however, and some tuning will probably be required.

To Do

Possible improvements.

Generalize to work with more providers

This could be generalized to work with other OpenID Connect providers, as well as other OAuth2-based (but non-OpenID Connect) providers (e.g. Facebook, Twitter).

Maybe using oic (rather than oauth2client) would make this easier. (Oic is rather sparsely documented, however.)

Use preferred_username claim, when available, to determine the default authname for new accounts.

Integrate with AccountManagerPlugin

I’m not sure exactly what’s involved, but it would be nice if the AccountManagerPlugin could be used to administer associations between OIDC subject identifiers and authenticated sessions, etc.

Authors

Jeff Dairiki

History

0.1.3 (2015-06-23)

Behavioral Changes

  • In the “logged in as %(user)s” message (in the metanav menu), user is now always set to the session id or authname of the logged-in user. Previously the real name of the user was shown instead, when it was available. This now matches the behavior of the stock LoginModule component.

Bugs Fixed

  • The Logout link should now work again. It was broken for trac >= 1.0.2.

Large Refactor

  • Lots of code cleanup, including splitting the logic into several components/classes:

    • AuthCookieManager: for managing the trac authentication cookie

    • UserDatabase: for mapping between OpenID identities and trac authnames.

    • SessionHelper: for searching and managing authenticated sessions

    • Authenticator: for handling the OpenID Connect flow

0.1.2 (2015-06-20)

Features

  • The plugin should now work with trac 0.11.

Bugs Fixed

  • [trac > 1.0.2] Fixed Logout link so that it works under trac > 1.0.2. Recent tracs use a logout form rather than a link (for CSRF protection.)

Testing

  • Added a functional test. Run tests with trac version 0.11, 0.12 and latest (1.0).

Refactor

  • Renamed trac_oidc.plugin module to trac_oidc.trac_oidc. Trac’s default log format string includes "[%(module)s]"; [trac_oidc] is much more informative than [plugin].

0.1.1 (2015-06-18)

Initial release. There is no 0.1 (I botched the upload to PyPI).
