Authentication to FAS¶
The Fedora Account System has a JSON interface that we make use
of to authenticate users in our web apps. Currently, there are two modes of
operation. Some web apps have single sign-on capability with
Fedora Account System. These are the TurboGears applications that use the
jsonfasprovider
. Other apps do not have
single sign-on but they do connect to Fedora Account System to verify the
username and password so changing the password in Fedora Account System changes it
everywhere.
TurboGears Identity Provider 2¶
An identity provider with CSRF protection.
This will install as a TurboGears identity plugin. To use it, set the
following in your APPNAME/config/app.cfg
file:
identity.provider='jsonfas2'
visit.manager='jsonfas2'
See also
CSRF-Protection
Turbogears Identity Provider 1¶
These methods are deprecated because they do not provide the CSRF protection of TurboGears Identity Provider 2. Please use that identity provider instead.
Django Authentication Backend¶
Flask Auth Plugin¶
Flask FAS OpenId Auth Plugin¶
The flask_openid provider is an alternative to the flask_fas auth plugin. It leverages our FAS-OpenID server to do authn and authz (group memberships). Note that not every feature is available with a generic OpenID provider – the plugin depends on the OpenID provider having certain extensions in order to provide more than basic OpenID auth.
Any compliant OpenID server should allow you to use the basic authn features of OpenID OpenID authentication core: http://openid.net/specs/openid-authentication-2_0.html
Retrieving simple information about the user such as username, human name, email is done with sreg: http://openid.net/specs/openid-simple-registration-extension-1_0.html which is an extension supported by many providers.
Advanced security features such as requiring a user to re-login to the OpenID provider or specifying that the user login with a hardware token requires the PAPE extension: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html
To get groups information, the provider must implement the https://dev.launchpad.net/OpenIDTeams extension.
We have extended the teams extension so you can request a team name of
_FAS_ALL_GROUPS_
to retrieve all the groups that a user belongs to. Without this addition to the teams extension you will need to manually configure which groups you are interested in knowing about. See the documentation for how to do so.
Retrieving information about whether a user has signed a CLA (For Fedora, this is the Fedora Project Contributor Agreement). http://fedoraproject.org/specs/open_id/cla
If the provider you use does not support one of these extensions, the plugin should still work but naturally, it will return empty values for the information that the extension would have provided.