#3707 closed defect (fixed)
Ability to provide whitelist of OpenIDs
| Reported by: | | Owned by: | Dalius |
|---|---|---|---|
| Priority: | low | Component: | AuthOpenIdPlugin |
| Severity: | normal | Keywords: | user, users, whitelist, security |
| Cc: | | Trac Release: | 0.11 |
Description
When using HTTP authentication, it was perfectly possible to manage the htpasswd file in Apache as I wished and only allow logins to specific people. I've now enabled OpenID and disabled the original login mechanism and, as far as I can see, this has now opened up my Trac to anyone with an OpenID.
Is there a way to allow only a given list of OpenIDs? I've looked around for a good hour and couldn't quite find it if it can be done. If it cannot be done, I'd like to request this as a feature.
Attachments (0)
Change History (10)
comment:1 Changed 16 years ago by
comment:2 Changed 16 years ago by
| Priority: | normal → low |
|---|---|
Absolutely :-)
Any hints on parts of the code relevant before I dive in? I am thankfully fairly proficient in Python.
comment:3 Changed 16 years ago by
That shouldn't be very hard if the whitelist is very short:
- Look at how to use Options. I guess you could create an Option white_list with a comma separated list of openids. A more advanced option could use wildcards or regexps.
- Check file authopenid.py (http://hg.sandbox.lt/authopenid-plugin/file/0570350f5955/authopenid/authopenid.py). The actual log in happens in function _do_process in the if case "info.status == consumer.SUCCESS:".
HTH :)
comment:4 Changed 16 years ago by
A whitelist feature would be great. I'd like to restrict authentications to a managed list but allow my private community to use OpenID as a single sign-on system.
Is there any scope for a more scalable approach where you could query a REST api for whitelist and/or blacklist?
.M.
michela around modfilms.com
comment:5 Changed 16 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
white_list and black_list options added to the openid section. Please look at the example of how to use these: http://trac-hacks.org/wiki/AuthOpenIdPlugin
I will contact michela for his/her specific case, since I'm not aware of any standard defining OpenID whitelisting/blacklisting. A new ticket will be created for that specific case.
comment:6 Changed 16 years ago by
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Type: | enhancement → defect |
Hi dalius, thanks for implementing the whitelist feature I suggested. Any thoughts on below?
The functionality as described in config is what I was after but I'm getting an error with this traceback:

```
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/Trac-0.11.1-py2.4.egg/trac/web/main.py", line 423, in _dispatch_request
    dispatcher.dispatch(req)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.1-py2.4.egg/trac/web/main.py", line 197, in dispatch
    resp = chosen_handler.process_request(req)
  File "build/bdist.linux-i686/egg/authopenid/authopenid.py", line 221, in process_request
  File "build/bdist.linux-i686/egg/authopenid/authopenid.py", line 432, in _do_process
  File "build/bdist.linux-i686/egg/simplejson/__init__.py", line 275, in load
  File "build/bdist.linux-i686/egg/simplejson/__init__.py", line 315, in loads
  File "build/bdist.linux-i686/egg/simplejson/decoder.py", line 315, in decode
  File "build/bdist.linux-i686/egg/simplejson/decoder.py", line 333, in raw_decode
ValueError: No JSON object could be decoded
```
I've set up a test whitelist service as above and tested against JSONLint so I think my output is valid - http://www.jsonlint.com/
- TRUE: http://trac.modfilms.com:7861/openidallow/check_list?check_list_key=michela.myopenid.com
- FALSE: http://chief/openidallow/check_list?check_list_key=notwhitelisted.myopenid.com

If you want to use my service for your testing, just email me your openid and I'll whitelist it.
Cheers
.M.
comment:7 Changed 16 years ago by
My trac.ini config for reference:

```
[openid]
absolute_trust_root = false
signup = https://www.myopenid.com/signup?affiliate_id=18260&openid.sreg.optional=email,nickname
sreg_required = false
strip_protocol = false
strip_trailing_slash = false
timeout = false
whatis = http://openid.net/what/
# In addition to white and black lists you can use external service
# for allowing users into trac. To control that you must use check_list
# and check_list_key option. It will generate URL:
# check_list?check_list_key=openid
# It expects JSON result in following format:
# {"check_list_key": true}
# IMPORTANT: this functionality uses simplejson which might not be available on your system by default. Install it if you want to use this functionality.
# IMPORTANT: strip_protocol and strip_trailing_slash affects what openid will be send to service
check_list = http://trac.modfilms.com:7861/openidallow
check_list_key = check_list
```
comment:8 follow-up: 9 Changed 16 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
That's a configuration issue. It should be:

```
check_list = http://trac.modfilms.com:7861/openidallow/check_list
check_list_key = check_list_key
```

You can see debug messages before this error as well:

```
1:57:29 PM Trac[authopenid] DEBUG: OpenID check list URL: http://trac.modfilms.com:7861/openidallow/check_list?check_list_key=blog.sandbox.lt
```

In your case you should see an incorrect URL string.
comment:9 Changed 16 years ago by
Replying to dalius:

> That's a configuration issue. It should be:
>
> ```
> check_list = http://trac.modfilms.com:7861/openidallow/check_list
> check_list_key = check_list_key
> ```
>
> You can see debug messages before this error as well:
>
> ```
> 1:57:29 PM Trac[authopenid] DEBUG: OpenID check list URL: http://trac.modfilms.com:7861/openidallow/check_list?check_list_key=blog.sandbox.lt
> ```
>
> In your case you should see an incorrect URL string.
Thanks dalius. That's great.
The whitelist needs to support a few variations of the URL (optional protocol and/or trailing slash).
comment:10 Changed 16 years ago by
Michela, I don't really understand. If you are speaking about the strip_protocol and strip_trailing_slash options, I think that should be handled on the whitelist service side, because otherwise we would need to make several requests from the plugin side.
At the moment it can't be done. I can't promise to implement that soon because I have more important things to do. Feel free to implement that yourself - that's what open source is about, after all.
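The pieces discussed across this ticket (the white_list/black_list options from comment:5, the check_list URL and JSON contract from the trac.ini in comment:7 and the correction in comment:8, and the protocol/trailing-slash normalisation raised in comments 9 and 10) fit together in the following Python 3 sketch. It is an added example written for this page, not the AuthOpenIdPlugin's own code: the function names, the decision order (black list denies first, then white list allows, then the external service decides) and the stand-in "service" dictionary are all assumptions made here, and the configuration values are taken from the ticket or constructed.

```python
import json
from urllib.parse import urlencode, urlsplit


def normalize_openid(openid, strip_protocol=False, strip_trailing_slash=False):
    """Canonicalise an OpenID identity URL the way the strip_protocol and
    strip_trailing_slash options describe, so that list entries and the key
    sent to the check_list service compare consistently (hypothetical helper)."""
    value = openid.strip()
    if "://" not in value:            # bare host, as people often type it
        value = "http://" + value
    parts = urlsplit(value)
    rest = parts.netloc.lower() + parts.path
    if parts.query:
        rest += "?" + parts.query
    if strip_trailing_slash:
        rest = rest.rstrip("/")
    if strip_protocol:
        return rest
    return parts.scheme.lower() + "://" + rest


def parse_list(option_value, **norm):
    """Split a comma separated trac.ini option into a set of normalised entries."""
    return {normalize_openid(item, **norm)
            for item in option_value.split(",") if item.strip()}


def check_list_url(check_list, check_list_key, openid):
    """Build the URL the trac.ini comment describes: check_list?check_list_key=openid.
    Note that a check_list value missing its endpoint path still yields a
    syntactically valid URL; that is the misconfiguration comment:8 points out."""
    return check_list + "?" + urlencode({check_list_key: openid})


def decode_check_response(body, check_list_key):
    """The service must answer {"<check_list_key>": true}.  Only a JSON boolean
    true allows; any other shape denies.  A non-JSON body (e.g. an HTML 404 page
    from a wrong URL) raises ValueError, the error shown in the traceback above."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValueError("check_list service returned non-JSON: %r" % body[:80]) from exc
    return isinstance(data, dict) and data.get(check_list_key) is True


def is_allowed(openid, config, fetch):
    """Allow/deny decision.  Order is an assumption for this example: black_list
    denies first, white_list allows, then the external service decides; with
    nothing configured at all, everyone is allowed (the situation in the report)."""
    norm = dict(strip_protocol=config.get("strip_protocol", False),
                strip_trailing_slash=config.get("strip_trailing_slash", False))
    ident = normalize_openid(openid, **norm)
    if ident in parse_list(config.get("black_list", ""), **norm):
        return False
    white = parse_list(config.get("white_list", ""), **norm)
    if ident in white:
        return True
    if config.get("check_list"):
        key = config.get("check_list_key", "check_list_key")
        url = check_list_url(config["check_list"], key, ident)
        return decode_check_response(fetch(url), key)
    return not white


# Constructed stand-in for the external service: maps the exact URL the plugin
# would request to the body it returns; anything else gets an HTML error page.
CORRECT = "http://trac.modfilms.com:7861/openidallow/check_list"
FAKE_SERVICE = {
    CORRECT + "?check_list_key=michela.myopenid.com": '{"check_list_key": true}',
    CORRECT + "?check_list_key=notwhitelisted.myopenid.com": '{"check_list_key": false}',
}


def fake_fetch(url):
    return FAKE_SERVICE.get(url, "<html><body>404 Not Found</body></html>")


# Constructed configurations: GOOD_CONFIG uses the corrected values from
# comment:8, BAD_CONFIG the original trac.ini from comment:7.
GOOD_CONFIG = {"strip_protocol": True, "strip_trailing_slash": True,
               "black_list": "blocked.example.org",
               "check_list": CORRECT, "check_list_key": "check_list_key"}
BAD_CONFIG = dict(GOOD_CONFIG, check_list="http://trac.modfilms.com:7861/openidallow",
                  check_list_key="check_list")

if __name__ == "__main__":
    print(is_allowed("https://michela.myopenid.com/", GOOD_CONFIG, fake_fetch))      # True
    print(is_allowed("http://notwhitelisted.myopenid.com", GOOD_CONFIG, fake_fetch))  # False
    try:
        is_allowed("https://michela.myopenid.com/", BAD_CONFIG, fake_fetch)
    except ValueError as exc:
        print("misconfigured:", exc)
```

Because the identity is normalised before the lists are consulted and before the service URL is built, the variations Michela mentions (with or without "https://", with or without a trailing slash) all map to one key, so the service only ever has to store one form and the plugin still makes a single request, which is the trade-off dalius describes in comment:10.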