#4131 [RFE] Enable access tokens for a Trac-based service
Closed: Fixed None Opened 10 years ago by mkosek.

Hello, I have an internal web application (behind Red Hat firewall) implementing a service on top of Fedorahosted Trac XMLRPC API.

It needs some way to authenticate users to Trac and store the access credentials in the user's session, allowing users to do different Trac API actions without typing user+password again.

However, currently it needs to store user+password in plain text, which is suboptimal. Is there a way to get any form of access cookie that the app could store in memory and use to authorize to Trac? I tried using FasProxyClient, but no luck (script attached). I am open to all options; if this RFE would lead to the tool being an OpenID service provider and I would store an OAuth access token, I am OK with it. I just do not want to be forced to store users and passwords.


Dysfunctional testing script
faslogin.py

At the moment, you will have to have access to the user's username and password. We do not have any token infrastructure in place to grant limited access. We've talked about adding OAuth support to Fedora infrastructure as a whole, but to live up to its potential, OAuth needs to have support in each service individually, and it does not appear that Trac has that sort of support at the moment.

If you are looking to do something where you can take the user's username and password once per "session", you should be able to log in to Trac via OpenID and then store the cookie that Trac uses to authenticate you on subsequent visits until the Trac cookie times out.

pingou and I started work on porting a BaseClient-like client library to be able to do that. You can see the code here: http://toshio.fedorapeople.org/openidcli.py

The login() method is what you'd primarily be interested in. (Note that this code is still highly proof-of-concept. We're working on turning it from proof that this method can work into an API that people can use, but we're not there yet.)
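An added example (not part of the ticket and not the openidcli.py script linked above) of the approach this comment describes: after one login, keep only the Trac session cookie in memory and attach it to each XML-RPC call. It assumes Python 3, Trac's `trac_auth` login cookie, a hypothetical one-hour local lifetime cap, and a login step (not shown) that has already filled a cookie jar.

```python
import time
import xmlrpc.client
from http.cookiejar import CookieJar


class SessionCookieTransport(xmlrpc.client.SafeTransport):
    """HTTPS XML-RPC transport that holds a session cookie, never a password."""

    def __init__(self, name, value, expires_at, **kwargs):
        super().__init__(**kwargs)
        self._name, self._value, self._expires_at = name, value, expires_at

    @classmethod
    def from_jar(cls, jar: CookieJar, name="trac_auth", max_age=3600):
        # "trac_auth" is Trac's login cookie name; max_age is an assumed local
        # cap applied when the server sends a session cookie with no expiry.
        for cookie in jar:
            if cookie.name == name:
                expires_at = cookie.expires or time.time() + max_age
                return cls(name, cookie.value, expires_at)
        raise LookupError("no %s cookie in jar; login did not succeed" % name)

    def auth_headers(self, now=None):
        now = time.time() if now is None else now
        if self._value is None or now >= self._expires_at:
            self._value = None  # drop our reference to the stale cookie value
            raise PermissionError("session expired; the user must log in again")
        return [("Cookie", "%s=%s" % (self._name, self._value))]

    def send_headers(self, connection, headers):
        # xmlrpc.client calls this for every request; append the cookie header.
        super().send_headers(connection, list(headers) + self.auth_headers())

    def __repr__(self):
        # Keep the cookie value out of logs and tracebacks.
        return "<SessionCookieTransport %s=[redacted]>" % self._name


# Usage once the login step has filled `jar` (the URL is hypothetical):
#   transport = SessionCookieTransport.from_jar(jar)
#   proxy = xmlrpc.client.ServerProxy("https://trac.example.org/rpc",
#                                     transport=transport)
```

Because the transport raises `PermissionError` once the local cap passes, the application has to send the user through login again instead of falling back to a stored password.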

Thanks for a quick response. I checked the script and it is indeed quite hackish :) I could not make it work yet on my Python 2.7, which is also present on the tool's server, but I may be able to in the future.

If that could be made into an API, ideally if I could get a trac authentication cookie through Fedora API or something similarly straightforward, it would be just great.

In maybe a little less hackish way, pkgdb2.py implements login against openid: https://github.com/fedora-infra/packagedb-cli/blob/pkgdb2/pkgdb2.py

Now that Ipsilon has OpenID Connect and OAuth2 support we can add this pretty soon.

As soon as that is in production, I will look at this ticket again.

Closing ticket because we are not enhancing/working on Trac any more.
