pyramid_persona and unexpected logout behavior


Peter

May 14, 2013, 2:58:21 PM5/14/13
to pylons-...@googlegroups.com
I'm fairly new to pyramid and mozilla persona and I would greatly appreciate some assistance with a problem I'm having.  Following the pyramid_persona documentation, I did manage to get persona working (or so I thought).  I then tried customizing my login process as discussed on https://pyramid_persona.readthedocs.org/en/latest/customization.html.

In the customized login example given, the login function redirects to '/' if the verified email is not on the whitelist.  I'm redirecting to a loggedout view that calls navigator.id.logout() inside $(document).ready.  According to https://developer.mozilla.org/en-US/docs/Mozilla/Persona/The_implementor_s_guide/Call_logout%28%29_after_a_failed_login?redirectlocale=en-US&redirectslug=Persona%2FThe_implementor_s_guide%2FCall_logout%28%29_after_a_failed_login, you must call navigator.id.logout() on a failed login to avoid an endless loop of failed login attempts.

The documentation on https://developer.mozilla.org/en-US/docs/DOM/navigator.id.logout further states: "This function does not make the browser clear the user's certificate and signing key. So after calling logout(), a new login attempt may or may not ask the user for a new password, depending on the freshness of the certificate their identity provider gave them. However, it will certainly prompt the user to select an email address and confirm that they want to sign in."  I'm not seeing the behavior where the user is prompted to select an email address and confirm they want to sign in.

After logging out via the pyramid_persona logout button or as a result of using an email address not on my whitelist (both paths do call navigator.id.logout), if I attempt to go to one of the application's urls which require permissions, I'm redirected to the forbidden view (with the mozilla persona login button).  This redirection is expected behavior, but it then immediately executes the login sequence without hitting the mozilla persona login button.  To prevent the auto-relogin behavior, I also have to go to https://login.persona.org and click the "Sign Out" button after logging out of the application.  I get this auto-relogin behavior whether I use my customized login view or the one provided by pyramid_persona.

I'm sure I'm doing something wrong and I would appreciate some pointers on how to correct this issue.  I just found these, so maybe it's not me?

https://github.com/mozilla/browserid/issues/3386
https://github.com/mozilla/browserid/pull/3398

Thank you in advance for your assistance,

Peter

Georges Dubus

May 15, 2013, 5:35:48 AM5/15/13
to pylons-...@googlegroups.com
Hello

Thanks for reporting the problem.

I believe this is the same bug as https://github.com/madjar/pyramid_persona/issues/12 . At some point, I forgot that navigator.id.logout() should be called in case of failed login and removed it.

I'll solve the problem as soon as possible, and I'll re-read the implementor's guide while I'm at it, to make sure I missed nothing else.

Georges

Georges Dubus

May 23, 2013, 10:41:38 AM5/23/13
to pylons-...@googlegroups.com
Hello

I just uploaded a new version that should solve your problem. It changes the way to redefine the login view, so please update yours according to https://pyramid_persona.readthedocs.org/en/latest/customization.html#do-extra-work-or-verification-at-login .

Can you tell me if it solved your problem?


Georges


Peter Santoro

May 29, 2013, 3:06:06 PM5/29/13
to pylons-...@googlegroups.com
Georges,

Thank you for the new version, but I believe the issue that I encountered is different.  I believe the customized login view sample code is incomplete (at least for persona novices).  Isn't the user already logged in via persona by the time the login function determines that the email is not in the whitelist?  If so, shouldn't the client be redirected to a url that will automatically call navigator.id.logout?  Perhaps a comment similar to the following will suffice:

from pyramid_persona.views import verify_login

whitelist = {'alice@example.com'}  # placeholder; the real list comes from your settings

def login(request):
    email = verify_login(request)  # verifies the assertion and returns the email
    if email not in whitelist:
        request.session.flash('Sorry, you are not on the list')
        return {'redirect': '/'}  # note: redirected url must call navigator.id.logout

Here's another change that you may want to make to __init__.py:

Instead of:
authn_policy = AuthTktAuthenticationPolicy(secret, hashalg='sha512')

Allow users to set a groupfinder callback:
groupfinder = settings.get('persona.groupfinder', None)
authn_policy = AuthTktAuthenticationPolicy(secret, hashalg='sha512', callback=groupfinder)

Thank you again for your work on the pyramid_persona library. It is much appreciated.

Peter

Jonathan Vanasco

May 29, 2013, 4:39:21 PM5/29/13
to pylons-...@googlegroups.com
i'm not sure if this applies or not, but Safari doesn't accept cookies on a redirect.  Most (possibly all) of the other browsers do.  So if you're setting a cookie and then redirecting, Safari ignores it.

Georges Dubus

May 30, 2013, 6:54:03 AM5/30/13
to pylons-...@googlegroups.com
Jonathan: I got rid of the redirect in the last update, so that should not be the problem. Isn't setting a cookie and redirecting advised in the pyramid documentation, by the way (in here, for example: http://pyramid.readthedocs.org/en/latest/tutorials/wiki2/authorization.html#add-login-and-logout-views)?

Peter: I was working with the idea that if the user is not in the white-list, he is logged-in anyway but denied access to everything. That may not be a good way to do it, and it sure isn't intuitive. I'll check if there is a recommendation from the persona team about that.

If I switch to the "don't log if not on the list" approach, I'll make it so that login() returns something like {'redirect': '/', 'success': True}. The javascript callback then calls navigator.id.logout() based on the 'success' value.

For the callback, I believe it's simpler to tell the user to override the authentication policy. I'll add it in the docs.


--
Georges
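The client half of the "success flag" protocol described in the message above, as an added JavaScript example (not code from pyramid_persona's own persona.js or from anyone in the thread). It assumes the login view answers the assertion POST with JSON such as {"redirect": "/", "success": false}, and uses a hypothetical postAssertion helper plus injected navigator.id and location objects so the logic runs outside a browser.

```javascript
// Added example, not pyramid_persona's own persona.js: the browser half of the
// "success flag" protocol. Assumes the login view answers the assertion POST
// with JSON such as {"redirect": "/", "success": false}. navigatorId and
// location are injected so the logic runs (and is testable) outside a browser.

function handleLoginResponse(response, navigatorId, location) {
  if (!response.success) {
    // The app refused the login (e.g. e-mail not on the whitelist) but
    // Persona still considers the user signed in. Without logout() the two
    // states diverge and watch() fires onlogin again on the next page load,
    // producing the automatic re-login loop described in the thread.
    navigatorId.logout();
    return { action: 'logout', redirect: response.redirect };
  }
  location.assign(response.redirect);
  return { action: 'redirect', redirect: response.redirect };
}

// postAssertion(assertion) is an assumed helper that POSTs the assertion
// (plus the CSRF token) to the login view and resolves with the parsed JSON.
function setupPersona(navigatorId, location, postAssertion, loggedInUser) {
  var options = {
    // Must mirror the app's own session: null when the app has no session,
    // otherwise the e-mail of the logged-in user. Persona compares it with
    // its own state to decide whether to fire onlogin or onlogout.
    loggedInUser: loggedInUser,
    onlogin: function (assertion) {
      return postAssertion(assertion).then(function (resp) {
        return handleLoginResponse(resp, navigatorId, location);
      });
    },
    onlogout: function () {
      location.assign('/logout'); // let the server drop its session too
    }
  };
  navigatorId.watch(options);
  return options; // returned so the wiring can be inspected in tests
}

// Constructed stand-ins for navigator.id and window.location (demo only).
var demoId = { logout: function () { console.log('navigator.id.logout()'); },
               watch: function () {} };
var demoLocation = { assign: function (url) { console.log('go to ' + url); } };
handleLoginResponse({ redirect: '/', success: false }, demoId, demoLocation);
```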

Chris McDonough

May 30, 2013, 7:07:31 AM5/30/13
to pylons-...@googlegroups.com
On Thu, 2013-05-30 at 12:54 +0200, Georges Dubus wrote:
> Jonathan: I got rid of the redirect in last update, so that should not
> be the problem. Isn't setting a cookie and redirecting advised in the
> pyramid documentation by the way (in here fore example :
> http://pyramid.readthedocs.org/en/latest/tutorials/wiki2/authorization.html#add-login-and-logout-views) ?
>
FTR, I think not setting a cookie on a 302 redirect was present in
Safari circa 2009-2011, but recent versions set it fine, at least
according to Google.

- C

Peter Santoro

May 30, 2013, 8:15:19 AM5/30/13
to pylons-...@googlegroups.com
Georges,

I like the approach of returning a success flag from the login view.  Since the client posts to the login view via an XMLHttpRequest in pyramid_persona, this is a better solution.  I should have thought of that.  The first item in the Mozilla Persona implementer's guide discusses the issue of calling navigator.id.logout after a failed login:

https://developer.mozilla.org/en-US/docs/Mozilla/Persona/The_implementor_s_guide?redirectlocale=en-US&redirectslug=Persona%2FThe_implementor_s_guide

Peter

Georges Dubus

May 30, 2013, 8:22:18 AM5/30/13
to pylons-...@googlegroups.com
Then let's do that. It's simpler if the logging state of the application matches the logging state of persona. I'll make this modification as soon as I can.

--
Georges

Georges Dubus

May 30, 2013, 10:02:28 AM5/30/13
to pylons-...@googlegroups.com
I just pushed the modification[1]. Peter, can you take a look, try the last git version, and tell me if this works for you?

[1] https://github.com/madjar/pyramid_persona/commit/5aae867d696c75d05aaa69ea979f2baaec463f1f

--
Georges

Jonathan Vanasco

May 30, 2013, 10:50:45 AM5/30/13
to pylons-...@googlegroups.com
On Thursday, May 30, 2013 6:54:03 AM UTC-4, Georges Dubus wrote:
Jonathan: I got rid of the redirect in the last update, so that should not be the problem. Isn't setting a cookie and redirecting advised in the pyramid documentation, by the way (in here, for example: http://pyramid.readthedocs.org/en/latest/tutorials/wiki2/authorization.html#add-login-and-logout-views)?

It's pretty much the gold standard of web development to handle form submissions (including login/logout) with a redirect on "success". This keeps people from hitting reload and re-submitting the form.

A 2005 bug in WebKit, left unfixed, made its way into Apple's Safari.  I don't know if the newest version of Safari is affected, but Safari on 10.4-10.7 is.

Peter Santoro

May 30, 2013, 12:08:21 PM5/30/13
to pylons-...@googlegroups.com
Georges,

I tested your changes and they look good.  I'll try to email you an image of the firebug trace for the case where the new success flag was set to false by my customized login view.

Thank you,

Peter