[Django] #25029: When external authentication via REMOTE_USER is only configured on /admin/login/, the authentication does not persist
Django
/admin/login/, the authentication does not persist
-------------------------------+--------------------
Reporter: adelton | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
The ticket #17869 made sure that if the REMOTE_USER header is not present,
user is logged out in Django as well. Ticket #23066 moved the logic to
different method but the semantic stayed the same.
However, for certain external authentication mechanisms, it makes sense
that the frontend server (Apache) is configured to only authenticate
single URL, like /admin/login/. For example with Kerberos, we do not want
the negotiate to happen upon every request -- we want Django to accept the
external authentication, create the session, and then use that session
until the user explicitly log out.
I assume changing the current behaviour of RemoteUserMiddleware is not
acceptable so I'm proposing new middleware, OptionalRemoteUserMiddleware,
to allow the REMOTE_USER to be only present once.
--
Ticket URL: <https://code.djangoproject.com/ticket/25029>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
/admin/login/, the authentication does not persist
Reporter: adelton | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by adelton):
* cc: adelton (added)
* needs_docs: => 0
* has_patch: 0 => 1
* needs_tests: => 0
* needs_better_patch: => 0
Comment:
Proposed patch https://github.com/django/django/pull/4924.
--
Ticket URL: <https://code.djangoproject.com/ticket/25029#comment:1>
Django
/admin/login/, the authentication does not persist
Reporter: adelton | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by carljm):
Is there any compelling benefit to having this in core Django rather than
an external library?
I'm not convinced the need is frequent enough to have it in core Django.
(Even `RemoteUserMiddleware` itself is on the edge, IMO).
--
Ticket URL: <https://code.djangoproject.com/ticket/25029#comment:2>
Django
/admin/login/, the authentication does not persist
Reporter: adelton | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by adelton):
Replying to [comment:2 carljm]:
> Is there any compelling benefit to having this in core Django rather
than an external library?
The benefit is increased number of deployments of **existing**
applications that can be done by changing one line in MIDDLEWARE_CLASSES
in settings.py. In many cases the person deploying that application which
needs to consume external authentication is not a programmer and dealing
with extra code is a blocker. Having the option come directly with Django
seems more straightforward. From maintenance point of view, the class
touches some internals of Django that it seems best to have it with the
rest of the `RemoteUserMiddleware` code so that should the internals
change, people are not faced with the task of getting correct version of
the external library.
Normally I'd say that `RemoteUserMiddleware` should not even insist on
seeing the REMOTE_USER filled upon every request but I guess changing the
current behaviour might be disruptive, that's why I'm proposing a way for
admin to be explicit with their choice of behaviour.
The traditional model of REMOTE_USER being produced primarily by setups
with HTTP Basic Auth which keeps sending the credentials with every
request and thus the username available with every request is no longer
there as virtually noone uses Basic Authentication, while external
authentication in frontend HTTP server can bring benefits especially in
large organizations when the Apache modules are used for cross-realm
authentication or identity federation. The typical use-case is then to
override or extend one (logon) URL. We have a writeup about the approach
at http://www.freeipa.org/page/Web_App_Authentication.
Another benefit for Django as a project is that it would make it much
easier to use Django in demos of external authentications, be it Kerberos,
SAML, or other.
> I'm not convinced the need is frequent enough to have it in core Django.
(Even `RemoteUserMiddleware` itself is on the edge, IMO).
It's not in core Django, it's in `django/contrib/auth`. I thought the
contrib in the name makes it a good place to live, especially for
"integration" code like this.
You might not see many `RemoteUserMiddleware` deployments exactly for the
reason that with other authentication mechanisms than Basic Auth, it's
currently not particularly useful.
--
Ticket URL: <https://code.djangoproject.com/ticket/25029#comment:3>
Django
/admin/login/, the authentication does not persist
Reporter: adelton | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by carljm):
Ok, I'm convinced that this new variant is at least as useful as
`RemoteUserMiddleware` itself. I won't stand in the way. Thanks for the
expanded rationale.
--
Ticket URL: <https://code.djangoproject.com/ticket/25029#comment:4>
Django
/admin/login/, the authentication does not persist
Reporter: adelton | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by aaugustin):
See #17869 for the opposite request.
--
Ticket URL: <https://code.djangoproject.com/ticket/25029#comment:5>
Django
/admin/login/, the authentication does not persist
Reporter: adelton | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.auth | Version: master
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by adelton):
I've updated the pull request to use the class name
`PersistentRemoteUserMiddleware` as proposed during the review.
--
Ticket URL: <https://code.djangoproject.com/ticket/25029#comment:6>
Django
/admin/login/, the authentication does not persist
Reporter: adelton | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by claudep):
* needs_docs: 0 => 1
* type: Uncategorized => New feature
* needs_tests: 0 => 1
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/25029#comment:7>
Django
/admin/login/, the authentication does not persist
Reporter: adelton | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Easy pickings: 0 | UI/UX: 0
Comment (by adelton):
I've now added commits with basic test and amended remote user
authentication document to the pull request.
--
Ticket URL: <https://code.djangoproject.com/ticket/25029#comment:8>
Django
/admin/login/, the authentication does not persist
Reporter: adelton | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Easy pickings: 0 | UI/UX: 0
Changes (by adelton):
* needs_docs: 1 => 0
* needs_tests: 1 => 0
Comment:
New squashed and rebased commit 83de95a1b777890e710dc2fa867dc8a36eb34c71
has tests and documentation fixes.
--
Ticket URL: <https://code.djangoproject.com/ticket/25029#comment:9>
Django
/admin/login/, the authentication does not persist
Reporter: adelton | Owner: nobody
Type: New feature | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham <timograham@…>):
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"a570701e02e0bc09d977c8ae0b6ee987a1190039" a570701]:
{{{
#!CommitTicketReference repository=""
revision="a570701e02e0bc09d977c8ae0b6ee987a1190039"
Fixed #25029 -- Added PersistentRemoteUserMiddleware for login-page-only
external authentication.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/25029#comment:10>