Ticket #153 (closed task: wontfix)

Opened 6 years ago

Last modified 5 years ago

Add a single sign on feature for TN.org

Reported by: ed
Owned by: jim
Priority: major
Milestone: Phase 4
Component: Drupal modules & settings
Keywords:
Cc:
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 3.5

Description

we need a single sign on (/ multi-site API) feature for TN.org for phase 3:

  1. coherent links with the workspaces on workspaces.tn.org
  2. coherent links with other Transition sites - e.g. the incoming Transition drupal, other national hubs and possibly others
  3. some form of API sharing with things like facebook (not sure if this is the same thing but trying to capture some needs here)

things looked at or recommended:
Openauth: http://oauth.net/
CAS: http://drupal.org/project/cas
SSO: http://drupal.org/project/sso

Change History

comment:1 Changed 6 years ago by ed

  • Milestone set to Phase 3

further to meet Jim/Ed, oAuth looked at and requested (also as standard for other sites).

comment:2 Changed 6 years ago by ed

  • Priority changed from major to critical

comment:3 Changed 6 years ago by jim

  • Add Hours to Ticket changed from 0.0 to 0.2
  • Total Hours changed from 0.0 to 0.2

Hmmm....

Hitch 1
We must
EITHER: use an obsolete Drupal module version of oAuth (oAuth Common, no longer being worked on since oAuth 3 does its job) and existing good services (v2.4)
OR: we use an experimental version of Services (3.x alpha1) and have a future-proof design. With bugs.

I reckon we have to go with the future proof version and help fix the bugs...

See http://drupal.org/project/oauth and http://drupal.org/project/services

comment:4 Changed 6 years ago by ed

Future proofing is the way forward naturally - the services node makes it explicit that it's only for those prepared to tinker.

  1. i can't see any reference to oAuth on services node (while regularly referred to in social networks etc.)
  2. anything wrong with oAuth3?

comment:5 Changed 6 years ago by jim

  • Add Hours to Ticket changed from 0.0 to 1.0
  • Total Hours changed from 0.2 to 1.2

BIG CAN OF WORMS... Still researching but from http://stackoverflow.com/questions/2033026/sso-with-cas-or-oauth:

So, OAuth is not about Single Sign-On (nor a substitute for the CAS protocol). It is not about you controlling what the user can access. It is about letting the user to control how their resources may be accessed by third-parties. Two very different use-cases.

In other words, no one-size fits all. Plus there are a bunch of oAuth-related modules and piss-poor documentation on Drupal.org.

Going to come back to this with a clear head...

comment:6 Changed 6 years ago by ed

suggest leaving oAuth and re-focusing on the first use case for this, which is to enable a single sign on that works between workspaces and the main site then. could file this under a classic case of user suggesting unsuitable answer to simple use case for now? workspaces and main site seamless login utterly vital...

comment:7 Changed 6 years ago by jim

  • Add Hours to Ticket changed from 0.0 to 2.0
  • Total Hours changed from 1.2 to 3.2

Went with CAS as per email...

It's kind of working on DEV - if you go to http://workspaces.dev.transitionnetwork.org.webarch.net/ and try to log in (notice the new block) then you're taken to the main dev site, then you log in, but then though you're logged in there's an access denied error... Logged in though. Hmm...

BUT importantly the SSO is working, even though it's not that user friendly with the access error.

Will continue to play/debug/cry...

SERVER note

Had to install Curl and phpCAS to get this working on DEV:

comment:8 Changed 6 years ago by jim

  • Status changed from new to accepted

Modules coming to LIVE tonight... will play in DEV further.

comment:9 Changed 6 years ago by ed

Working - a bit ugly - needs a few more hours on LIVE - and changing button text and re-directing users to the correct page.

comment:10 Changed 6 years ago by jim

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 3.2 to 3.35

CAS module updated on DEV, still getting this 'Access denied' BS...

See: http://drupal.org/node/420982 and http://drupal.org/project/issues/cas?text=access+denied&status=Open&priorities=All&categories=All&version=All&component=All

Will weigh in on CAS issues list.

comment:11 Changed 6 years ago by jim

  • Status changed from accepted to closed
  • Priority changed from critical to major
  • Total Hours changed from 3.35 to 3.5
  • Type changed from enhancement to task
  • Add Hours to Ticket changed from 0.0 to 0.15
  • Milestone changed from Phase 3 to Phase 4
  • Resolution set to fixed

As discussed with Ed: Ed will see what the deal is with users being kicked out...

Sit Rep: Same as above, module WORKS but redirects to an 'access denied' page, thus falling at the last hurdle. Logins work, everything is groovy, user experience BAD...

Will add my voice to the issues list at http://drupal.org/project/issues/cas

If time, will debug the module, but can't easily because of the need for SSL that's not present on my machine.

Pushing to Phase 4 - apols Ed if this isn't what you meant earlier...

comment:12 Changed 6 years ago by jim

  • Status changed from closed to reopened
  • Resolution fixed deleted

didn't mean to close.

comment:13 Changed 5 years ago by ed

is this going to be related in some way to #262?

comment:14 Changed 5 years ago by jim

#263 (updates) and #224 (varnish) will remove Secure Pages and might make this work better... Will revisit at the end.

Might well be handy for TUS stuff.

comment:15 Changed 5 years ago by ed

  • Status changed from reopened to closed
  • Resolution set to wontfix

closing for now as likelihood will be to use third party authentication service from FB, Google to get PSE off the ground...
