Connect Tryton to Gluu using oxd-server

I want to connect Tryton with Gluu using oxd-server, so that Tryton login authentication can be done by Gluu.

Note - I am working on version 5.0

Can anyone help me with how Tryton will communicate with oxd-server?

If I'm not mistaken, oxd-server is https://gluu.org/docs/oxd/

So I assume you want to develop a Tryton module to add an authentication method that uses oxd-server.

You could take a look at other modules providing alternate authentication:

So you want to implement OpenID or OAuth with Tryton?
The way OpenID is designed will require customization on the client side because the client needs to contact the identity provider for an identity token. It is probably doable by customizing the Login class of both clients.
But before starting, I think it is good to think about whether it is really useful. OpenID/OAuth are designed to delegate authentication to a third party, but is it really wanted for a business application where users are well known and must be given specific access/roles?

In the past I have played with python-saml2 but didn't go any further because of time. The idea was to have SSO with Tryton. This was done with a webapp.
With SAML the user was able to log in without providing any information. First the webapp sends some background information (which your browser sends) to the (internal) Identity Provider. This checks the authenticity and age of the information. If everything is correct, the IDP sends back a go. Otherwise the system gets a no-go and the user should log in.
You can also think of a more simple system like Kerberos.

In the end, it would be nice to be able to use those kinds of mechanisms as they are more and more used in business applications.

The third party can be yourself. You can set up your own IDP. Take for example a look at FreeIPA; they use Kerberos for their SSO service.

For me, it is doable as client plugins as-is. But if someone starts to work on such a plugin, we could improve the Login mechanism if he finds some needs.

Then you lose the main interest of those systems, which is to not manage the authentication.

For OpenID or OAuth you are right, but there are (the bigger) companies and organizations who want to have one username and password for all their applications. Generally speaking, one place where the usernames and passwords live. OpenID or OAuth are the other way around: multiple places where the usernames and passwords live.
I think Tryton can support both. We are using the authentication_ldap module to have the username and password exactly the same as the login for Windows, email etc. It would be nice to have something where the user just presses <enter> without entering a password and is still able to log in because of a Kerberos ticket.

Yes, I want to develop a Tryton module to add an authentication method that uses oxd-server for the client side.

This is such a great conversation.

Actually, in my organisation users will use many different applications, so I need to centralize the authentication process.
I will set up Gluu on a server and Tryton will be set up on a different server.

So what customization needs to be done for establishing the connection between Tryton and Gluu using oxd-server on the client side?

Why not use LDAP for that? Tryton already has a module that does authentication through LDAP.

As far as I know, via LDAP I can't implement SSO.
And I want to implement SSO as well; that's why I am trying to set up oxd-server.

The current Tryton LDAP module is able to log you in with the same username and password as you logged into your system with, for example. It can be a start but is indeed not SSO.
If you want to implement SSO just within your organization and you have a Linux server backend, I recommend using Kerberos. Eventually you can use LDAP as your username / password storage.

So the first thing I would do is to set up a working test system with Kerberos, eventually using FreeIPA, which does a LOT for you.
Then the next thing is to look if it is possible to log into Tryton with the Kerberos ticket. You can read a bit more about Python and Kerberos at Using the Python Kerberos Module — Nick Coghlan's Python Notes 1.0 documentation.

Here is a proposal to support SAML: Issue 11582: Support authentication by SAML identity provider - Tryton issue tracker
SAML seems more appropriate for business usage than OpenID, but it should be possible to implement a similar module for OpenID.

Will this also make OAuth2 possible? And can we also look at Kerberos? It seems there should already be some code somewhere; Issue 4412: Allow login using Kerberos authentication - Tryton issue tracker has reviews, but I can't find anything. Personally I'm more interested in Kerberos because I'm using it myself :slight_smile:

OAuth2 is very similar to SAML so I think so.

I do not know if Kerberos authentication can be done through a URL. But as far as I can see it is using a specific protocol, so it will require custom code/library on the client side.

I've been running a small test with Flask and Kerberos, with GitHub - deshaw/flask-kerberos: Kerberos Authentication for Flask as the library. At the server side you have to export a keytab from the Kerberos server and insert that into the server.

At the client side, you must have logged in and have a valid Kerberos ticket. If so, you send that ticket to the server, which will check the ticket against the keytab. The complete flow is described here: Using the Python Kerberos Module — Nick Coghlan's Python Notes 1.0 documentation. So for the client itself, a Kerberos library is needed which can read the ticket. A web browser has everything already available.

So the client just sends a request, the server responds with a 401, the client then sends the ticket, and the server will respond to that.

Looking at the SAML thing, you basically do the same: check the identity and, if it fails, send a 401 or 404. Then the client knows that there is more to do. I think a separate module for Kerberos with the same behavior as SAML will work.

The big question is, however: can we fall back to password authentication, for example, or still have MFA available?
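The request / 401 challenge / ticket exchange described in the post above, written out as an added example that is not code from Tryton, flask-kerberos or any poster here. The GSSAPI ticket check is replaced by a constructed HMAC stand-in (`KEYTAB_SECRET`, `REALM`, `client_make_ticket`, `server_verify_ticket` are all assumptions) so the handshake runs offline; a real server would hand the token to the kerberos/gssapi library at that point. The challenge also lists `Basic` to show where the password fallback asked about fits.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the service keytab: a shared secret, not a real keytab.
KEYTAB_SECRET = b"constructed-service-key"
REALM = "EXAMPLE.ORG"  # assumed realm name


def client_make_ticket(principal: str) -> str:
    """Stand-in for the client library reading its cached ticket (assumption)."""
    mac = hmac.new(KEYTAB_SECRET, principal.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{principal}@{REALM}:{mac}".encode()).decode()


def server_verify_ticket(token: str):
    """Stand-in for checking the ticket against the keytab; returns the principal or None."""
    try:
        principal_realm, mac = base64.b64decode(token).decode().split(":", 1)
        principal, realm = principal_realm.rsplit("@", 1)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: treat as no ticket at all
    expected = hmac.new(KEYTAB_SECRET, principal.encode(), hashlib.sha256).hexdigest()
    if realm != REALM or not hmac.compare_digest(mac, expected):
        return None  # wrong realm or tampered/forged ticket
    return principal


def server_handle(request_headers: dict) -> tuple:
    """Server side: valid Negotiate token -> 200 + principal, otherwise 401 + challenge."""
    auth = request_headers.get("Authorization", "")
    if auth.startswith("Negotiate "):
        principal = server_verify_ticket(auth[len("Negotiate "):])
        if principal is not None:
            return 200, {}, principal
    # Offering Basic next to Negotiate is one way to keep a password fallback.
    return 401, {"WWW-Authenticate": 'Negotiate, Basic realm="tryton"'}, None


def client_login(principal=None) -> tuple:
    """Client side: first a plain request; if challenged and a ticket exists, resend with it."""
    status, headers, user = server_handle({})
    challenge = headers.get("WWW-Authenticate", "")
    if status == 401 and "Negotiate" in challenge and principal is not None:
        ticket = client_make_ticket(principal)
        status, headers, user = server_handle({"Authorization": "Negotiate " + ticket})
    return status, user
```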