I’m trying to get Kerberos authentication working with Tryton version 6.6. It’s mostly working and straightforward, but I ran into a problem when things are not right.
When a user is not authenticated, unauthorized, or there is an error, the web page shows the error, but there is nothing to get back to the client or to stop it. Killing the client is the only option, or waiting 5 minutes for a popup saying that a session could not be created, and then clicking ‘close’ to close the Tryton client completely. This prevents the user from using the default login method, such as password.
I would suggest showing a button on the page when authentication fails. The user can click it to return to the client and try the next authentication method. An extra ‘cancel’ button can also be useful to just stop and completely close the Tryton client. Also, the username is lost when the login attempt fails.
The user then has two options: try to get a new ticket and retry, or just close the page. When the page is closed, the URL is redirected to localhost with all the data None, so no login is created. The client pops up again with the error that no session was created.
I will do a lot of cleanup and hopefully it can be added as a standard module. At the moment it’s just over 200 lines, including blank lines and comments.
Just one question:
It seems that everything is working, but normally the header contains the WWW-Authenticate key with the Kerberos token. If I set this in the header, will it be added to the Tryton client headers?
Ok, so no need to send that one back. When the user has logged in with a valid ticket and got a session, that session will basically override the lifetime of the ticket, right? So when a user is working in Tryton and the ticket becomes invalid because the renewal went wrong, the user is still able to work in Tryton until that session has to be renewed and checked. Maybe I’m too concerned and this is a non-issue, but if it is possible to set the lifetime of the Tryton session to the same as the ticket (or a bit longer), that would be a nice thing to have.
As I am not a regular developer, before I upload the code: is it safe to duplicate the authentication_saml module and make my changes there, or is it better to create a new module from scratch? And if so, is the cookiecutter method still valid?
I created a small test of what is needed to get Kerberos working without a browser and made some small changes to the authentication_kerberos module and to the desktop client itself. In the file https://foss.heptapod.net/tryton/tryton/-/blob/branch/default/tryton/tryton/common/common.py I imported the requests and requests_kerberos packages:
```python
import requests
from requests_kerberos import HTTPKerberosAuth, DISABLED
```
And replaced https://foss.heptapod.net/tryton/tryton/-/blob/branch/default/tryton/tryton/common/common.py#L1033 with
```python
# Only attempt the direct (non-browser) login when a service URL is configured;
# the original post had "if not", which would skip the block exactly when a
# URL is present, so that test is inverted here.
if CONFIG['login.service']:
    url = CONFIG['login.service']
    # Mutual authentication disabled: the client does not verify the server's
    # SPNEGO reply, and the server's error body is passed through unsanitized.
    r = requests.get(
        url,
        auth=HTTPKerberosAuth(
            mutual_authentication=DISABLED,
            sanitize_mutual_error_response=False))
    if r.status_code == 200:
        res = r.json()
```
That’s enough to get Kerberos working, but it completely disables any other login services like SAML. The question is how to distinguish between Kerberos and the other services.
Looking into the code, you have to register the service so that when the client connects, the server sends those authentication services to the client. Currently the name and URL are registered, and I propose adding another variable, redirect, which tells the client to use the web browser for authentication. This variable defaults to True.
Maybe another way is to use a plugin, but I have no idea how that would fit in.
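A sketch of the dispatch the previous post proposes, written as an added example and not code from Tryton or from the poster: each service entry is assumed to carry the proposed `redirect` flag (an assumption, the field does not exist yet) next to `name` and `url`; services with `redirect=True` are handed to the browser flow, the others get a Kerberos-negotiated GET via requests_kerberos with mutual authentication disabled, as in the snippet above. The part the first post asks for is the failure path: a non-200 answer, a transport or negotiation error, or a body with `None` values (what the cancelled browser flow sends back today) returns `None` so the client can move on to the next method instead of hanging. The `fetch` and `browser_login` parameters, the `login_with_service`/`login` names and the constructed responses under `__main__` are all assumptions for this illustration.

```python
import json
import webbrowser
from typing import Callable, Dict, List, Optional, Tuple


def kerberos_fetch(url: str) -> Tuple[int, str]:
    """Default transport: GET with a SPNEGO/Kerberos Authorization header.
    Imported lazily so the dispatcher runs without requests_kerberos installed."""
    import requests
    from requests_kerberos import HTTPKerberosAuth, DISABLED
    r = requests.get(
        url,
        auth=HTTPKerberosAuth(mutual_authentication=DISABLED,
                              sanitize_mutual_error_response=False),
        timeout=10)
    return r.status_code, r.text


def login_with_service(
        service: Dict,
        fetch: Callable[[str], Tuple[int, str]] = kerberos_fetch,
        browser_login: Optional[Callable[[str], Optional[Dict]]] = None,
) -> Optional[Dict]:
    """Try one registered login service.

    Returns the session dict on success, or None so the caller can fall
    through to the next service (for example the password login).
    Assumed entry shape: {'name': ..., 'url': ..., 'redirect': bool}, where
    'redirect' is the proposed new field and defaults to True.
    """
    if service.get('redirect', True):
        # Browser-based flow (SAML etc.).  The client's redirect callback is
        # not reproduced here, so the caller supplies it; by default the URL
        # is only opened and no session is returned.
        if browser_login is None:
            webbrowser.open(service['url'])
            return None
        return browser_login(service['url'])

    # Direct flow: no browser, the ticket in the credential cache is used.
    try:
        status, body = fetch(service['url'])
    except Exception:          # no ticket, negotiation failure, network error
        return None
    if status != 200:          # 401/403: let the next method have a go
        return None
    try:
        res = json.loads(body)
    except ValueError:
        return None
    # Both fields must be present; None values mean "no session was created".
    if not isinstance(res, dict) or not res.get('session') or not res.get('login'):
        return None
    return res


def login(services: List[Dict], **kw) -> Optional[Dict]:
    """Walk the services in the order the server sent them; first session wins."""
    for service in services:
        session = login_with_service(service, **kw)
        if session:
            return session
    return None


if __name__ == '__main__':
    # Constructed responses standing in for the server.
    kerb = {'name': 'kerberos', 'url': 'https://erp.example/kerberos', 'redirect': False}
    saml = {'name': 'saml', 'url': 'https://erp.example/saml'}

    ok = lambda url: (200, '{"login": "alice", "session": "abc123"}')
    denied = lambda url: (401, 'Unauthorized')

    print(login([saml, kerb], fetch=ok, browser_login=lambda url: None))
    print(login([saml, kerb], fetch=denied, browser_login=lambda url: None))
```

With a real server the only change is to drop the `fetch`/`browser_login` arguments; the default then performs the same negotiated GET as the snippet earlier in the thread, and a failed negotiation still yields `None` rather than a stuck client.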