I’m trying to get Kerberos authentication working with Tryton version 6.6. It’s mostly working and straight forward, but I walked into a problem when things are not right.
When a user is not authenticated, unauthorized or there is an error, the webpage is showing the error, but there is nothing to get the client back or to stop it. Killing the client is the only thing to do or wait 5 minutes for a popup that is shown saying that a session could not be created. And then click on ‘close’ to completely close the Tryton client. This prevents the user to use the default login method like password.
I would suggest to show a button on the page when authentication failed. The user can click on it to return back to the client and try the next authentication method. An extra button with ‘cancel’ can also be useful to just stop and completely close the Tryton client. Also the username is lost when the login attempt failed.
No, I am developing such a module which can authenticate with a Kerberos ticket. This module checks the ticket against a keytab file. I’m using GitHub - deshaw/flask-kerberos: Kerberos Authentication for Flask as an example and got everything working. But I walked into the said problem.
Yes, but after starting a terminal, search the PID and then kill that PID. Not really user friendly.
That’s completely valid, but when I send a 401, 403 or 500 the error is displayed and the browser is not closed. So I send a response and the webbrowser displays it, but the bit to the Tryton client seems missing. For that it would be nice to display a small page like when the authentication flow is completed (https://foss.heptapod.net/tryton/tryton/-/blob/branch/default/tryton/tryton/common/common.py#L1058)
I will dig deeper and see if I can come up with something.
Server responds with a 401 and ‘WWW-Authenticate’ : ‘Negotiate’ in the header
Client takes the kerberos ticket and sends it to the server in the ‘Authorization’ header
Server checks the ticket and grant permission or not
This works all well until there is no kerberos ticket. The server responds, but the client doesn’t have a ticket. So the client doesn’t respond anymore.
The solution would indeed be to serve a small page with a button in a Response object. Will work on that to see if it will work.
The user has then two options. Try to get a new ticket and retry or just close the page. When the page is closed the url is redirected to the localhost with all the data None so no login is created. The client pops up again with the error that there is no session created.
I will do a lot of clean up and hopefully it can be added as a standard module. At the moment it’s just over 200 lines including blank lines and comments.
Just one question:
It seems that everything is working but normally in the header there is the WWW-Authenticate key with the Kerberos token. Setting this in the header, will it be added to the Tryton client headers?
Ok, so no need to send that one back. When the user has logged in with a valid ticket and got a session, that session will basically overrule the lifetime of the ticket right? So when a user is working in Tryton and the ticket got invalid because the renewal did go wrong, the user is still able to work in Tryton until that session should be renewed and checked. Maybe I’m to concerned and is this a non-issue, but if it is possible to set the lifetime of the Tryton session the same as the ticket (or a bit longer), that would be a nice thing to have.
As I am not a regular developer, before I upload the code is it safe to duplicate the authentication_saml module and make my changes. Or is it better to create a new module from scratch? And if so, is the coockiecutter method still valid?