Authentication to FAS

The Fedora Account System has a JSON interface that we make use of to authenticate users in our web apps. Currently, there are two modes of operation. Some web apps have single sign-on capability with Fedora Account System. These are the TurboGears applications that use the jsonfasprovider. Other apps do not have single sign-on but they do connect to Fedora Account System to verify the username and password so changing the password in Fedora Account System changes it everywhere.

TurboGears Identity Provider 2

An identity provider with CSRF protection.

This will install as a TurboGears identity plugin. To use it, set the following in your APPNAME/config/app.cfg file:

identity.provider='jsonfas2'
visit.manager='jsonfas2'

See also

CSRF Protection

Turbogears Identity Provider 1

These methods are deprecated because they do not provide the CSRF protection of TurboGears Identity Provider 2. Please use that identity provider instead.

Django Authentication Backend

• Fedora Django Authentication Backend
  • fedora.django.auth

Flask Auth Plugin

• FAS Flask Auth Plugin
  • Configuration
  • Sample Application

Flask FAS OpenId Auth Plugin

The flask_openid provider is an alternative to the flask_fas auth plugin. It leverages our FAS-OpenID server to do authn and authz (group memberships). Note that not every feature is available with a generic OpenID provider – the plugin depends on the OpenID provider having certain extensions in order to provide more than basic OpenID auth.

• Any compliant OpenID server should allow you to use the basic authn features of OpenID OpenID authentication core: http://openid.net/specs/openid-authentication-2_0.html
• Retrieving simple information about the user such as username, human name, email is done with sreg: http://openid.net/specs/openid-simple-registration-extension-1_0.html which is an extension supported by many providers.
• Advanced security features such as requiring a user to re-login to the OpenID provider or specifying that the user login with a hardware token requires the PAPE extension: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html
• To get groups information, the provider must implement the https://dev.launchpad.net/OpenIDTeams extension.
  • We have extended the teams extension so you can request a team name of _FAS_ALL_GROUPS_ to retrieve all the groups that a user belongs to. Without this addition to the teams extension you will need to manually configure which groups you are interested in knowing about. See the documentation for how to do so.
• Retrieving information about whether a user has signed a CLA (For Fedora, this is the Fedora Project Contributor Agreement). http://fedoraproject.org/specs/open_id/cla

If the provider you use does not support one of these extensions, the plugin should still work but naturally, it will return empty values for the information that the extension would have provided.

• FAS Flask OpenID Auth Plugin
  • Configuration
  • Sample Application

FAS Who Plugin for TurboGears2

• FASWho Plugin
  • Authenticating against FAS with TurboGears2
  • Using CSRF middleware with other Auth Methods
  • Templates