===================== Authentication to FAS ===================== The :ref:`Fedora-Account-System` has a :term:`JSON` interface that we make use of to authenticate users in our web apps. Currently, there are two modes of operation. Some web apps have :term:`single sign-on` capability with :ref:`FAS`. These are the :term:`TurboGears` applications that use the :mod:`~fedora.tg.identity.jsonfasprovider`. Other apps do not have :term:`single sign-on` but they do connect to :ref:`FAS` to verify the username and password so changing the password in :ref:`FAS` changes it everywhere. .. _jsonfas2: TurboGears Identity Provider 2 ============================== An identity provider with :term:`CSRF` protection. This will install as a TurboGears identity plugin. To use it, set the following in your :file:`APPNAME/config/app.cfg` file:: identity.provider='jsonfas2' visit.manager='jsonfas2' .. seealso:: :ref:`CSRF-Protection` .. automodule:: fedora.tg.identity.jsonfasprovider2 :members: JsonFasIdentity, JsonFasIdentityProvider :undoc-members: .. automodule:: fedora.tg.visit.jsonfasvisit2 :members: JsonFasVisitManager :undoc-members: .. _jsonfas1: Turbogears Identity Provider 1 ============================== These methods are **deprecated** because they do not provide the :term:`CSRF` protection of :ref:`jsonfas2`. Please use that identity provider instead. .. automodule:: fedora.tg.identity.jsonfasprovider1 :members: JsonFasIdentity, JsonFasIdentityProvider :undoc-members: :deprecated: .. automodule:: fedora.tg.visit.jsonfasvisit1 :members: JsonFasVisitManager :undoc-members: :deprecated: .. _djangoauth: Django Authentication Backend ============================= .. toctree:: :maxdepth: 2 django .. _flask_fas: Flask Auth Plugin ================= .. toctree:: :maxdepth: 2 flask_fas .. _flaskopenid: Flask FAS OpenId Auth Plugin ============================ The flask_openid provider is an alternative to the flask_fas auth plugin. It leverages our FAS-OpenID server to do authn and authz (group memberships). Note that not every feature is available with a generic OpenID provider -- the plugin depends on the OpenID provider having certain extensions in order to provide more than basic OpenID auth. * Any compliant OpenID server should allow you to use the basic authn features of OpenID OpenID authentication core: http://openid.net/specs/openid-authentication-2_0.html * Retrieving simple information about the user such as username, human name, email is done with sreg: http://openid.net/specs/openid-simple-registration-extension-1_0.html which is an extension supported by many providers. * Advanced security features such as requiring a user to re-login to the OpenID provider or specifying that the user login with a hardware token requires the PAPE extension: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html * To get groups information, the provider must implement the https://dev.launchpad.net/OpenIDTeams extension. * We have extended the teams extension so you can request a team name of ``_FAS_ALL_GROUPS_`` to retrieve all the groups that a user belongs to. Without this addition to the teams extension you will need to manually configure which groups you are interested in knowing about. See the documentation for how to do so. * Retrieving information about whether a user has signed a CLA (For Fedora, this is the Fedora Project Contributor Agreement). http://fedoraproject.org/specs/open_id/cla If the provider you use does not support one of these extensions, the plugin should still work but naturally, it will return empty values for the information that the extension would have provided. .. toctree:: :maxdepth: 2 flask_fas_openid .. _faswho: FAS Who Plugin for TurboGears2 ============================== .. toctree:: :maxdepth: 2 faswho