polytechnique-org / xorgauth
Polytechnique.org Authentication / Authorization provider
License: GNU Affero General Public License v3.0
What happens to the accounts of dead users? Right now, in the model there are both a field for active/disabled accounts and one for alive/dead users. This allows keeping active the accounts of dead users and disabling the accounts of alive users (without removing any data).
I suggest:
What do you think of this suggestion?
By the way, the death dates still need to be propagated back to the main DB in a way, in order to disable the subscription to the newsletter we send...
When a new user comes to auth.polytechnique.org, she needs to create an account first. This currently takes place on www.polytechnique.org/register , and there is a slight delay between the registration and the activation on auth.polytechnique.org. Write this down on the website so that users do not need to ask to know this.
Many people are writing to the support because they fail to log in with "firstname.lastname.65", because their study year is 1965. Of course "firstname.lastname.1965" works, but they seem to like "firstname.lastname.65". We should support the 2-digit study year at least for the 19XX years.
Currently the system supports "external accounts" (users who never studied at the Ecole polytechnique), in order to be compatible with polytechnique.net. These users can currently use the authentication system in order to log in on relying parties' websites. There may be a need to restrict such an access by default, and enable it for specific relying parties. How do we do this?
Some people may want to use uppercase in their usernames/emails. In order for this to work transparently, the comparison in the database needs to be case-insensitive, when looking for a user. This can be easily implemented thanks to Django's __iexact query modifier (https://docs.djangoproject.com/en/dev/ref/models/querysets/#iexact).
What do you think? Should I submit a PR implementing this?
The new identity provider needs to support the current clients, which use a different protocol than OIDC.
There are three ways the authentication process may work:
I do not know whether Django sessions time out, and it may be a good idea to implement it if there is a config option for this (this makes forgetting to log out on a shared computer less harmful).
A checkbox which selects between options 2 and 3 when logging in for OIDC would be a good idea to implement. Is it technically possible?
Currently, the authentication only allows full human-readable ID ("prenom.nom.promo") or full email address. When there is no homonym, "prenom.nom" could also be used.
A way to perform this would be to detect when "prenom.nom" has been given, query the account database for "prenom.nom.%" wildcards and use the result if it is unique.
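An added illustration, not code from the xorgauth project, of how the identifier resolution proposed in the 2-digit study year, case-insensitive lookup and "prenom.nom" shortcut issues above could behave together, with the homonym case failing closed. The account records are constructed, HRIDs are assumed to be lower-case ASCII, and the plain-Python matching stands in for the __iexact and wildcard ORM lookups:

```python
import re

# Constructed sample accounts standing in for rows of the User model
# (not data from the xorgauth project). HRIDs are assumed to be
# lower-case ASCII "firstname.lastname.year".
ACCOUNTS = [
    {"hrid": "jean.dupont.1965", "email": "jean.dupont@polytechnique.org"},
    {"hrid": "marie.curie.2010", "email": "marie.curie@polytechnique.org"},
    {"hrid": "marie.curie.2042", "email": "marie.curie.2042@polytechnique.org"},
]

# Only letters, hyphens and dots reach the lookup, so SQL LIKE metacharacters
# ("%", "_") typed by the user can never become part of the wildcard pattern.
HRID_RE = re.compile(r"^([a-z][a-z-]*)\.([a-z][a-z-]*)(?:\.(\d{2}|\d{4}))?$")


def normalize_year(year):
    """Expand a 2-digit study year to a 19XX year, as the issue proposes.

    Returns None for a bare "firstname.lastname" and the year unchanged when
    it already has four digits; 20XX promotions must use the 4-digit form.
    """
    if year is None or len(year) == 4:
        return year
    return "19" + year


def resolve_login(identifier, accounts=ACCOUNTS):
    """Return the single account matching a login identifier, else None.

    Comparison is case-insensitive, which is what an __iexact lookup gives.
    A bare "firstname.lastname" resolves only when exactly one account has
    that prefix, so homonyms fail closed rather than picking an arbitrary row.
    """
    ident = identifier.strip().lower()
    if "@" in ident:
        matches = [a for a in accounts if a["email"].lower() == ident]
    else:
        m = HRID_RE.match(ident)
        if m is None:
            return None
        first, last, year = m.groups()
        year = normalize_year(year)
        if year is not None:
            wanted = "%s.%s.%s" % (first, last, year)
            matches = [a for a in accounts if a["hrid"].lower() == wanted]
        else:
            prefix = "%s.%s." % (first, last)
            matches = [a for a in accounts if a["hrid"].lower().startswith(prefix)]
    return matches[0] if len(matches) == 1 else None
```

A case-insensitive lookup only stays unambiguous if uniqueness is also enforced case-insensitively at registration time; otherwise two accounts differing only in letter case would both match and the login would be refused.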
The previous site had a warning:
Checking this box lets you be automatically recognized at your next login from this computer.
It is not advisable to check the box if this machine is not strictly personal.
Re-add this text (with proper translation) as a message (formatted as a bootstrap warning for example) that is hidden unless the user checks the "never" expiry option at login.
Support the Discourse authentication protocol for the forums.
In the README notes, there is:
Use https://testpypi.python.org/pypi/django-zxcvbn-password/2.0.0 for password entry
It seems a good idea to implement it.
Users may want to change their password. Craft a page which allows this operation.
When using UnboundedCharField(unique=True) with a MySQL database, the MySQL server raises an error, which breaks manage.py migrate:
python manage.py migrate
Operations to perform:
Apply all migrations: accounts, admin, auth, authgroupex, contenttypes, oidc_provider, sessions
Running migrations:
Applying accounts.0001_initial...Traceback (most recent call last):
File "manage.py", line 22, in <module>
execute_from_command_line(sys.argv)
[...]
File "/usr/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 174, in execute
self.errorhandler(self, exc, value)
File "/usr/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
raise errorclass, errorvalue
django.db.utils.OperationalError: (1170, "BLOB/TEXT column 'display' used in key specification without a key length")
This happens with Role.display, User.schoolid and AuthGroupeXClient.name. We should either drop the unique property from these fields or make them use a bounded varchar field.
When a user changes her password, the zxcvbn feedback is kept in English even though the website is in French. This is because django-zxcvbn-password does not internationalize zxcvbn.js in https://github.com/Pawamoy/django-zxcvbn-password/tree/v2.0.1/src/zxcvbn_password/static/zxcvbn_password/js
A similar project, django_password_strength, seems to internationalize the feedback in https://github.com/aj-may/django-password-strength/blob/1.2.1/django_password_strength/static/django_password_strength/js/password_strength.js but the project has not had any release since 2015.
As zxcvbn.js itself comes from the CoffeeScript project https://github.com/dropbox/zxcvbn, this file cannot be easily modified (internationalized) without some hacky tricks. I see 3 options to get French zxcvbn feedback messages:
1. django_password_strength if it works with recent Django releases (or make it work if not);
2. django_password_strength indirection code in s/password_strength.js and add it to the static files so that it overwrites the file provided by django-zxcvbn-password;
3. zxcvbn.js by hand and provide it in a localized directory loaded through some Django-urls magic related to internationalization.
Choosing which option to take requires some work.
The password for the SMTPS/IMAPS/... services provided by Polytechnique.org has not been migrated and its configuration is in https://www.polytechnique.org/password/smtp . There should be a link on the profile page of auth.polytechnique.org, and a message on the password change page in order to warn users that the IMAP password is different from their Polytechnique.org password (some users are confused).
The website supports English and French. A user should be able to choose the language which is used.
Add a test which runs the commands in the README to make sure they work:
make update
make createdb
python manage.py importaccounts scripts/dev_data.json
In order to debug connection issues with users, and to record authentications, it would be useful to log successful connections and use of the authentication services (OIDC and authgroupex). A "standard" Django module might exist which performs this?
In the future, when there will be several OIDC clients, it will be useful to know when one has last been used, in order to know whether a key is still used for example. Currently django-oidc-provider records the creation date of a client, but not its date of last use (and the authgroupex endpoint records the date of last use).
This might require some change in the django-oidc-provider library.
On an iPhone screen, the language selection buttons overlap with the login form, and the navigation bar takes three big rows! The look can surely be improved.
Some authgroupex clients use the group membership information in order to give admin rights on their websites. Right now the database can be synced with Polytechnique.org but this would erase passwords. The export script and the import commands need to be revisited in order to establish a working synchronization.
There are email aliases defined for each user. Allow using them when logging in.
cf. #1 (comment)
By default the Django session cookie does not have the secure attribute (to only send it over HTTPS). We should enable it in production mode (SESSION_COOKIE_SECURE setting).
The same issue exists for CSRF_COOKIE_SECURE, and while at it we can enable SECURE_SSL_REDIRECT even though the web server config already upgrades HTTP requests to HTTPS.
Doc: https://docs.djangoproject.com/en/2.0/ref/settings/#session-cookie-secure
The first public page (the root one) is currently missing. It would usually never be used in an authentication flow (when a relying party wants to authenticate a user) but users may want to check whether they are still connected and which clients they consented to use, and they may want to change their password.
In this context, I believe the front page should be a login form to the "profile" page, which should include links to the available actions (PR #13 creates such a page).
A user using Dashlane to store his credentials reported that Dashlane filled the "login or email" field with "Firstname Lastname" instead of the username (or an address), on the login page. The field seems to be mis-identified, and this may be caused by something in the HTML code.
Is it possible to modify the code of the login form in order to fix Dashlane's autofill feature? Does this issue affect other password managers, like LastPass?
Allow a user who has forgotten her password to recover it, for example with a form asking for the birth date and an email validation link (like https://www.polytechnique.org/recovery).
On the WikiX login page, when I click "Me connecter" (Log in), I am redirected to an error page:
Redirect URI Error
The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri).
This same page nevertheless says that I am logged in to Polytechnique.org...
Thanks in advance,
Knowing the birth date is useful when a user sends a mail to Polytechnique.org's team trying to recover her access to her account (along with other documents such as a scan of her ID card).
Moreover if the birth date is present in the database, we can ask for it in the password recovery form in order to slow down an attacker who would have access to the email inbox.
So I suggest adding a birth_date field to model User (which would be optional, as we do not know the birth date of some users), and importing it from the old database.
The website does not currently have a favicon (https://auth.polytechnique.org/). The one used on www.polytechnique.org should be copied...
While at it, the website would look a bit prettier with a logo in the top navbar.
Polytechnique.org's current website syncs the password with the Polytechnique.org-provided Google Apps. This is configured in specific profile pages (https://www.polytechnique.org/googleapps). xorgauth needs to provide this feature:
Some users can belong to several studies (e.g. an engineer who has done a PhD, and in the future a Bachelor who has become an engineer...). The authentication needs to return a list for the study years instead of a single value in such a case.
In order to make relying parties aware of such an issue when they interact with the identity provider, we should transform the current value into a single-item list.
Not quite sure if posting here will solve anything but I have been trying to have support or contact for polytechnique.org deal with a lost password AND no access to reset email issue for the last 6 months... Hopefully someone will pick this up here?
Add a .po file to make Django translate into French the custom messages which are rendered in HTML.
The human-readable unique identifier (HRID) is useful information for client sites to identify a user. Some relying parties also want a "full_promo" description (X2010, M2042, D...).
Moreover an account may be associated with several promotions. We should decide whether we put a single one (the one also seen in the HRID) in the claims or all of them (in a list?). This also means deciding how to store this information in the database.
To do:
Some group websites (e.g. https://x-nucleaire.polytechnique.org/ ) rely on the SSO to authenticate their users. When the group has members who are not alumni, these members have "external accounts" in the database, and they can use the authentication system.
Currently activated external accounts work fine (i.e. external accounts who already have a password), but pending accounts are not transmitted between Plat/al and auth.polytechnique.org, cf.
xorgauth/scripts/export_platal_to_json.py
Line 65 in 582b0ed
sql = """
SELECT a.uid, a.hruid, a.password, a.type, a.is_admin,
a.firstname, a.lastname, a.full_name, a.directory_name, a.display_name,
a.sex, a.email,
p.ax_id, p.xorg_id, pd.promo, pe.grad_year
FROM accounts AS a
LEFT JOIN account_profiles AS ap ON (ap.uid = a.uid AND FIND_IN_SET('owner', ap.perms))
LEFT JOIN profiles AS p ON (p.pid = ap.pid)
LEFT JOIN profile_display AS pd ON (pd.pid = p.pid)
LEFT JOIN profile_education AS pe ON (pe.pid = p.pid AND FIND_IN_SET(\'primary\', pe.flags))
WHERE a.state = 'active'
GROUP BY a.uid
"""
Could we change the WHERE clause to WHERE a.state IN ('active', 'pending')? Would such a change have nasty side effects?
For reference, the issue has been reported by a user, https://support.polytechnique.org/otrs/index.pl?Action=AgentTicketZoom;TicketID=125092 .
I have forgotten to export the AX ID of accounts in scripts/export_platal_to_json.py and this field does not exist in the User model.
xorgauth.accounts.models.User
scripts/export_platal_to_json.py
scripts/dev_data.json
xorgauth/management/commands/importaccounts.py