OAuth2 SSO for RT with GitHub/Google/etc

Hi,

My name is Michiel Beijen and I’m a software developer based in The
Netherlands. Previously I’ve worked for OTRS.com, the producers of an
open source ticketing system written in Perl, pretty much like RT.

Recently I’ve responded to questions from Ask and Robert at the
Perl.org NOC, http://log.perl.org/2015/08/want-to-help.html, who wanted
to get some stuff done but did not have any tuits.

One of their ideas is to replace Bitcard sign up for rt.perl.org with
something that does SSO with sources such as github.com and Google,
because Bitcard has not taken off a lot and the implementation on RT
is not so nice. This might make getting RT accounts easier.

I’ve looked into this a bit and would like to consider implementing it.
Obviously I’d like to leverage one of the existing OAuth2 modules on
CPAN, write the integration with RT and publish this RT extension as a
module on CPAN.

Previously I’ve used RT only as a CPAN module maintainer or to file
bugs on modules; I just recently started reading through the
documentation.

My questions:

  • Did anyone create such an integration previously? I tried searching
    CPAN, Github, the mailinglists but did not find such a thing yet.

  • I think I know how to modify the login page to add ‘sign in with
    GitHub’ etc buttons. I also know how to send the request to the OAuth
    provider and how to handle the response, as well as how the OAuth2
    authentication flow works in general. But for this to work properly, I
    need to be able to save some data in the RT database related to users;
    I read the documentation but did not find a way to make
    extensions modify the RT database. I’m sure I did not search hard
    enough. Can anyone share any pointers?

  • I was planning on using LoadOrCreateByEmail() to fetch the email
    address from the OAuth2 provider and create an account if needed.
    https://bestpractical.com/docs/rt/4.2/RT/User.html#LoadOrCreateByEmail-ADDRESS
    Is this the right approach? I found this method has the hardcoded
    ’Autocreated when added as a watcher’ in the Comments field, which
    seems a bit strange as the Watcher functionality does not seem to be the
    only use case for this method. See
    https://github.com/bestpractical/rt/blob/stable/lib/RT/User.pm#L540

Thanks in advance!

Michiel
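The flow Michiel outlines above (send the browser to the provider, handle the callback, then hand the returned address to LoadOrCreateByEmail) has a few checks a security reviewer would want in place before an address coming back from a provider is allowed to select or create an RT account: a per-session, one-shot state value so a forged or replayed callback is refused, a server-to-server code exchange so the browser never holds tokens, and a refusal to act on an e-mail address the provider has not verified. The following is an added example, not code from this thread, from RT or from the rt-authen-oauth2 extension; it is written in Python rather than Perl so that it runs stand-alone against a constructed stand-in provider. The class names, the callback path and the `email_verified` field are assumptions (the real field differs per provider: Google's userinfo uses `email_verified`, GitHub's /user/emails reports `verified` per address).

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Unpadded base64url, as used for the PKCE code_challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class FakeProvider:
    """Constructed stand-in for GitHub/Google: authorize, token and userinfo endpoints."""

    def __init__(self, client_id, client_secret, users):
        self.client_id, self.client_secret, self.users = client_id, client_secret, users
        self.codes = {}  # code -> (user_id, redirect_uri, pkce_challenge); single use

    def authorize(self, url, login_as):
        """The user approves at the authorize URL; returns the redirect back to RT."""
        q = parse_qs(urlparse(url).query)
        assert q["client_id"] == [self.client_id] and q["response_type"] == ["code"]
        code = secrets.token_urlsafe(16)
        self.codes[code] = (login_as, q["redirect_uri"][0], q["code_challenge"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form):
        """Code is redeemed once, bound to the client, the redirect_uri and the PKCE verifier."""
        entry = self.codes.pop(form.get("code"), None)
        creds = (form.get("client_id"), form.get("client_secret"))
        if entry is None or creds != (self.client_id, self.client_secret):
            return {"error": "invalid_grant"}
        user_id, redirect_uri, challenge = entry
        verifier_hash = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if form.get("redirect_uri") != redirect_uri or not hmac.compare_digest(verifier_hash, challenge):
            return {"error": "invalid_grant"}
        return {"access_token": "at-" + user_id, "token_type": "bearer"}

    def userinfo(self, access_token):
        return dict(self.users[access_token[len("at-"):]])


class OAuth2Login:
    """RT side (assumed names): start the redirect, validate the callback, map identity to a user."""

    AUTHORIZE_URL = "https://idp.example/authorize"                 # assumed
    CALLBACK_URL = "https://rt.example.org/NoAuth/OAuth2Callback"  # assumed path

    def __init__(self, provider, client_id, client_secret):
        self.provider, self.client_id, self.client_secret = provider, client_id, client_secret
        self.pending = {}  # session_id -> {"state", "verifier"}; consumed on callback
        self.users = {}    # email -> record; stand-in for what LoadOrCreateByEmail touches

    def begin(self, session_id):
        """Build the 'Sign in with ...' redirect; state and PKCE verifier stay in the session."""
        state, verifier = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending[session_id] = {"state": state, "verifier": verifier}
        return self.AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.CALLBACK_URL, "scope": "openid email", "state": state,
            "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
            "code_challenge_method": "S256",
        })

    def callback(self, session_id, url):
        """Handle the provider's redirect; any failed check is a refused login."""
        pending = self.pending.pop(session_id, None)  # one-shot: a replay fails below
        q = parse_qs(urlparse(url).query)
        if pending is None or not hmac.compare_digest(pending["state"], q.get("state", [""])[0]):
            return {"ok": False, "reason": "state mismatch"}  # login CSRF or replay
        tok = self.provider.token({
            "grant_type": "authorization_code", "code": q.get("code", [""])[0],
            "redirect_uri": self.CALLBACK_URL, "client_id": self.client_id,
            "client_secret": self.client_secret, "code_verifier": pending["verifier"],
        })
        if "access_token" not in tok:
            return {"ok": False, "reason": "code exchange failed"}
        info = self.provider.userinfo(tok["access_token"])
        # Only a provider-verified address may select or create an account; acting on an
        # unverified claim would let anyone log in as the owner of an existing address.
        if not info.get("email_verified"):
            return {"ok": False, "reason": "unverified email"}
        created = info["email"] not in self.users
        self.users.setdefault(info["email"], {"email": info["email"]})
        return {"ok": True, "email": info["email"], "created": created}


def run_demo():
    """Constructed scenarios: a normal login, a repeat login, a replay, a login CSRF, an unverified claim."""
    idp = FakeProvider("rt-client", "s3cret", {
        "alice": {"email": "alice@example.org", "email_verified": True},
        "mallory": {"email": "victim@example.org", "email_verified": False},  # claims someone else's address
    })
    rt = OAuth2Login(idp, "rt-client", "s3cret")
    results = {}
    cb = idp.authorize(rt.begin("sess-1"), login_as="alice")
    results["first"] = rt.callback("sess-1", cb)                 # account created
    results["second"] = rt.callback("sess-2", idp.authorize(rt.begin("sess-2"), "alice"))  # found, not duplicated
    results["replay"] = rt.callback("sess-1", cb)                # state already consumed
    attacker_cb = idp.authorize(rt.begin("sess-attacker"), "alice")
    rt.begin("sess-victim")
    results["csrf"] = rt.callback("sess-victim", attacker_cb)    # state belongs to another session
    results["unverified"] = rt.callback("sess-5", idp.authorize(rt.begin("sess-5"), "mallory"))
    results["accounts"] = sorted(rt.users)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The state value is generated per session and deleted the moment a callback arrives, so both a replayed callback and a callback injected into another user's session fail the same check before any code exchange happens. The `email_verified` test is what makes the LoadOrCreateByEmail step safe: without it, an account at the provider carrying an arbitrary unverified address would log in as whichever RT user already owns that address. How the extension stores its own per-user data in RT's schema, the question Michiel raises, is separate from these checks.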

Hello Michiel,

Since this is still the first hit on the forum, I’m going to fill in this blank:

  1. Someone at Best Practical created it: https://github.com/bestpractical/rt-authen-oauth2
  2. It was made in December, a year after your question

I’d really like to start using it in RT 4.2, as it seems to work fine. My current route with ExternalAuth and a homegrown RPC call asks for more work.

Best Practical: Where can we post suggestions for this plugin? Will you be releasing it? Or shall we (as a community) fork/improve it?

Regards,
Kai

Hi Kai,

We will be releasing it once it undergoes some more testing. You’re certainly welcome to submit patches and suggestions! :slight_smile:

Best,
Shawn

Thanks Shawn,

Issues are disabled on that repo, but I’ll submit a few patches so we can use it in a more practical way.

Cheers,

Hmm.

The biggest problem is its current configurability. You cannot define your own IDP as it will give you loads of warnings:

Change of config option ‘OAuthIDP’ at /usr/share/request-tracker4/plugins/RT-Authen-OAuth2/etc/OAuth2_Config.pm line 36 has been ignored. It may be ok, but we want you to be aware. This option has been set earlier in /etc/request-tracker4/RT_SiteConfig.pm line 170. at /usr/share/request-tracker4/lib/RT/Config.pm line 1414

Is this something that does not occur on RT 4.4?