Passing an authenticated user to RT

Mike_Peachey · February 11, 2008, 10:18am

Morning all,
As of Friday, I’ve just put the finishing touches together on v0.1 of
my custom external MySQL authentication module. Hopefully soon, I will
be integrating it into the LDAP custom module so that you can have one
module for all forms of external auth (starting with just these two).

In the meantime I have something MUCH more important to work on, I need
users that are logged in on the website to be able to bypass RT
authentication.

All the user creation and information updating is dealt with in the
custom MySQL module, so I don’t want to pass any user information into
RT, but I do need the website to be able to tell RT: The user
has had his credentials authenticated and you should not prompt for any,
just load the user.

So far, I haven’t discovered how I should do this. Apache authentication
and directly applying WebExternalAuth is not a valid option because
Apache would still be prompting for credentials as the website does not
use apache authentication, it’s custom PHP authentication.

Also, there is code that is included whenever a page is loaded with a
logged-in user, if that would help.

Also, the website uses session-cookies to store authentication? Could RT
read these somehow, or could we combine the RT cookies with the website
cookies?

Help!
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

Jesse_Vincent · February 11, 2008, 10:55am

he user.

So far, I haven’t discovered how I should do this. Apache
authentication
and directly applying WebExternalAuth is not a valid option because
Apache would still be prompting for credentials as the website does
not
use apache authentication, it’s custom PHP authentication.

Also, the website uses session-cookies to store authentication?
Could RT
read these somehow, or could we combine the RT cookies with the
website
cookies?

Can RT get at the php app’s cookies? What would the RT need to do to
validate the user’s info from the php side?

I’ve previously cooked up something for a client that:

* used client-side JS to turn a link from another system into an HTTP

POST to RT with the other system’s cookie
* used LWP and the cookie to do an HTTP GET against the other app.
* validated the credentials and wrote out an RT session

I can’t release the code I used due to the specific client contract,
but the technique should be generally applicable.

Mike_Peachey · February 11, 2008, 11:54am

Jesse Vincent wrote:

he user.

So far, I haven’t discovered how I should do this. Apache authentication
and directly applying WebExternalAuth is not a valid option because
Apache would still be prompting for credentials as the website does not
use apache authentication, it’s custom PHP authentication.

Also, the website uses session-cookies to store authentication? Could RT
read these somehow, or could we combine the RT cookies with the website
cookies?

Can RT get at the php app’s cookies? What would the RT need to do to
validate the user’s info from the php side?

I don’t see why not. RT is accessed by the same domain (domain/rt) and
then loaded into a frame.

As for what it would need to do, I’m not sure… there are a number of
possible ways to do it, but none seem sensible or secure or fast.

The website cookie currently stores a hashed loginID and a SessionID,
but it could be coded to put more in the cookie.

I’ve previously cooked up something for a client that:
* used client-side JS to turn a link from another system into an 
HTTP POST to RT with the other system’s cookie
* used LWP and the cookie to do an HTTP GET against the other app.
* validated the credentials and wrote out an RT session

Because the website is ours to mangle (well, it’s externally developed,
but they do what we tell them to) we should be able to do it all
server-side.

For example, we could try and get the website super-frame to do a
_POST to RT on load, but whether or not that would work or persist
through in-frame page changes I don’t know.

Alternatively, we might be able to get the PHP code to set an apache ENV
variable that RT could read, just like WebExternalAuth does (but obv not
a php variable because of RT running out of Perl - unless I write some
php for RT to execute?), but again I’m not sure how I’d pick that up in
RT, or how persistent the setting would be. AFAIK apache ENV variables
die at the end of the request.

I’m just really not sure where to go with this as there are so many
possible options, none of which are clear-cut on how to do them.
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

Mike_Peachey · February 11, 2008, 12:23pm

Mike Peachey wrote:

Jesse Vincent wrote:

I think I might actually have a way forward with this. I have confirmed
that the RT should have access to the cookie, and the cookie stores a
loginID which is permanently unique and stored in the MySQL database
against the users userID.

I should, theoretically, be able to pull that loginID, check it
against the database entry to pull the userID and then log the user in
(BEFORE the autocreate callback).

I think I could do this all from autohandler, but I’m not sure how
secure it is to be running MySQL calls from autohandler…

/me continues to ponder options.
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

Mike_Peachey · February 11, 2008, 1:44pm

Mike Peachey wrote:

Mike Peachey wrote:

Jesse Vincent wrote:

I think I might actually have a way forward with this. I have confirmed
that the RT should have access to the cookie, and the cookie stores a
loginID which is permanently unique and stored in the MySQL database
against the users userID.

I should, theoretically, be able to pull that loginID, check it
against the database entry to pull the userID and then log the user in
(BEFORE the autocreate callback).

I think I could do this all from autohandler, but I’m not sure how
secure it is to be running MySQL calls from autohandler…

/me continues to ponder options.

Update:

I’m doing it from within the autohandler Auth callback which already
contains code for custom MySQL authentication.

Prior to checking ifdef($user && pass), it will confirm the authenticity
of the cookie and the user it refers to, and if it’s good it will set a
$confirmedByCookie and defined the $user.

$user is then used as normal, but ifdef($confirmedByCookie) will
override $pass where necessary.

What I don’t know is where I should place the custom cookie checking
code that connects to the database, pulls and converts data etc. Should
it all be in the callback? Should I create a new function in
Web::Interface somewhere? Should I add a subroutine within the callback?
Should I add another callback containing the sub?

Where is the RIGHT place to put the code within RT’s design architecture?
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England