
Allow custom third-party auth providers to implement autologin
Closed, ResolvedPublic

Description

We currently use a custom auth provider (and will switch once T814 is completed) to allow login with Kerberos. Users expect transparent login support like all other services we provide.
When only a single auth provider is enabled for login, it would be nice if it were transparent (and got automatically selected) rather than requiring the user to press a button.

Event Timeline

eadler updated the task description.

Very minor technical note: we can't support this for all providers. The username + password, LDAP, and I think Persona (although see T10125) providers can't initiate a login flow with a redirect (since the user has to type stuff or do javascriptey things, not just navigate to a URI).

All of the OAuth-esque providers can support it, though.

eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board (Apr 17 2016, 6:24 PM).
eadler renamed this task from "Support auto-login on all auth providers" to "Support auto-login on all auth providers that can reasonably support it." (Jun 6 2016, 4:18 PM).
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
epriestley renamed this task from "Support auto-login on all auth providers that can reasonably support it." to "Allow custom third-party auth providers to implement autologin" (Jun 6 2016, 8:01 PM).
epriestley added a project: Prioritized.

I'm going to support third-party (as here) and OAuth2 (easy) but we have no use cases for other stuff right now (mostly OAuth1 on Twitter/Jira/Bitbucket, I think).

eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board (Jun 6 2016, 8:09 PM).

Here's the new AuthProvider code for OAuth2 autologin after D16060:

public function supportsAutoLogin() {
  return true;
}

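public function getAutoLoginURI(AphrontRequest $request) {
  // CSRF code for this login attempt.
  $csrf_code = $this->getAuthCSRFCode($request);

  // Send the CSRF code as the OAuth2 "state" parameter, so it comes back
  // on the provider's redirect.
  $adapter = $this->getAdapter();
  $adapter->setState($csrf_code);

  // The provider's authorization URI; autologin redirects the user here.
  return $adapter->getAuthenticateURI();
}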

I'd expect Kerberos to be similar, although likely with a simpler getAutoLoginURI() method.
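The following is an added example, not part of the thread and not Phabricator code. It sketches both halves of the flow discussed here: redirecting automatically only when a single redirect-capable provider is enabled, and checking the returned OAuth2 `state` on the callback. All function names, array keys, URIs and the HMAC-of-cookie derivation of the CSRF code are assumptions made for illustration.

```php
<?php
// Added example: standalone sketch with hypothetical names, not Phabricator code.

// Assumption: the CSRF code is an HMAC of a random per-browser cookie value.
function auth_csrf_code(string $cookie, string $server_key): string {
  return hash_hmac('sha256', $cookie, $server_key);
}

// Returns a URI to redirect to, or null to show the normal login screen.
function autologin_uri(array $providers, string $cookie, string $key): ?string {
  $enabled = array_values(array_filter($providers, fn($p) => $p['enabled']));
  // Auto-redirect only when the choice is unambiguous and the provider
  // can start its flow from a plain navigation (no form to fill in).
  if (count($enabled) !== 1 || !$enabled[0]['supports_autologin']) {
    return null;
  }
  $p = $enabled[0];
  return $p['authorize_uri'].'?'.http_build_query([
    'response_type' => 'code',
    'client_id'     => $p['client_id'],
    'redirect_uri'  => $p['redirect_uri'],
    'state'         => auth_csrf_code($cookie, $key),
  ]);
}

// Callback side: accept the response only if state matches this browser.
function callback_state_ok(string $state, string $cookie, string $key): bool {
  return hash_equals(auth_csrf_code($cookie, $key), $state);
}

// Constructed sample data.
$key = 'constructed-server-key';
$cookie = bin2hex(random_bytes(16));
$oauth = [
  'enabled' => true, 'supports_autologin' => true,
  'authorize_uri' => 'https://idp.example.test/authorize',
  'client_id' => 'constructed-client',
  'redirect_uri' => 'https://phab.example.test/auth/login/example/',
];
$password = ['enabled' => true, 'supports_autologin' => false];

$uri = autologin_uri([$oauth], $cookie, $key);
parse_str(parse_url($uri, PHP_URL_QUERY), $query);
var_dump(callback_state_ok($query['state'], $cookie, $key));        // same browser
var_dump(callback_state_ok($query['state'], 'other-cookie', $key)); // different browser
var_dump(autologin_uri([$oauth, $password], $cookie, $key));        // two providers enabled
```

Because an autologin flow starts without the user clicking anything, the `state` check on the callback is the step that ties the provider's response back to the browser that was redirected.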

epriestley triaged this task as Normal priority.

The upstream part of this is working in production, and this is now accounted for.