Copyright 2010 Canonical Ltd.  This software is licensed under the
GNU Affero General Public License version 3 (see the file LICENSE).

= Single-Signon Workflow: Automatic Authorization =

For sites that are intended to look like an integrated part of
Canonical's single sign-on system, we would like to avoid actively
asking the user to authenticate to the site.

As the user is likely to consider the sites to be part of a single
larger system, asking would just cause confusion.

First we will set up the helper view that lets us test the final
portion of the authentication process:

    >>> from openid.consumer.consumer import Consumer
    >>> from openid.fetchers import setDefaultFetcher
    >>> from openid.store.memstore import MemoryStore
    >>> from canonical.signon.testing.openidhelpers import (
    ...     complete_from_browser, make_identifier_select_endpoint,
    ...     PublisherFetcher)
    >>> setDefaultFetcher(PublisherFetcher())

Next we'll set up the trust root we're using to have its requests
automatically authorized:

    >>> from identityprovider.models import OpenIDRPConfig
    >>> rpconfig = OpenIDRPConfig.objects.create(
    ...     trust_root='http://launchpad.dev/',
    ...     displayname='Test RP', description='A test RP',
    ...     auto_authorize=True)

If we are not logged in, automatically authorized sites act the same
as normal ones, and the user is presented with the login page:

    >>> openid_store = MemoryStore()
    >>> consumer = Consumer(session={}, store=openid_store)
    >>> request = consumer.beginWithoutDiscovery(
    ...     make_identifier_select_endpoint(PROTOCOL_URI))
    >>> browser.open(request.redirectURL(
    ...     'http://launchpad.dev/', 'http://launchpad.dev/+openid-consumer'))
    >>> print browser.title

When the user logs in, he will be directed back to the relying party without
being asked for authorization, as the trust root has automatic authorization

    >>> browser.getControl(name='email').value = 'mark@example.com'
    >>> browser.getControl(name='password').value = 'test'
    >>> browser.getControl(name='continue').click()
    >>> print browser.url
    http://launchpad.dev/+openid-consumer?...

    >>> info = complete_from_browser(
    ...     consumer, browser, 'http://openid.launchpad.dev/+id/mark_oid')
    >>> print info.endpoint.claimed_id
    http://openid.launchpad.dev/+id/mark_oid

If the user is already logged in, he will be directed back to the
relying party immediately.

    >>> request = consumer.beginWithoutDiscovery(
    ...     make_identifier_select_endpoint(PROTOCOL_URI))
    >>> browser.open(request.redirectURL(
    ...     'http://launchpad.dev/', 'http://launchpad.dev/+openid-consumer'))
    >>> print browser.url
    http://launchpad.dev/+openid-consumer?...

    >>> info = complete_from_browser(
    ...     consumer, browser, 'http://openid.launchpad.dev/+id/mark_oid')
    >>> print info.endpoint.claimed_id
    http://openid.launchpad.dev/+id/mark_oid

    >>> setDefaultFetcher(None)
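
The decision this walkthrough exercises, sketched as an added example that is not the identity provider's own code: a request skips the authorization page only when the user is logged in and its trust root exactly matches a stored config with auto_authorize set. RPConfig, return_to_in_realm and next_step are hypothetical names; the return_to check is a simplified realm match without wildcard support, and showing a consent page for unknown relying parties is an assumption.

```python
# Added illustration; RPConfig, return_to_in_realm and next_step are hypothetical names.
from collections import namedtuple
from urllib.parse import urlsplit

RPConfig = namedtuple("RPConfig", "trust_root auto_authorize")
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, port) of an http(s) URL, or None if it is unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme])


def return_to_in_realm(trust_root, return_to):
    """True if return_to is at or below trust_root (simplified, no wildcards)."""
    if _origin(trust_root) is None or _origin(trust_root) != _origin(return_to):
        return False
    root_path = urlsplit(trust_root).path or "/"
    target_path = urlsplit(return_to).path or "/"
    if root_path.endswith("/"):
        return target_path.startswith(root_path)
    # "/app" must match "/app" or "/app/x", but not "/application".
    return target_path == root_path or target_path.startswith(root_path + "/")


def next_step(trust_root, return_to, logged_in, rp_configs):
    """Return 'reject', 'login', 'consent' or 'redirect' for one request."""
    if not return_to_in_realm(trust_root, return_to):
        return "reject"      # never send an assertion outside the realm
    if not logged_in:
        return "login"       # auto-authorized sites behave like normal ones here
    # Exact match on the stored trust root: a look-alike realm gets no shortcut.
    config = next((c for c in rp_configs if c.trust_root == trust_root), None)
    if config is not None and config.auto_authorize:
        return "redirect"    # skip the authorization page
    return "consent"         # unknown or non-auto-authorized RP: ask the user


CONFIGS = [RPConfig("http://launchpad.dev/", True)]  # constructed sample
RETURN_TO = "http://launchpad.dev/+openid-consumer"
print(next_step("http://launchpad.dev/", RETURN_TO, False, CONFIGS))
print(next_step("http://launchpad.dev/", RETURN_TO, True, CONFIGS))
```

The two calls at the bottom mirror the two browser sessions above: the first request lands on the login page, the second goes straight back to the relying party.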