LDAP & PAM added to OAuth password grant strategy #12390

ntl-purism · 2019-11-15T16:31:23Z

Resolves #7999

When authenticating via OAuth, the resource owner password grant
strategy is allowed by Mastodon, but (without this PR), it does not
attempt to authenticate against LDAP or PAM. As a result, LDAP or PAM
authenticated users cannot sign in to Mastodon with their
email/password credentials via OAuth (for instance, for native/mobile
app users).

This PR fleshes out the authentication strategy supplied to doorkeeper
in its initializer by looking up the user with LDAP and/or PAM when
devise is configured to use LDAP/PAM backends. It attempts to follow the
same logic as the Auth::SessionsController for handling email/password
credentials.

Note #1: Since this pull request affects an initializer, it's unclear
how to add test automation.

Note #2: The PAM authentication path has not been manually tested. It
was added for completeness sake, and it is hoped that it can be manually
tested before merging.

When authenticating via OAuth, the resource owner password grant strategy is allowed by Mastodon, but (without this PR), it does not attempt to authenticate against LDAP or PAM. As a result, LDAP or PAM authenticated users cannot sign in to Mastodon with their email/password credentials via OAuth (for instance, for native/mobile app users). This PR fleshes out the authentication strategy supplied to doorkeeper in its initializer by looking up the user with LDAP and/or PAM when devise is configured to use LDAP/PAM backends. It attempts to follow the same logic as the Auth::SessionsController for handling email/password credentials. Note mastodon#1: Since this pull request affects an initializer, it's unclear how to add test automation. Note mastodon#2: The PAM authentication path has not been manually tested. It was added for completeness sake, and it is hoped that it can be manually tested before merging.

ntl · 2019-11-25T21:04:14Z

Yay! The tests pass now!

…stodon#12390) When authenticating via OAuth, the resource owner password grant strategy is allowed by Mastodon, but (without this PR), it does not attempt to authenticate against LDAP or PAM. As a result, LDAP or PAM authenticated users cannot sign in to Mastodon with their email/password credentials via OAuth (for instance, for native/mobile app users). This PR fleshes out the authentication strategy supplied to doorkeeper in its initializer by looking up the user with LDAP and/or PAM when devise is configured to use LDAP/PAM backends. It attempts to follow the same logic as the Auth::SessionsController for handling email/password credentials. Note #1: Since this pull request affects an initializer, it's unclear how to add test automation. Note #2: The PAM authentication path has not been manually tested. It was added for completeness sake, and it is hoped that it can be manually tested before merging.

ntl-purism force-pushed the master branch 2 times, most recently from ad7a16f to 4754cd9 Compare November 15, 2019 16:43

ntl-purism force-pushed the master branch from 4754cd9 to dfb3492 Compare November 25, 2019 20:41

Gargron approved these changes Nov 30, 2019

View reviewed changes

Gargron merged commit f3a9398 into mastodon:master Nov 30, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

LDAP & PAM added to OAuth password grant strategy #12390

LDAP & PAM added to OAuth password grant strategy #12390

ntl-purism commented Nov 15, 2019

ntl commented Nov 25, 2019

LDAP & PAM added to OAuth password grant strategy #12390

LDAP & PAM added to OAuth password grant strategy #12390

Conversation

ntl-purism commented Nov 15, 2019

ntl commented Nov 25, 2019