Add support for auth tokens

Bug #488918 reported by Duncan McGreggor
This bug affects 1 person
Affects: txJSON-RPC
Status: In Progress
Importance: Medium
Assigned to: Duncan McGreggor

Bug Description

We want to be able to support a simple login and logout use case with both the txJSON-RPC Proxy as well as generic jsonrpc proxies. The first step in this direction is supporting an auth token mechanism.

Generic jsonrpc proxy/client use case:

 * When a user sends a request to login, they supply a username and password
 * The JSON-RPC server responds to an unsuccessful login request by raising an exception
 * The JSON-RPC server responds to a successful login request by sending an auth token
 * Subsequent requests to protected resources may be made without username or password by sending the auth token in a query string, e.g.: ?auth-token=XXX

txJSON-RPC Proxy use case:

 * When a user sends a request to login, they supply a username and password
 * The JSON-RPC server responds to an unsuccessful login request by raising an exception
 * The JSON-RPC server responds to a successful login request by setting the X-Auth-Token header in the response
 * The Proxy instance automatically parses this header, and all subsequent requests that don't have a username and password are automatically sent with the X-Auth-Token header set

Some of the implementation needs to happen at the top-level Site object, so we may want to subclass twisted.web.server.Site in txJSON-RPC.

Changed in txjsonrpc:
assignee: nobody → Duncan McGreggor (oubiwann)
importance: Undecided → Medium
milestone: none → 0.3
status: New → In Progress
Sergey Kotov (sergey-kotov) wrote :

I am trying to write some code ^))

And I have a collision, as I wrote before.
How to capture auth_token from the request in twisted authentication?
Because if we send a BasicAuth header to the server -- twisted auth must check it; on the other hand, the checker will reject the request.

Another problem is:
if we inherit from tw.web.server.Site to implement the session state issue, we must change the tw.web.server.request.getSession method because it handles the session by cookie.
But if we do it -- we can use the standard tw.web.server.Session class.

Please clarify for me: do we create a new QueryAuthProtocol class, which sends a login request on the first call, or not?

Sergey Kotov (sergey-kotov) wrote :

I am in lock-up.
I committed an example and implementation. But it doesn't work.
Please see lp:~sergey-kotov/txjsonrpc/488918

Duncan McGreggor (oubiwann) wrote :

Hey Sergey,

I will try to get some time to look at this... work's been crazy lately (I put in an 18-hour work day yesterday, trying to debug issues with cloud support...)

Sergey Kotov (sergey-kotov) wrote : Re: [Bug 488918] Re: Add support for auth tokens

I wish you rest :)
and have a good weekend

2009/12/9 Duncan McGreggor <email address hidden>

> Hey Sergey,
>
> I will try to get some time to look at this... work's been crazy lately
> (I put in an 18-hour work day yesterday, trying to debug issues with
> cloud support...)

--
best regards
      Sergey Kotov
