On 30-06-2011 02:58, Marius Mårnes Mathiesen wrote:
On Wed, Jun 29, 2011 at 6:44 PM, ejs <edseg...@gmail.com> wrote:

    I need to set up Gitorious with authentication via Crowd. I see that
    there's a gitorious-crowd project hosted on gitorious.org. It's a
    branch of gitorious rather than a plugin. What's the status of this
    branch? Can I just use it? If so, how do I configure it?


I haven't seen that project before - it doesn't seem to have any commits yet?

    From a more general perspective, I assume it's current as of mid- or
    late-March 2011, when the last changes were made. How likely is it to
    become an orphan?


Rodrigo (on the list) has been working on replacing our authentication system with Devise; adding more authentication backends really needs to build on the work he's doing. Could be there's a plugin or equivalent for Crowd in Devise?

Hi, here is the current status. My branch "devise-openid" is already working with Devise and OpenID support. It's still missing an integration test for OpenID and I'll organize the commits in 1 or 2 only after an interactive rebase.

I'm thinking of using ROTS for this:

https://github.com/roman/rots
http://stackoverflow.com/questions/1488456/how-do-you-run-rots-in-a-rails-integration-test

But I don't think I'll get any free time to work on this before this weekend since I'm in a hurry with my personal life lately...

But Devise 1.0 (which works with Rails 2 which is used by Gitorious currently) is not supported by OmniAuth:

https://github.com/intridea/omniauth

As you see, OmniAuth doesn't support Crowd out-of-the-box, but there is a separate backend here:

https://github.com/robdimarco/omniauth_crowd

But for this to work, we still need to migrate Gitorious to Rails 3, which will probably take a while... After that we can update Devise to the newest version and support OmniAuth and possibly omniauth_crowd.

I'm still a bit worried about the security implications of using OpenID, as I was testing it and figured out it worked on localhost in my development environment. This means that OpenID is able to work using HTTP redirects without the two parties talking directly to each other. The security implication is that it is probably trivial to issue a replay attack if you're behind a proxy, for instance. I didn't investigate this enough to know how hard that would be, but I used to think that necessarily both the relying partner and the OpenID provider would talk directly to each other...

I don't know about Crowd, but I think we should try to understand the security implications of each authentication method Gitorious is planning to support... Even if Gitorious decides to adopt some of them, it should recommend to users the authentication systems that it considers more secure, or something like that...

Any thoughts?

--
To post to this group, send email to gitorious@googlegroups.com
To unsubscribe from this group, send email to
gitorious+unsubscr...@googlegroups.com
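The replay worry raised in Rodrigo's message above is exactly what the relying-party checks in OpenID 2.0 are meant to close: the OP signs the assertion it sends back through the browser redirect, and the RP must verify that signature against the association secret and accept each `openid.response_nonce` only once, within a short time window. The following is an added illustration of those RP-side checks, written here for this thread; it is not Gitorious, Devise or ROTS code. It assumes an HMAC-SHA256 association has already been established, and every endpoint, handle, secret and nonce value in it is constructed sample data.

```ruby
require 'openssl'
require 'base64'
require 'time'

# Hypothetical relying-party verifier for an OpenID 2.0 positive assertion.
# Assumes the RP already holds an association (shared secret) with the OP,
# which the OP uses to sign the assertion it sends via the browser redirect.
class OpenIdAssertionVerifier
  NONCE_MAX_AGE = 300 # seconds of clock skew / delivery delay tolerated

  # The nonce store is the replay defence: a response_nonce is accepted once.
  # Here it is an in-memory Hash; a real deployment needs a shared store.
  def initialize(assoc_handle:, assoc_secret:, op_endpoint:, return_to:, nonce_store: {})
    @assoc_handle = assoc_handle
    @assoc_secret = assoc_secret
    @op_endpoint = op_endpoint
    @return_to = return_to
    @nonce_store = nonce_store
  end

  # params: Hash of the "openid.*" query parameters from the indirect response.
  # Returns [true, "ok"] or [false, reason].
  def verify(params, now: Time.now.utc)
    return [false, "not an id_res"] unless params["openid.mode"] == "id_res"
    return [false, "op_endpoint mismatch"] unless params["openid.op_endpoint"] == @op_endpoint
    return [false, "return_to mismatch"] unless params["openid.return_to"] == @return_to
    return [false, "unknown association"] unless params["openid.assoc_handle"] == @assoc_handle

    # Every field the RP relies on must be covered by the signature.
    signed = (params["openid.signed"] || "").split(",")
    required = %w[op_endpoint return_to response_nonce assoc_handle claimed_id identity]
    missing = required - signed
    return [false, "unsigned fields: #{missing.join(',')}"] unless missing.empty?

    expected = self.class.sign(signed, params, @assoc_secret)
    return [false, "bad signature"] unless secure_equal?(expected, params["openid.sig"].to_s)

    ok, reason = check_nonce(params["openid.response_nonce"].to_s, now)
    return [false, reason] unless ok
    [true, "ok"]
  end

  # OpenID 2.0 key-value form: "key:value\n" per signed field, in the order
  # listed in openid.signed, HMAC'd with the association secret.
  def self.sign(signed_fields, params, secret)
    kv = signed_fields.map { |f| "#{f}:#{params["openid.#{f}"]}\n" }.join
    Base64.strict_encode64(OpenSSL::HMAC.digest("SHA256", secret, kv))
  end

  private

  # Nonce = UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by unique characters.
  def check_nonce(nonce, now)
    stamp = Time.iso8601(nonce[0, 20]) rescue nil
    return [false, "malformed nonce"] if stamp.nil? || nonce.length <= 20
    return [false, "stale nonce"] if (now - stamp).abs > NONCE_MAX_AGE
    return [false, "replayed nonce"] if @nonce_store.key?(nonce)
    @nonce_store[nonce] = stamp
    [true, "ok"]
  end

  # Constant-time comparison so signature checking does not leak via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample values (not real endpoints or secrets).
SECRET = "constructed-association-secret"
OP = "https://op.example/openid"
RETURN_TO = "https://gitorious.example/sessions/openid"

# Builds the assertion an OP would send back through the browser for this nonce.
def build_assertion(nonce, secret: SECRET)
  fields = {
    "openid.ns" => "http://specs.openid.net/auth/2.0",
    "openid.mode" => "id_res",
    "openid.op_endpoint" => OP,
    "openid.claimed_id" => "https://op.example/users/alice",
    "openid.identity" => "https://op.example/users/alice",
    "openid.return_to" => RETURN_TO,
    "openid.response_nonce" => nonce,
    "openid.assoc_handle" => "assoc-1",
    "openid.signed" => "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
  }
  fields.merge("openid.sig" => OpenIdAssertionVerifier.sign(fields["openid.signed"].split(","), fields, secret))
end

# Delivers one valid assertion, then the same one again, then a tampered copy.
def demo
  now = Time.utc(2011, 6, 30, 2, 58, 0)
  v = OpenIdAssertionVerifier.new(assoc_handle: "assoc-1", assoc_secret: SECRET,
                                  op_endpoint: OP, return_to: RETURN_TO)
  a = build_assertion("2011-06-30T02:57:30ZabcDEF")
  first = v.verify(a, now: now)
  replay = v.verify(a, now: now)                                      # second delivery of the same assertion
  forged = v.verify(a.merge("openid.identity" => "https://op.example/users/mallory"), now: now)
  { first: first, replay: replay, forged: forged }
end

p demo if $PROGRAM_NAME == __FILE__
```

The first delivery passes, the second copy of the same assertion is rejected on the nonce, and the copy with a changed identity is rejected on the signature. Note that the nonce store has to be shared across all application processes for the replay check to mean anything; a per-process Hash like the one here only illustrates the logic.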
