Dynamic authenticator with external authentication service

#1

Hi,

I have the following situation: I’m using a dynamic ticket-based authenticator (directly loaded as a worker in Crossbar) for authentication. The authenticator module itself uses an external ticket authentication service that is already there.

Now in the authenticate method in my Crossbar worker I take the realm, the authid and the token. To be able to authenticate the external authentication service I do a short case differentiation: if the authid and the token match those of the external service, then I authenticate it by assigning it the correct role “auth-service”. If the authid does not match the one of the external authentication service, then I call the external service.

Now the problem is that when I reach the line that calls the external service, it is not executed, or at least the external service is never called. To eliminate the external service as an error source, I instead assign a default role to the caller, e.g. “user”. Unfortunately the role is never returned.

From the Crossbar log I can determine that the branch in the code is executed, but the returned role never reaches my client. Same goes for the client: it gets the challenge and sends its credentials to the authenticate procedure, and the credentials reach the authenticate endpoint. It does not matter which role I try to assign to my client, the client never gets a response from Crossbar. As client I use a slightly modified version of the client from the official examples.

I already tried the things obvious to me (checking code for correct formatting, tried various roles and user credentials, …). Now I’ve run out of ideas. Hopefully you can help me.

Here is a snippet from my code:

```python
# check if peer is external authentication service
if authid == "auth-service":
    if token == "secret-token":
        return "auth-service"  # <-- works fine, no problems
# otherwise check the external authentication service
else:
    print('user authentication process')
    if token == 'secret':
        print('got token')  # <-- logged on the console, so branch is executed
        return settings.CLIENT_DEFAULT_ROLE  # <-- not executed or at least response does not reach the client
```


#2

Hi,

Just a random thought: are you using @inlineCallbacks or yield in this section of code?

… I’ve found mismatching @inlineCallbacks and “yield” can sometimes result in completely “silent” failure, which can be very confusing until the errant line of code makes itself known …

(In reply to sieben tupel's post of Monday, 18 January 2016 16:04:48 UTC.)
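One form of the mismatch described in #2, as an added example that is not code from any poster in this thread: a handler that contains `yield` but has no coroutine decorator returns a generator object instead of a role, and nothing raises. It uses only the standard library (no Twisted or Crossbar); `lookup_role`, `checked_role`, the role set and the realm name in the usage are hypothetical.

```python
import hmac
import types

# Assumed role names; "user" stands in for settings.CLIENT_DEFAULT_ROLE.
ALLOWED_ROLES = {"auth-service", "user"}


def lookup_role(token):
    """Hypothetical stand-in for the external ticket service."""
    return "user" if hmac.compare_digest(token.encode(), b"secret") else None


def authenticate_plain(realm, authid, token):
    """Synchronous handler: the return value really is the role."""
    if authid == "auth-service":
        ok = hmac.compare_digest(token.encode(), b"secret-token")
        return "auth-service" if ok else None
    return lookup_role(token)


def authenticate_mismatched(realm, authid, token):
    """Contains `yield` but no decorator drives it: calling it only builds
    a generator object, so the body never runs and no role comes back."""
    role = yield lookup_role(token)
    return role


def checked_role(handler, realm, authid, token):
    """Call a handler and fail loudly unless it returns a known role."""
    result = handler(realm, authid, token)
    if isinstance(result, types.GeneratorType):
        result.close()
        raise TypeError(handler.__name__ + " returned a generator, not a role")
    if result not in ALLOWED_ROLES:
        raise PermissionError("authentication denied for " + authid)
    return result


if __name__ == "__main__":
    print(checked_role(authenticate_plain, "realm1", "alice", "secret"))
    try:
        checked_role(authenticate_mismatched, "realm1", "alice", "secret")
    except TypeError as exc:
        print("caught:", exc)
```

A unit test that asserts on the type of the authenticator's result catches this class of bug before a client is left waiting for a reply.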

#3

Hi Gareth,

Thank you very much. I made a mistake exactly around that, and as I’m new to Twisted, of course I didn’t find it.

cheers mo
