Opened 3 years ago

Closed 3 years ago

Last modified 22 months ago

#33561 closed New feature (fixed)

Allow syncing user attributes on every authentication with RemoteUserBackend.

Reported by: Adrian Torres Owned by: Adrian Torres
Component: contrib.auth Version: dev
Severity: Normal Keywords: RemoteUserBackend
Cc: Florian Apolloner Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

If using a custom RemoteUserBackend, it is possible to want to synchronize any changes from the remote system back into the Django user records whenever authentication happens.

Currently, if any user attributes change in the remote system there is no easy way to reflect these changes back into the users in the Django system.

The goal of this feature is to introduce a new method in the django.contrib.auth.backends.RemoteUserBackend class called synchronize_user with a method signature equal to that of configure_user (which it complements) that will be called in the authenticate method of said class right after fetching the user from the database (if any), regardless of whether the user was unknown and created or otherwise.

Implementors can then override this method and implement data synchronization between the remote user and the Django user that will be applied on every user authentication attempt.

Change History (11)

comment:1 by Adrian Torres, 3 years ago

Has patch: set

comment:2 by Adrian Torres, 3 years ago

Owner: changed from Adrian Torres to Adrian Torres

comment:3 by Mariusz Felisiak, 3 years ago

Resolution: wontfix
Status: assignedclosed

Thanks for this ticket, however I don't see a strong reason for a new hook, you can achieve the same by overriding authenticate(), e.g.

class CustomRemoteUserBackend(RemoteUserBackend):
    def authenticate(self, request, remote_user):
        user = super().authenticate(request, remote_user):
        return self.synchronize_user(user)

    def synchronize_user(self, user):
        ...

You can raise the idea on the DevelopersMailingList if you don't agree, to reach a wider audience and see what other think (see also triaging guidelines with regards to wontfix tickets).

comment:4 by Adrian Torres, 3 years ago

Sure, but in my implementation the synchronization is done right before calling user_can_authenticate whose output can change due to the synchronization.

Is it really necessary to start a new thread in the mailing list to have the patch be reconsidered?

Cheers,
Adrian

comment:5 by Florian Apolloner, 3 years ago

I think this would be a nice improvement. For one the suggested workaround does not work -- authentication checks could be done based on the assigned groups of the user which need to synchronized before authenticate calls into user_can_authenticate and not afterwards… This can be really useful with proxies like Authelia which sends along the following headers: Remote-User, Remote-Groups, Remote-Name, Remote-Email

Given that this is security related I rather see us providing a hook at the proper place than having users patch around this. I am not sure I agree with the patch though, we already do have configure_user and it feels like we should just pass a boolean to that with the information if the user was just created or not (and move it around in code accordingly).

@Mariusz I was hesitant to reopen and accept the ticket after you have closed it, but I think it would be useful to support this (also I want to check if trc sends mail properly now :D)

comment:6 by Florian Apolloner, 3 years ago

Cc: Florian Apolloner added

comment:7 by Mariusz Felisiak, 3 years ago

Has patch: unset
Resolution: wontfix
Status: closednew
Summary: Synchronize user attributes on every authentication with RemoteUserBackendAllow syncing user attributes on every authentication with RemoteUserBackend.
Triage Stage: UnreviewedAccepted

Agreed, it sounds reasonable to add created=False to the configure_user() signature and call configure_user(request, user, created=False) when user already exists.

django-developers discussion

comment:8 by Adrian Torres, 3 years ago

Has patch: set
Version 0, edited 3 years ago by Adrian Torres (next)

comment:9 by Mariusz Felisiak, 3 years ago

Status: newassigned
Triage Stage: AcceptedReady for checkin

comment:10 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

Resolution: fixed
Status: assignedclosed

In d90e34c:

Fixed #33561 -- Allowed synchronization of user attributes in RemoteUserBackend.

comment:11 by Mariusz Felisiak <felisiak.mariusz@…>, 22 months ago

In ba082e0:

Refs #33561 -- Made created=True required in signature of RemoteUserBackend.configure_user() subclasses.

Per deprecation timeline.

Note: See TracTickets for help on using tickets.
Back to Top