Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/docs/subsystems/auth.md

149 lines
6.4 KiB
Markdown
Raw Normal View History

docs: Update headings for development auth documentation. Also, we fix an outdated link from /devtools.
2018-08-21 21:52:28 +02:00
# Authentication in the development environment
This page documents special notes that are useful for configuring
Zulip's various authentication methods for testing in a development
environment.
## Testing OAuth in development
docs: Move docs on testing OAuth to their own page. In some minutes of searching yesterday afternoon on the docs site, I couldn't find docs on how to set up our OAuth integrations for the dev environment -- even though I was pretty sure they should be there somewhere, because I'd just been told that. Wasn't until I considered the problem fresh today, and grepped the docs source instead, that I found them. So, move them to a separate page so they're in the nav.
2017-11-02 21:05:21 +01:00
docs: Reduce the number of apparently broken links on github. - Updated 260+ links from ".html" to ".md" to reduce the number of issues reported about hyperlinks not working when viewing docs on Github. - Removed temporary workaround that suppressed all warnings reported by sphinx build for every link ending in ".html". Details: The recent upgrade to recommonmark==0.5.0 supports auto-converting ".md" links to ".html" so that the resulting HTML output is correct. Notice that links pointing to a heading i.e. "../filename.html#heading", were not updated because recommonmark does not auto-convert them. These links do not generate build warnings and do not cause any issues. However, there are about ~100 such links that might still get misreported as broken links. This will be a follow-up issue. Background: docs: pip upgrade recommonmark and CommonMark #13013 docs: Allow .md links between doc pages #11719 Fixes #11087.
2019-09-30 19:37:56 +02:00
Among the many [authentication methods](../production/authentication-methods.md)
docs: Move docs on testing OAuth to their own page. In some minutes of searching yesterday afternoon on the docs site, I couldn't find docs on how to set up our OAuth integrations for the dev environment -- even though I was pretty sure they should be there somewhere, because I'd just been told that. Wasn't until I considered the problem fresh today, and grepped the docs source instead, that I found them. So, move them to a separate page so they're in the nav.
2017-11-02 21:05:21 +01:00
we support, a server can be configured to allow users to sign in with
their Google accounts or GitHub accounts, using the OAuth protocol.
Because these authentication methods involve an interaction between
Zulip, an external service, and the user's browser, and particularly
because browsers can (rightly!) be picky about the identity of sites
you interact with, the preferred way to set them up in a development
environment is to set up the real Google and GitHub to process auth
requests for your development environment.
The steps to do this are a variation of the steps documented in
auth: Document setting social_auth_github_key in dev-secrets. This is a simpler configuration method for development, because dev_settings.py isn't something the developer can edit.
2019-06-07 13:26:04 +02:00
`prod_settings_template.py`. The main differences here are driven by
the fact that `dev_settings.py` is in Git, so it can be inconvenient
to put secrets there. In development, we allow providing those values
in the untracked file `zproject/dev-secrets.conf`, using the standard
lower-case naming convention for that file.
Here are the full procedures for dev:
docs: Move docs on testing OAuth to their own page. In some minutes of searching yesterday afternoon on the docs site, I couldn't find docs on how to set up our OAuth integrations for the dev environment -- even though I was pretty sure they should be there somewhere, because I'd just been told that. Wasn't until I considered the problem fresh today, and grepped the docs source instead, that I found them. So, move them to a separate page so they're in the nav.
2017-11-02 21:05:21 +01:00
### Google
docs/oauth: Update for Google UI changes, and for zulipdev.com. The control panel on the Google side doesn't seem to match the instructions we have; it looks pretty 2017 to me, so I imagine it's had a redesign since the instructions were written. Also, in dev, EXTERNAL_HOST is now a port on zulipdev.com, not on localhost. Update these instructions for those developments, and edit lightly. In dev, recommend setting in `dev_settings` instead of in `prod_settings_template`; that feels to me a little more reflective of the actual intent, and the effect should be equivalent.
2017-11-02 21:21:38 +01:00
* Visit https://console.developers.google.com and navigate to "APIs &
services" > "Credentials". Create a "Project" which will correspond
to your dev environment.
docs: Move docs on testing OAuth to their own page. In some minutes of searching yesterday afternoon on the docs site, I couldn't find docs on how to set up our OAuth integrations for the dev environment -- even though I was pretty sure they should be there somewhere, because I'd just been told that. Wasn't until I considered the problem fresh today, and grepped the docs source instead, that I found them. So, move them to a separate page so they're in the nav.
2017-11-02 21:05:21 +01:00
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
* Navigate to "APIs & services" > "Library", and find the "Identity
Toolkit API". Choose "Enable".
docs: Move docs on testing OAuth to their own page. In some minutes of searching yesterday afternoon on the docs site, I couldn't find docs on how to set up our OAuth integrations for the dev environment -- even though I was pretty sure they should be there somewhere, because I'd just been told that. Wasn't until I considered the problem fresh today, and grepped the docs source instead, that I found them. So, move them to a separate page so they're in the nav.
2017-11-02 21:05:21 +01:00
docs/oauth: Update for Google UI changes, and for zulipdev.com. The control panel on the Google side doesn't seem to match the instructions we have; it looks pretty 2017 to me, so I imagine it's had a redesign since the instructions were written. Also, in dev, EXTERNAL_HOST is now a port on zulipdev.com, not on localhost. Update these instructions for those developments, and edit lightly. In dev, recommend setting in `dev_settings` instead of in `prod_settings_template`; that feels to me a little more reflective of the actual intent, and the effect should be equivalent.
2017-11-02 21:21:38 +01:00
* Return to "Credentials", and select "Create credentials". Choose
"OAuth client ID", and follow prompts to create a consent screen, etc.
For "Authorized redirect URIs", fill in
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
`http://zulipdev.com:9991/complete/google/` .
docs: Move docs on testing OAuth to their own page. In some minutes of searching yesterday afternoon on the docs site, I couldn't find docs on how to set up our OAuth integrations for the dev environment -- even though I was pretty sure they should be there somewhere, because I'd just been told that. Wasn't until I considered the problem fresh today, and grepped the docs source instead, that I found them. So, move them to a separate page so they're in the nav.
2017-11-02 21:05:21 +01:00
docs/oauth: Update for Google UI changes, and for zulipdev.com. The control panel on the Google side doesn't seem to match the instructions we have; it looks pretty 2017 to me, so I imagine it's had a redesign since the instructions were written. Also, in dev, EXTERNAL_HOST is now a port on zulipdev.com, not on localhost. Update these instructions for those developments, and edit lightly. In dev, recommend setting in `dev_settings` instead of in `prod_settings_template`; that feels to me a little more reflective of the actual intent, and the effect should be equivalent.
2017-11-02 21:21:38 +01:00
* You should get a client ID and a client secret. Copy them. In
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
`dev-secrets.conf`, set `social_auth_google_key` to the client ID
and `social_auth_google_secret` to the client secret.
docs: Move docs on testing OAuth to their own page. In some minutes of searching yesterday afternoon on the docs site, I couldn't find docs on how to set up our OAuth integrations for the dev environment -- even though I was pretty sure they should be there somewhere, because I'd just been told that. Wasn't until I considered the problem fresh today, and grepped the docs source instead, that I found them. So, move them to a separate page so they're in the nav.
2017-11-02 21:05:21 +01:00
### GitHub
* Register an OAuth2 application with GitHub at one of
docs/oauth: Update for Google UI changes, and for zulipdev.com. The control panel on the Google side doesn't seem to match the instructions we have; it looks pretty 2017 to me, so I imagine it's had a redesign since the instructions were written. Also, in dev, EXTERNAL_HOST is now a port on zulipdev.com, not on localhost. Update these instructions for those developments, and edit lightly. In dev, recommend setting in `dev_settings` instead of in `prod_settings_template`; that feels to me a little more reflective of the actual intent, and the effect should be equivalent.
2017-11-02 21:21:38 +01:00
https://github.com/settings/developers or
https://github.com/organizations/ORGNAME/settings/developers.
Specify `http://zulipdev.com:9991/complete/github/` as the callback URL.
docs: Move docs on testing OAuth to their own page. In some minutes of searching yesterday afternoon on the docs site, I couldn't find docs on how to set up our OAuth integrations for the dev environment -- even though I was pretty sure they should be there somewhere, because I'd just been told that. Wasn't until I considered the problem fresh today, and grepped the docs source instead, that I found them. So, move them to a separate page so they're in the nav.
2017-11-02 21:05:21 +01:00
docs/oauth: Update for Google UI changes, and for zulipdev.com. The control panel on the Google side doesn't seem to match the instructions we have; it looks pretty 2017 to me, so I imagine it's had a redesign since the instructions were written. Also, in dev, EXTERNAL_HOST is now a port on zulipdev.com, not on localhost. Update these instructions for those developments, and edit lightly. In dev, recommend setting in `dev_settings` instead of in `prod_settings_template`; that feels to me a little more reflective of the actual intent, and the effect should be equivalent.
2017-11-02 21:21:38 +01:00
* You should get a page with settings for your new application,
auth: Document setting social_auth_github_key in dev-secrets. This is a simpler configuration method for development, because dev_settings.py isn't something the developer can edit.
2019-06-07 13:26:04 +02:00
showing a client ID and a client secret. In `dev-secrets.conf`, set
`social_auth_github_key` to the client ID and `social_auth_github_secret`
to the client secret.
docs: Add fake LDAP auth to subsystems/auth.md. Fixes #10297.
2018-08-18 05:11:19 +02:00
docs: Document nginx configuration for development SSL. This is a useful technique for developing OAuth integrations with Zulip.
2018-11-27 16:08:43 +01:00
### When SSL is required
Some OAuth providers (such as Facebook) require HTTPS on the callback
URL they post back to, which isn't supported directly by the Zulip
development environment. If you run a
docs: Reduce the number of apparently broken links on github. - Updated 260+ links from ".html" to ".md" to reduce the number of issues reported about hyperlinks not working when viewing docs on Github. - Removed temporary workaround that suppressed all warnings reported by sphinx build for every link ending in ".html". Details: The recent upgrade to recommonmark==0.5.0 supports auto-converting ".md" links to ".html" so that the resulting HTML output is correct. Notice that links pointing to a heading i.e. "../filename.html#heading", were not updated because recommonmark does not auto-convert them. These links do not generate build warnings and do not cause any issues. However, there are about ~100 such links that might still get misreported as broken links. This will be a follow-up issue. Background: docs: pip upgrade recommonmark and CommonMark #13013 docs: Allow .md links between doc pages #11719 Fixes #11087.
2019-09-30 19:37:56 +02:00
[remote Zulip development server](../development/remote.md), we have
docs: Document nginx configuration for development SSL. This is a useful technique for developing OAuth integrations with Zulip.
2018-11-27 16:08:43 +01:00
instructions for
Revert "docs: Update .html links to .md." This doesn't work without the CommonMark upgrade. This reverts commit c87893feeacaa78315ffc72510afe8e92477f4e8.
2019-04-06 02:58:44 +02:00
[an nginx reverse proxy with SSL](../development/remote.html#using-an-nginx-reverse-proxy)
docs: Document nginx configuration for development SSL. This is a useful technique for developing OAuth integrations with Zulip.
2018-11-27 16:08:43 +01:00
that you can use for your development efforts.
docs: Add fake LDAP auth to subsystems/auth.md. Fixes #10297.
2018-08-18 05:11:19 +02:00
## Testing LDAP in development
docs: Extend background discussion on LDAP integration.
2019-05-28 22:53:36 +02:00
Before Zulip 2.0, one of the more common classes of bug reports with
Zulip's authentication was users having trouble getting [LDAP
authentication](../production/authentication-methods.html#ldap-including-active-directory)
working. The root cause was because setting up a local LDAP server
for development was difficult, which meant most developers were unable
to work on fixing even simple issues with it.
docs: Add fake LDAP auth to subsystems/auth.md. Fixes #10297.
2018-08-18 05:11:19 +02:00
We solved this problem for our unit tests long ago by using the
popular [fakeldap](https://github.com/zulip/fakeldap) library. And in
2018, we added convenient support for using fakeldap in the Zulip
development environment as well, so that you can go through all the
actual flows for LDAP configuration.
- To enable fakeldap, set `FAKE_LDAP_MODE` in
`zproject/dev_settings.py` to one of the following options. For more
docs: Clean up documentation for fakeldap testing in development.
2018-09-27 22:30:29 +02:00
information on these modes, refer to
Revert "docs: Update .html links to .md." This doesn't work without the CommonMark upgrade. This reverts commit c87893feeacaa78315ffc72510afe8e92477f4e8.
2019-04-06 02:58:44 +02:00
[our production docs](../production/authentication-methods.html#ldap-including-active-directory):
docs: Add fake LDAP auth to subsystems/auth.md. Fixes #10297.
2018-08-18 05:11:19 +02:00
- `a`: If users' email addresses are in LDAP and used as username.
- `b`: If LDAP only has usernames but email addresses are of the form
username@example.com
- `c`: If LDAP usernames are completely unrelated to email addresses.
- To disable fakeldap, set `FAKE_LDAP_MODE` back to `None`.
- In all fakeldap configurations, users' fake LDAP passwords are equal
to their usernames (e.g. for `ldapuser1@zulip.com`, the password is
`ldapuser1`).
auth: Use different defaults for name and email for fakeldap. Fixes part of #10297. Use FAKE_LDAP_NUM_USERS which specifies the number of LDAP users instead of FAKE_LDAP_EXTRA_USERS which specified the number of extra users.
2018-08-18 02:35:19 +02:00
- `FAKE_LDAP_NUM_USERS` in `zproject/dev_settings.py` can be used to
specify the number of LDAP users to be added. The default value for
the number of LDAP users is 8.
settings: Configure LDAP avatar synchronization in dev environment. This should make it a lot more convenient to do manual testing of these common LDAP configuration options.
2019-06-17 22:11:29 +02:00
### Testing avatar and custom profile field synchronization
The fakeldap LDAP directories we use in the development environment
are generated by the code in `zerver/lib/dev_ldap_directory.py`, and
contain data one might want to sync, including avatars and custom
profile fields.
We also have configured `AUTH_LDAP_USER_ATTR_MAP` in
`zproject/dev_settings.py` to sync several of those fields. For
example:
* Modes `a` and `b` will set the user's avatar on account creation and
update it when `manage.py sync_ldap_user_data` is run.
* Mode `b` is configured to automatically have the `birthday` and
`Phone number` custom profile fields populated/synced.
* Mode `a` is configured to deactivate/reactivate users whose accounts
are disabled in LDAP when `manage.py sync_ldap_user_data` is run.
(Note that you'll likely need to edit
`zerver/lib/dev_ldap_directory.py` to ensure there are some accounts
configured to be disabled).
### Automated testing
For our automated tests, we generally configure custom LDAP data for
each individual test, because that generally means one can understand
exactly what data is being used in the test without looking at other
resources. It also gives us more freedom to edit the development
environment directory without worrying about tests.
docs: Merge two-factor-auth.md into auth.md. It's brief and really doesn't deserve its own article.
2019-10-07 21:10:18 +02:00
## Two Factor Authentication
Zulip uses [django-two-factor-auth][0] as a beta 2FA integration.
To enable 2FA, set `TWO_FACTOR_AUTHENTICATION_ENABLED` in settings to
`True`, then log into Zulip and add otp device from settings
page. Once the device is added, password based authentication will ask
for one-time-password. In the development environment., this
one-time-password will be printed to the console when you try to
login. Just copy-paste it into the form field to continue.
Direct development logins don't prompt for 2FA one-time-passwords, so
to test 2FA in development, make sure that you login using a
password. You can get the passwords for the default test users using
`./manage.py print_initial_password`.
[0]: https://github.com/Bouke/django-two-factor-auth