MantisBT

View Issue Details

ID: 0011219
Project: mantisbt
Category: authentication
View Status: public
Date Submitted: 2009-11-26 17:19
Last Update: 2010-09-21 03:38
Reporter: oberger
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: have not tried
Status: acknowledged
Resolution: open
Platform / OS / OS Version: (not set)
Product Version: (not set)
Target Version: (not set)
Fixed in Version: (not set)
Summary: 0011219: Provide OAuth inter-application authentication "tokens" mechanism
Description: OAuth is a protocol which describes (AFAICT) a way for an application to act on another application with specific privileges as granted by a user.

Supporting OAuth in Mantis may allow third party "clients" to connect to Mantis in order to retrieve/create/modify bugs in the name of a Mantis user, and depending on privileges that this user may have granted for this particular application.

More details at http://oauth.net/

Tags: No tags attached.
Attached Files: (none)

Relationships
related to 0004235 (assigned, grangeway): Support Generic Authentication through Plug-ins
related to 0011063 (new): Support OSLC-CM API to ease integration with ALM platforms

Notes
(0024231)
oberger (reporter)
2010-01-24 12:36

This may be also linked to 0004235
(0024338)
dhx (developer)
2010-02-07 08:05

A decent introduction to what is possible with OAuth: http://hueniverse.com/2007/10/beginners-guide-to-oauth-part-ii-protocol-workflow/

This is no easy undertaking. I imagine we'd first have to implement proper access control into MantisBT like RBAC (role based access control). We'd also need to provide administrators the ability to limit the ability for users to create new accounts and what permissions those accounts can have. OAuth would then sit on top of that core MantisBT functionality providing the interface with external systems?
(0024401)
oberger (reporter)
2010-02-17 02:35

We do intend to implement an OAuth "plugin" for Mantis (as part of the OSLC-CM REST API implementation support) that would allow to use OAuth for connecting to Mantis on behalf of a Mantis user.

It will be used for REST calls first, but may become generic enough to be used for other connections to Mantis, then.

It will make use of SimpleSAMLphp code most probably, for the protocol implementation.

It will add a few elements to the DB to manage Consumer identification, token requests, authorizations, etc. and the related UI screens for admins and users to manage these.

If there was an access control infrastructure for Mantis, it may be coupled, but since then, it will just validate that a Consumer is acting on behalf of a user, and then just replace the auth and id phase.
(0025431)
oberger (reporter)
2010-05-06 12:49

I have implemented the first bits of a Mantis plugin that supports some OAuth endpoints using the PHP OAuth library (and not(yet) SimpleSAMLPhp as previously mentioned).

It is not yet complete, but interested people may have a look at the SVN repo at: http://heliosplatform.svn.sourceforge.net/viewvc/heliosplatform/mantis-oslccm/trunk/mantisbt-oauth-plugin/OauthAuthz/

Enjoy!
(0025445)
oberger (reporter)
2010-05-10 05:06

Here's a first release:
http://sourceforge.net/projects/heliosplatform/files/MantisBt/mantisbt-oauthplugin-0.5.tar.gz/download

Tests and feedback much welcome.
(0025449)
dhx (developer)
2010-05-10 12:05

Firstly, this is a fantastic idea and you've obviously dedicated a lot of time and effort to implementing OAuth into MantisBT.

When I get some more free time I'd be interested in helping to improve this plugin via testing, writing code, reading specs, etc.

I've had a quick browse through the code and the following are a few comments I have so far:

1) MantisBtDbOAuthDataStore::new_token is insecure because it uses an easily predictable PRNG. It'd be better to use the new crypto_api functions in MantisBT 1.3.x for generating nonces. Ref 0010730. If Zend OAuth can create nonces for you then it is probably preferable to use the library implementation... unless it too is insecure :)

2) I think we need to implement a better way of throwing exceptions that allows us to show translated error messages to the user. I'm not sure if this should be in the form of "throw new SomethingException( lang_get( 'ERROR_SOMETHING' ) )" or a more elaborate alternative.

3) Try to avoid SELECT * in queries. It's usually recommended that queries specifically select the required columns from a table. The reason is that if you add a column to one of the tables in the future, you don't want to return this new information if it won't get used.


Great start so far! :)
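As an added example that is not part of this thread, the OauthAuthz plugin, the PHP OAuth library or MantisBT: the provider-side checks an OAuth 1.0a server makes on a signed request (the Consumer identification, token and authorization handling described in note 0024401) together with the CSPRNG-based token generation dhx asks for in point 1 above. It uses plain PHP 7 built-ins (random_bytes, hash_equals) rather than MantisBT's crypto_api; every function name, class name, URL and credential below is this example's own constructed value.

```php
<?php
// Added example, not code from the OauthAuthz plugin, the PHP OAuth library or
// MantisBT. Provider-side OAuth 1.0a checks (RFC 5849): signature base string,
// HMAC-SHA1, timestamp window, nonce replay check, plus CSPRNG token issuance.
// Requires PHP >= 7.0 (random_bytes, hash_equals, scalar type hints).

// Normalise all request parameters (query, body and oauth_* header values,
// minus oauth_signature): RFC 3986 percent-encode (rawurlencode leaves "~"
// alone on PHP >= 5.3), sort by key then value, join with "&".
function oauth_normalize_params(array $params): string
{
    unset($params['oauth_signature']);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = [rawurlencode((string) $k), rawurlencode((string) $v)];
    }
    usort($pairs, function (array $a, array $b): int {
        return $a[0] === $b[0] ? strcmp($a[1], $b[1]) : strcmp($a[0], $b[0]);
    });
    return implode('&', array_map(function (array $p): string {
        return $p[0] . '=' . $p[1];
    }, $pairs));
}

// Signature base string: METHOD & enc(base URL) & enc(normalised params).
function oauth_base_string(string $method, string $url, array $params): string
{
    return strtoupper($method) . '&' . rawurlencode($url) . '&'
        . rawurlencode(oauth_normalize_params($params));
}

// HMAC-SHA1 over the base string; the key is enc(consumer secret) & enc(token
// secret), with an empty token secret on request-token calls.
function oauth_hmac_sha1(string $base, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Token, token-secret and nonce material from the OS CSPRNG. mt_rand(),
// rand() and uniqid() are guessable and must not back secrets.
function oauth_new_token(int $bytes = 20): string
{
    return bin2hex(random_bytes($bytes));
}

// In-memory replay store; a real provider keeps (consumer, timestamp, nonce)
// rows in a table and purges those older than the timestamp window.
class NonceStore
{
    private $seen = [];

    public function checkAndRecord(string $consumerKey, int $timestamp, string $nonce): bool
    {
        $id = $consumerKey . '|' . $timestamp . '|' . $nonce;
        if (isset($this->seen[$id])) {
            return false;
        }
        $this->seen[$id] = true;
        return true;
    }
}

// Verify one incoming request. $consumers maps consumer key => secret;
// $tokens maps token => ['consumer' => key, 'secret' => token secret].
function oauth_verify_request(
    string $method, string $url, array $params,
    array $consumers, array $tokens, NonceStore $nonces,
    int $now, int $window = 300
): bool {
    $key = (string) ($params['oauth_consumer_key'] ?? '');
    if (!isset($consumers[$key])) {
        return false;
    }
    $tokenSecret = '';
    if (isset($params['oauth_token'])) {
        $t = (string) $params['oauth_token'];
        if (!isset($tokens[$t]) || $tokens[$t]['consumer'] !== $key) {
            return false;   // token unknown or issued to another Consumer
        }
        $tokenSecret = $tokens[$t]['secret'];
    }
    if (($params['oauth_signature_method'] ?? '') !== 'HMAC-SHA1') {
        return false;
    }
    $ts = (int) ($params['oauth_timestamp'] ?? 0);
    if (abs($now - $ts) > $window) {
        return false;       // stale or far-future timestamp
    }
    $expected = oauth_hmac_sha1(oauth_base_string($method, $url, $params),
                                $consumers[$key], $tokenSecret);
    // Constant-time compare, and record the nonce only for a valid signature so
    // unsigned junk cannot fill the replay store.
    if (!hash_equals($expected, (string) ($params['oauth_signature'] ?? ''))) {
        return false;
    }
    return $nonces->checkAndRecord($key, $ts, (string) ($params['oauth_nonce'] ?? ''));
}

// Constructed sample: one Consumer, one access token, one signed GET.
$consumers = ['sample-consumer' => 'consumer-secret'];
$tokens = ['sample-token' => ['consumer' => 'sample-consumer', 'secret' => 'token-secret']];
$url = 'http://mantis.example/api/rest/issues';
$now = 1275000000;
$params = [
    'oauth_consumer_key'     => 'sample-consumer',
    'oauth_token'            => 'sample-token',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) $now,
    'oauth_nonce'            => oauth_new_token(8),
    'oauth_version'          => '1.0',
    'project_id'             => '1',
];
$params['oauth_signature'] = oauth_hmac_sha1(
    oauth_base_string('GET', $url, $params), 'consumer-secret', 'token-secret');

$nonces = new NonceStore();
var_dump(oauth_verify_request('GET', $url, $params, $consumers, $tokens, $nonces, $now)); // fresh request
var_dump(oauth_verify_request('GET', $url, $params, $consumers, $tokens, $nonces, $now)); // same nonce again
$params['project_id'] = '2';
var_dump(oauth_verify_request('GET', $url, $params, $consumers, $tokens, $nonces, $now)); // tampered parameter
```

The order of the checks matters: cheap lookups and the timestamp window run first, the signature is compared in constant time, and the nonce is only consumed once the signature is known to be good. The per-Consumer permission limits mentioned later in the thread (note 0025624) would be enforced after this function returns true, by looking up what the matched token was authorised to do.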
(0025482)
oberger (reporter)
2010-05-12 03:47

@dhx: You'll be very much welcome to help ;) Thanks for the review. I'll try and add a few responses:

1) good point. In any case, there are also issues with DOS in terms of security if depending from some RNG methods too... so I'd better not reinvent the wheel here, and use Mantis standard mechanism. +1 for the TODO

2) the errors/exceptions mechanism was not really thought of, so yes, that may be improved in a great way. +1 too

3) Again, here, it was a bit quick and dirty, and there may be better ways to do it. +1 too

Regarding the code in general, I'd like to reorganize it so that there's some more objects and a separate DB store, so that there can be some reuse for other PHP apps. I'm particularly thinking about FusionForge, so, having proper MVC/layers separation would allow the reuse of the same classes for both, while the UI of the plugins would be implemented in different ways, and the backends using each PDO.
I'll try and improve that for the next iteration.

Thanks again for your comments and support :-)
(0025499)
oberger (reporter)
2010-05-14 05:38

Here's a new version: https://sourceforge.net/projects/heliosplatform/files/MantisBt/mantisbt-oauthplugin-0.6.tar.gz/download

I've reworked the DB access code to put it into a single file, in order to be able to reuse much of the code for other PHP web apps that would have a different DB access system/PDO.

The errors should be a little bit better handled and there are many more comments/auto-docs
(0025624)
oberger (reporter)
2010-05-29 10:22

Note that we're successfully using it now for our OSLC-CM V1 REST server (0011063).

Still it misses control over specific permissions associated to the access tokens to allow controlling which operations a Consumer is authorized to do on behalf of a user and which not.

At the moment, we use auth_attempt_script_login() in order to start a user's session, and that seems quite operational.
(0026498)
bretrzaun (reporter)
2010-08-29 08:47

Any plans for integrating OAuth into Mantis core?
Creating third party applications for Mantis would be so much easier.
(0026510)
oberger (reporter)
2010-08-30 01:47

I'm not sure to whom the question is asked, but in any case, I'm sorry to say that it's unlikely I'll have some free time to work on this in the coming month, so I'd be happy to hand it over to anyone interested to continue the work. Everything is committed in our repo... just follow the links above.
(0026805)
oberger (reporter)
2010-09-20 10:17

In case of doubt, this plugin provides an OAuth provider auth mechanism.
(0026825)
oberger (reporter)
2010-09-21 03:38

The code is now available in Git at: http://git.mantisforge.org/w/mantisbt/helios.git?a=tree;f=plugins/OauthAuthz;hb=OauthAuthz

Issue History
Date Modified Username Field Change
2009-11-26 17:19 oberger New Issue
2010-01-24 01:56 vboctor Relationship added related to 0011063
2010-01-24 12:36 oberger Note Added: 0024231
2010-01-25 23:01 vboctor Status new => acknowledged
2010-02-07 07:40 dhx Relationship added related to 0004235
2010-02-07 08:05 dhx Note Added: 0024338
2010-02-17 02:35 oberger Note Added: 0024401
2010-05-06 12:49 oberger Note Added: 0025431
2010-05-10 05:06 oberger Note Added: 0025445
2010-05-10 12:05 dhx Note Added: 0025449
2010-05-12 03:47 oberger Note Added: 0025482
2010-05-14 05:38 oberger Note Added: 0025499
2010-05-29 10:22 oberger Note Added: 0025624
2010-08-29 08:47 bretrzaun Note Added: 0026498
2010-08-30 01:47 oberger Note Added: 0026510
2010-09-20 10:17 oberger Note Added: 0026805
2010-09-21 03:38 oberger Note Added: 0026825


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team