It looks like currently we can:

  • Create a new Crowd session/token (login to Crowd through Drupal).
  • Check whether a Crowd token is active (to auto SSO login when a token has already been set).

but we do not:

  • Create a session and cookie that is compatible with other Atlassian tools. The cookie is not being set in a compatible way, nor are the Crowd "validation factors" being set correctly. This means that a session started via Drupal will not be usable by non-Drupal tools that also connect to Crowd (specifically the Crowd Console).
  • Fully validate a Crowd token. At the moment we only check if a Crowd token is "active", but we do not fully validate it (check against other "validation factors", such as remote IP), which seems to be a standard practice for other Atlassian tools.

I suppose these may be 2 separate issues, but they are indeed related. I'm looking into this and could probably produce a patch at some point soon. Regardless, it would be interesting to hear from an existing maintainer if any of these missing bits of functionality were perhaps actually by design?
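The difference between an "active" check and full validation against validation factors, as an added example that is not part of the original post or the module's code. `crowd_example_factors()` and `ExampleCrowdServer` are hypothetical names, the server is a constructed in-memory stand-in rather than the Crowd API, and the factor names `remote_address` and `X-Forwarded-For` are assumed here (the post itself names only "remote IP").

```php
<?php
// Hypothetical helper: build the validation factors for the current request.
// Factor names are an assumption; the post only mentions "remote IP".
function crowd_example_factors(array $server): array {
  $factors = ['remote_address' => $server['REMOTE_ADDR'] ?? ''];
  if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
    $factors['X-Forwarded-For'] = $server['HTTP_X_FORWARDED_FOR'];
  }
  ksort($factors); // stable key order so two factor sets compare reliably
  return $factors;
}

// Constructed in-memory stand-in for the Crowd server (not the Crowd API).
final class ExampleCrowdServer {
  private array $sessions = [];

  // Create a session and remember the factors it was created with.
  public function authenticate(string $user, array $factors): string {
    $token = bin2hex(random_bytes(12));
    $this->sessions[$token] = ['user' => $user, 'factors' => $factors];
    return $token;
  }

  // Weak check: the token exists, nothing else is compared.
  public function isActive(string $token): bool {
    return isset($this->sessions[$token]);
  }

  // Full check: the token exists and the caller's factors match the stored ones.
  public function validate(string $token, array $factors): bool {
    return $this->isActive($token)
      && $this->sessions[$token]['factors'] === $factors;
  }
}

$crowd = new ExampleCrowdServer();
$login = crowd_example_factors(['REMOTE_ADDR' => '192.0.2.10']);   // constructed address
$other = crowd_example_factors(['REMOTE_ADDR' => '198.51.100.7']); // constructed address
$token = $crowd->authenticate('alice', $login);

var_dump($crowd->isActive($token));         // active check ignores who presents the token
var_dump($crowd->validate($token, $login)); // full validation, original client
var_dump($crowd->validate($token, $other)); // full validation, token presented from another address
```

The same comparison is why a session created with factors that differ from what another application computes for the same browser will not be honored by that application.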


Comments

rjacobs’s picture

Alright, as I look at this I think it's going to be simpler to separate this into 2 issues. For now I have just been focusing on making it possible for Drupal to set a session and cookie that other Crowd apps (such as the Crowd Console) will honor. This mainly entails some changes to the way setcookie() is used, the way the cookie is named and the way validation factors are set in the authorize() service call. The notes at https://answers.atlassian.com/questions/123130/sso-between-confluence-an... were particularly helpful in sorting this out.

Patches are attached for D6 and D7.

rjacobs’s picture

Status: Needs work » Needs review

Note that the patches in #1 will also address the problem from #1698440: Special characters in usernames or passwords cause xml errors, so I marked that as a dup pointing to this issue.

Also note that these patches may not apply cleanly until the "super patches" from #1716078: Consolidate a common space and status for this integration effort are applied.

rjacobs’s picture

This is just a quick re-roll to make sure this patch still applies cleanly after the modified patches being discussed in #1716078: Consolidate a common space and status for this integration effort are applied. Also, this is just for D7 as I think it's best to wait to post a D6 fix until something is committed for D7.

rjacobs’s picture

Version: 7.x-2.x-dev » 6.x-2.x-dev
Status: Needs review » Active

This is now committed in http://drupalcode.org/project/crowd.git/commit/23dd4ba

Just needs backport now.

rjacobs’s picture

Version: 6.x-2.x-dev » 7.x-2.x-dev
Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

typo