[Rt-commit] rt branch, 5.0/disable-password-for-auth-token-config, repushed
Jim Brandt
jbrandt at bestpractical.com
Mon Dec 21 17:04:05 EST 2020
The branch 5.0/disable-password-for-auth-token-config was deleted and repushed:
was 8df779384a1814b759639b102fc741aafa28c3a2
now b148f34f9e3ccc32dba18181ee031497aecd3804
-: ------- > 1: 8b6872cfe1 Align "Time to display" in footer
1: 9b90fbeac1 ! 2: c466142ae3 Add option to disable password prompt when creating tokens
@@ -1,10 +1,13 @@
Author: Aaron Trevena <ast at bestpractical.com>
- Add config option to disable password for auth tokens
+ Add option to disable password prompt when creating tokens
- Added and documented new configuration option to not require a password
- when adding a new auth token, this solves problems with requiring a password
- in a hybrid RT where both external and local accounts are used.
+ If RT allows both local RT auth and federated auth, we
+ can't automatically determine when to supress the password
+ prompt during token creation. RT can't run a password check
+ against a federated auth system, so users can be blocked from
+ creating tokens. Provide an option to allow admins to explicitly
+ omit the password check to prevent this.
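Review bot: "supress" in the second line of the new message body should be "suppress". The subject line talks about the password "prompt" while the body ends on omitting the password "check"; pick one term so that someone searching the log for this option finds a consistent description.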
diff --git a/docs/authentication.pod b/docs/authentication.pod
--- a/docs/authentication.pod
@@ -13,43 +16,35 @@
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
-+
-+If you have a mix of local and external authentication you can disable
-+requiring a password to create tokens with the following line in
-+C<RT_SiteConfig.pm>:
-+
-+ Set($DisablePasswordForAuthToken, 1);
-+
-+
- You can find more information about tokens in L<RT::Authen::Token>.
+-You can find more information about tokens in L<RT::Authen::Token>.
++Since tokens grant access on behalf of a user, RT prompts for a password
++when a user is creating a token. However, if you have a mix of RT and
++federated authentication, RT can't authenticate users via the federated
++password system. For this case, you can explicitly disable the password
++check with the C<$DisablePasswordForAuthToken> configuration option.
=head1 External Authentication
+
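Review bot: The rewritten paragraph in docs/authentication.pod names C<$DisablePasswordForAuthToken> but no longer tells the reader how to set it or where it is documented. The earlier revision carried the literal `Set($DisablePasswordForAuthToken, 1);` line, and this revision also removes the "You can find more information about tokens in L<RT::Authen::Token>." pointer. Suggest keeping the L<RT::Authen::Token> link and adding a reference to the option's entry in RT_Config, so the admin reading the token section can reach both.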
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@
-
- Set($MinimumPasswordLength, 5);
+ are not in LDAP can still be created when they email in.
+ See L<RT::Authen::ExternalAuth> for details.
+=item C<$DisablePasswordForAuthToken>
+
-+If you have a mix of local and external authentication you can disable
-+requiring a password to create tokens with the following line in
-+C<etc/RT_SiteConfig.pm>. You can find more information about tokens in
-+L<RT::Authen::Token>.
++If you have a mix of RT and federated authentication, RT can't directly
++verify a user's password against the federated IdP. You can explicitly
++disable the password prompt when creating a token by setting this option
++to true (1).
+
- =back
-
- =head3 External Authentication and Authorization
-@@
-
=back
+=cut
+
+Set($DisablePasswordForAuthToken, 0);
-+
=head2 Initialdata Formats
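Review bot: The `=item C<$DisablePasswordForAuthToken>` text explains when an admin would enable the option but not what is given up by doing so. The option is a single `Set(...)` value, and nothing in the item says whether users who do have a local RT password are still prompted once it is set to 1. Suggest one sentence stating the scope (all users, or only those RT cannot verify) and that the shipped default, `Set($DisablePasswordForAuthToken, 0);`, keeps the password prompt in place.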
2: 5b53164822 = 3: 27e2eeb6a1 Switch to Obfuscate callback for $DatabasePassword/$LDAPPassword configs
3: 8df779384a = 4: b148f34f9e Remove special handling of password like core variables on configuration page