Use more descriptive session mode names #738
Conversation
| // SessionModeAuthenticate is used when the session is for user authentication. | ||
| SessionModeAuthenticate = "auth" | ||
| // SessionModeChangePassword is used when the session is for changing the user password. | ||
| SessionModeChangePassword = "passwd" |
There was a problem hiding this comment.
I think at this point we should also rename this into "change-password", being the command line of the runner (and please also update pam/Hacking.md accordingly.
It may require regenerate some golden files I think... But that's a minor thing (do this change in a following commit, in case).
There was a problem hiding this comment.
I think at this point we should also rename this into "change-password"
I would love to do that, but this string is part of the API between authd and the broker, so it would be a breaking change.
There was a problem hiding this comment.
I think we can take the risk and have the brokers for now have a newName || "passwd", wdyt?
There was a problem hiding this comment.
Well, that's an option, but for what I meant, was the one in use by the runner... Adding an extra const in case.
There was a problem hiding this comment.
I think we can take the risk and have the brokers for now have a newName || "passwd", wdyt?
I don't see how we can do that. The session mode is passed from authd to the broker in the NewSession call. Current broker versions don't know about a "change-password" session mode, so they will break if they receive a call from authd which uses that.
What we could do is to keep using "passwd" in authd and start supporting both "change-password" and "passwd" in the next broker release. Then once all broker installations have been updated, we can start using "change-password" in authd in the following release.
There was a problem hiding this comment.
What we could do is to keep using "passwd" in authd and start supporting both "change-password" and "passwd" in the next broker release. Then once all broker installations have been updated, we can start using "change-password" in authd in the following release.
Sorry if that was unclear, but was I was shortly suggesting. Doing a transition with brokers supporting new and old syntax until people migrate.
There was a problem hiding this comment.
Implemented in ubuntu/authd-oidc-brokers#324
There was a problem hiding this comment.
I'm not particularly in love on changing what's on the wire... Also because it would likely imply changes to gdm too, making the transition harder (we'd need to cross dependencies and so on...).
So, I wouldn't really change what's the string value or the proto ID for it, while using better naming anyways (you can still add another go file to the proto folder that does CHANGE_PASSWORD = PASSWD.
There was a problem hiding this comment.
Also because it would likely imply changes to gdm too
Oh, where are the session mode names being used in GDM?
There was a problem hiding this comment.
And is there currently no dependency between authd and gdm? What's the plan when we really need to make changes to the protocol?
internal/brokers/auth/consts.go
Outdated
| // SessionModePasswd is the name of the passwd session. | ||
| SessionModePasswd = "passwd" | ||
| // SessionModeAuthenticate is used when the session is for user authentication. | ||
| SessionModeAuthenticate = "auth" |
There was a problem hiding this comment.
Maybe for the same spirit, this should be SessionModeLogin? Since it does both authentication and session initialization...
adombeck
force-pushed
the
more-descriptive-session-modes
branch
from
f213b36 to
caa3d4d
Compare
* PASSWD -> CHANGE_PASSWORD: Session mode PASSWD is ambiguous, because authentication includes password authentication. CHANGE_PASSWORD should be clearer. * AUTH -> LOGIN: We also authenticate the user when the session mode is CHANGE_PASSWORD. LOGIN makes it clear that the session is for logging the user in.
adombeck
force-pushed
the
more-descriptive-session-modes
branch
from
caa3d4d to
d42e0a2
Compare
Session mode
PASSWDis ambiguous, because authentication includes password authentication.CHANGE_PASSWORDshould be clearer.This also changes session mode
AUTHtoAUTHENTICATEso that we use a verb (which describes the purpose of the session) for both session modes.