In case the user used an external_registry for login, we have to allow the redirect to a complete url

External identity provider reform (part 2)

Use the external identity provider for refresh of logins. When a user is logged in via an external identity provider, use the same identity provider for a refresh when it expires. The expiration time is controlled via the classical OpenACS parameters.

Note that in general, the same user might be authenticated via a classical OpenACS authority (e.g. local authority) and/or via an external one (e.g. Microsoft Identity Platform (Azure) or GitHub).

For single-sign-ons, when the token is still valid, the redirect to the external identity provider does not mean necessarily that the user is shown the external identity provider's login page.

  1. … 3 more files in changeset.
improve spelling

  1. … 4 more files in changeset.
Specify the empty value correctly in the authentication form fields

fixes for Oracle 19c

  1. … 5 more files in changeset.
Remove backward compatibility check in busy code for versions before 5.1.3 (2004)

The checks for backwards compatibility have on busy sites the highest hit rates of all entries in the util-memoize cache. Since we require the latest OpenACS 5.9.* for upgrade to 5.10, this can be removed (17 years later).


Comment deprecated proc, which was before defined as private, because of a false positive in acs-api-browser.callgraph__bad_library_calls: the "Authenticate" operation in the spec of auth::authentication::create_contract is mistakenly interpreted as the deprecated proc

Make proc public, as was intended

Deprecated trivial private ad_user_login wrapper, which is already a public api

  1. … 1 more file in changeset.
Promote logics in auth::authentication::Authenticate to a public api, which unfortunately cannot be the same due to the inconsistent naming, hence we have to create a new alias


- the proc provides some value to the user by choosing the right contract implementation depending on the authority

- we found occurrences in other packages downstream, and as internally this proc is calling only public api, one could just duplicate the whole thing and be compliant with our standards, which is not an improvement IMO

- the proc was already tested and documented

  1. … 2 more files in changeset.
Mark 'auth::can_admin_system_without_authority_p' as public, as it is used in 'acs-admin'

Make 'auth::get_register_authority' public, as it is used by acs-subsite

Make 'auth::verify_account_status' public, as it is used in other packages. Fixes 'callgraph__bad_page_calls' test case

Use the new 'url' and 'email' input type widgets

  1. … 1 more file in changeset.
Port of downstream logic: do not use a hardcoded list of local authorities, but rather check if the authority implementation is local, which would handle also other downstream local authorities

Rework the idiom to perform cheap checks first and improve documentation

Fix var name

Creating a user without a username is possible if the authority is local, include the test authority among those for which we generate a username, as it is also local as in "hosted locally"

Fixes acs-authentication.auth_use_email_for_login_p automated test

Make api public, complies with acs-api-browser.graph__bad_calls automated test

  1. … 2 more files in changeset.
whitespace changes

don't rely on uppercase header field names

  1. … 10 more files in changeset.
prefer db_0or1row +"where exists" over db_string + "select case"

  1. … 3 more files in changeset.
Improve sql portability: oracle cannot select a boolean directly using exists

Improve spelling: move closer to the linux documentation recommendations

  1. … 21 more files in changeset.
Replace deprecated idiom

break overlong lines

Replace deprecated idiom

Improve documentation

Fix typo in message key

  1. … 4 more files in changeset.
Fix typo in message key

  1. … 4 more files in changeset.
No need for ad_decode and also no need to count all swas, we just want to know if there is one