the code in app/services/sso/apache.rb allows authentication of a user
based on some Apache module (mod_auth_*). The code in
app/services/sso/basic.rb calls User.try_to_login which in case the
user is not found in the database yet via find_by_login, cycles the
auth sources and tries to find the user there, authenticate, and then
creates the user with the appropriate AuthSource set.
I wonder what the expected behaviour should be for situations when
authorize_login_delegation is set and some Apache module authenticates
the user but the user hasn't been precreated in the database.
Currently the authentication fails.
Before preparing patch draft, I'd like to make sure I'm putting the
logic into the correct place. It seems like we'd need variant of
try_to_auto_create_user which would not require password (the user
has already been authenticated, possibly without a password in case
of for example GSSAPI) and would create the user.
For users authenticated via authorize_login_delegation, should they
be created with AuthSourceInternal or should I create something like
AuthSourceExternal? Also, should the auto-creation feature have yet
another configuration option in settings.yaml?
Of course, the authentication module would need to pass in the
attributes needed for the User object but my hope is that
module similar to
Thank you for any hints about the preferred place for the new logic to