#362 openid,login: utilize actual username when logged using email
Opened 12 days ago by ttomecek. Modified 5 days ago
ttomecek/ipsilon fix358  into  master

@@ -212,8 +212,11 @@ 

              return self._template('openid/consent_form.html', **context)


      def _response(self, request, session):

-         user = session.get_user()

-         identity_url = self.cfg.identity_url_template % {'username': user.name}

+         # we could use `session.get_user().name` here but when authenticated

+         # via email, .name corresponds to email instead of an actual username

+         # https://pagure.io/ipsilon/issue/358

+         userattrs = session.get_user_attrs()

+         identity_url = self.cfg.identity_url_template % {'username': userattrs['_username']}

          response = request.answer(



file modified
@@ -21,6 +21,7 @@ 

              self._userdata = dict()


              self._userdata = self._get_user_data(username)

+             # username can be an email, https://pagure.io/ipsilon/issue/358

              self.name = username


      def _get_user_data(self, username):

Fixes: https://pagure.io/ipsilon/issue/358

I welcome guidance regarding testing since I'm not entirely sure how ipsilon obtains all the FAS data.

@simo Could you please take a look too?

Is this behavior specific to Fedora infrastructure?

Sounds like this should be a configurable ...

I don't mind making it configurable although it seems that current behavior breaks openid endpoint expectations given the client logs an error:

Discovery verification failure for http://ttomecek@redhat.com.id.fedoraproject.org/

so please let me know how should I proceed

So the question is whether _username is always available.
Tracing through the code it requires a module to call the auth_successful function to pass in the user name, this is what my grep shows:
ipsilon/login/authfas.py: return self.lm.auth_successful(self.trans,
ipsilon/login/authform.py: return self.lm.auth_successful(self.trans, user.name, 'password')
ipsilon/login/authgssapi.py: return self.lm.auth_successful(trans, self.user.name,
ipsilon/login/authldap.py: return self.lm.auth_successful(self.trans, username, 'password',
ipsilon/login/authpam.py: return self.lm.auth_successful(
ipsilon/login/authtest.py: return self.lm.auth_successful(self.trans,

These are all the login plugins, so it should be guaranteed ?
If we are confident that's the case I actually see no issue with this patch