[QGIS-Developer] Auth-config and single sign-on with Windows login
Alessandro Pasotti
apasotti at gmail.com
Wed Nov 20 08:24:22 PST 2019
On Wed, Nov 20, 2019 at 5:10 PM Andreas Neumann <a.neumann at carto.net> wrote:
> Hi Jürgen,
>
> I wouldn't know how this works. When I create a new PG connection, it
> forces me to add a username and password. I can't create a new connection
> without specifying one. Even if the Windows password manager already knows
> my windows credentials, which are the same as the PG credentials. As a
> "stupid user" I would either expect:
>
> - not being asked for credentials (means that QGIS would automagically
> forward the Windows credentials)
>
What if your DNS has been poisoned to hit evil.hacker.com instead? Would
you still want your credentials to be automatically sent?
> - or when creating a new auth-conf, having a choice like "use windows
> credentials" and then not being asked for username/password, because QGIS
> already knows it from Windows.
>
I don't get this point: when you enter your credentials in the OS wallet
(password manager) it does not leak them to QGIS, or that would be another
huge security hole.
But maybe I am just not correctly handling it.
>
> The one thing I noticed is that the Windows password manager automatically
> loads the master password of the QGIS password manager. So that one seems
> to work.
>
>
That's the currently supported way to manage credentials: you store them
into the encrypted QGIS auth DB and (optionally) store the master password
in your OS wallet.
In any event, the QGIS auth system is plugin based (C++ plugins) and
other/custom auth methods could be developed if needed.
Cheers
--
Alessandro Pasotti
w3: www.itopen.it