-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ontoportal SSO feature #26
Comments
Hi @manuelfiorelli, can you please give more details of how it works, and what is needed to make it work? |
The implementation of single sign-on (SSO) in EcoPortal relies on the OAuth 2.0 and OpenID Connect standards. The current deployment in a development environment uses Keycloak as the actual identity and access management software that implements both standards, playing the role of the authorization server. Both the web UI and and the API were modeled in the authorization server as client, each with its own set of client credentials:
In EcoPortal, we externalized authentication and login management to the authorization server, while keeping the internal user management and api key to avoid disrupting the architecture. After the login phase, most of EcoPortal runs unmodified. By first, SSO must be enabled, by setting the global variable
If SSO is enabled, the login procedure changes slightly. If you look at Upon login, the After performing some security checks (including validating some nonces to avoid some common attacks), the callback implementation uses the authorization code to request (in a backend channell) an access token for the web UI client. This access token is then used to invoke the If SSO is enabled, the implementation of the endpoint
After checking that this token was signed by the EcoPortal authorization server, the API can do a few checks on its own, including that the token is temporally valid and intended to be consumed by the API (in addition to the user interface). If all these checks pass, the the API knows that the authorization server authenticated the users and authorized the user to access the API. Indeed, without checking the audience, the user could have requested a token for a different service, and then have used to access the API. Beyond login, the 'Oauth2Controller` also implements RP-initialed logout, so that one a users logs out from EcoPortal it closes also the session in the authorization server. |
Hi @manuelfiorelli, thanks for this detailed explanation. So If I understood well,
On the UI side, you used this package https://github.com/nov/openid_connect (to contact the Authorization server) I think the implementation is good, and that we can integrate to Agroprotal (@jonquet). But in the condition that it is generalized to work with multiple Authorization servers (identity providers), Self-hosted organizational authorization servers, Github, and ORCID. So do you think @manuelfiorelli, that you can update it (easily) to make it work with the multiple authorization servers (in priority for Github) |
@jvendetti if we make it work for Github, do you have any requirements and/or remarks to give us; regarding your parallel work on GitHub request changes? |
This will be my opinion too. |
When I generate a GitHub issue from the Rails application, I'm interested in some way to know if the logged in user has a GitHub account name. The idea is that the body of the GitHub issue could incorporate their GitHub account name with GitHub's mention syntax, e.g., something like:
We're interested in using the mention syntax so that we can take advantage of GitHub's built-in notifications. Currently we output the BioPortal account name in issue bodies, but the GitHub account name would be preferable: Please let me know if you'd like any additional details. |
Close as done in https://github.com/ontoportal-lirmm/bioportal_web_ui/releases/tag/v2.7.0, discussion about merging it to the main Ontoportal branch will be discussed here #37 |
Context
We are working currently at Agroportal with Ecoportal to align our two codebases; which means resting extracting reusable features from both codebases and sharing them with Ontoportal.
For example, EcoPortal developed an administration panel for groups and categories (to add, edit and delete them) that we extracted from Ecoportal and integrated into Agroprtal (and soonly shared with Ontoportal, see ontoportal-lirmm/bioportal_web_ui#237)
In that context, we also discovered that EcoPortal implemented an SSO implementation, which we think can be a great contribution to Ontoportal.
This implementation includes those changes:
bearer_token
for authentification lifewatch-eric/ontologies_api_ruby_client#3The developer of this is @manuelfiorelli from the Ecoportal team.
The text was updated successfully, but these errors were encountered: