openstax / accounts

OpenStax centralized authentication and accounts service

Home Page:https://accounts.openstax.org


Investigate SSO authentication impact to ApplicationUser clients

jpslav opened this issue

Description

This is a tech impact investigation that is Accounts-centric with a potential impact to OSWeb.

The timing of the investigation is at Michael's discretion based on his initial review of it.

Accounts keeps track of ApplicationUsers. In the past, when you logged in to Exercises, Tutor, OSWeb, etc, you went through an OAuth flow back-and-forth with Accounts. As part of this flow, Accounts stored an ApplicationUser record in its database for each app that you logged in from. E.g. the first time that Johnny student logs in to Tutor, Accounts would make an ApplicationUser record that says “Johnny is a Tutor user”. Accounts has an API for retrieving these application users. I think that this API is used by OSWeb to determine if a user is a Tutor user and if so to show a Tutor link in the OSWeb user dropdown in the upper right corner.

With the current transition to single sign-on authentication, I believe we will no longer be able to make these ApplicationUser records (because we won’t be doing the formal OAuth flow wherein Accounts knows that a login request is coming from Tutor). Which means that the users of the ApplicationUser records may not be able to count on that functionality in the future.

So the investigation is to figure out if these things I think are true are in fact true and if so to make a plan to handle these changes.

Checklist for Done

1A-DEFINE

  • Description is complete
  • High-level natural language acceptance tests are complete
  • If the issue is included in a product phase, then Release is selected.

2A-NON CODE

  • The work is completed and satisfies the acceptance tests.

Well from memory I think:

  • /api/user, which I think is what OS Web etc. use, should still work.
  • ApplicationUsers will no longer be created.
    • Syncing profile info will break (app is not allowed to read your accounts profile and not allowed to update it). If you need the user info for backend stuff we will need to think of something.
    • Frontend can just keep reading the SSO cookie or calling /api/user and link users to Accounts to update their profile.

@Dantemss - when we needed to get user data for use on the backend, we used the SSO cookie. You can see an example of that here: https://github.com/openstax/openstax-cms/blob/master/oxauth/views.py#L19-L40

It was a bear to get it working and it's a bit finicky if things change on accounts (like with the Rails 5 upgrade).

Hm, sure, that works in a view, but in a background job, for example, or when an admin/teacher views another user's name, you wouldn't have the cookie to read. Unless you store the info while they visit to use later or something like that.
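The two backend cases raised in this thread (reading the SSO cookie in a request handler, and needing the profile later in a background job or an admin page where the cookie is not available) are shown together below as an added example. This is not OpenStax code and not the format of the real Accounts cookie, which this thread does not describe: it assumes a simplified cookie of the form base64url(JSON) + "." + base64url(HMAC-SHA256 tag) keyed with a secret shared between Accounts and the app, and the names `make_sso_cookie`, `read_sso_cookie`, `record_visit`, `lookup_profile` and `SHARED_SECRET` are hypothetical.

```python
"""Verify an SSO cookie on the backend and cache the profile for later use.

Added example, not OpenStax code. ASSUMED cookie format (not the real one):
    base64url(JSON payload) "." base64url(HMAC-SHA256(secret, body))
with a secret shared between Accounts and the consuming app.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"example-shared-secret"  # hypothetical; real apps load this from config


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_sso_cookie(payload: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint a cookie the way the identity provider would; used here only to build sample input."""
    body = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64u(tag)}"


def read_sso_cookie(cookie: str, secret: bytes = SHARED_SECRET,
                    now: Optional[float] = None) -> Optional[dict]:
    """Return the verified payload, or None if the tag is wrong or the cookie has expired.

    The tag is checked (in constant time) before the body is parsed, so an
    attacker-supplied cookie never reaches json.loads unless it was minted
    with the shared secret.
    """
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64u(tag)):
            return None
        payload = json.loads(_unb64u(body))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        return None
    return payload


# Server-side copy of the profile data captured while the user visited, keyed by
# the Accounts uuid. A background job, or a page where an admin/teacher views
# another user's name, reads this instead of a cookie it does not have.
_PROFILE_CACHE: dict = {}


def record_visit(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Called from a request handler: verify the cookie, remember the profile, return the user."""
    now = time.time() if now is None else now
    payload = read_sso_cookie(cookie, now=now)
    if payload is None:
        return None
    user = payload["user"]
    _PROFILE_CACHE[user["uuid"]] = {"name": user["name"], "seen_at": now}
    return user


def lookup_profile(uuid: str) -> Optional[dict]:
    """Used outside a request (background job, admin view): no cookie needed."""
    return _PROFILE_CACHE.get(uuid)


if __name__ == "__main__":
    # Constructed sample: a cookie for "Johnny", valid until t=2000.
    sample = make_sso_cookie({"user": {"uuid": "u-123", "name": "Johnny"}, "exp": 2000})
    print(record_visit(sample, now=1000))      # the verified user dict
    print(lookup_profile("u-123"))             # cached profile, no cookie required
    print(read_sso_cookie(sample, now=3000))   # None: expired
```

The cache is deliberately populated only from a cookie whose tag verified, so a stale or forged cookie cannot seed profile data that a later job would trust; in a real deployment the dictionary would be a database table with its own expiry.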

Investigation complete, closing this and creating a new card: https://app.zenhub.com/workspaces/openstax-bit-5bacfe3f4b5806bc2bea3764/issues/openstax/business-intel/704
