DRYD-1242: Implement OAuth authorization code grant flow for sign in. #189
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportPatch coverage is 📢 Thoughts on this report? Let us know!. |
ray-lee
force-pushed
the
auth-code-login-flow
branch
from
63b8cb8
to
ecef118
Compare
ray-lee
changed the title
ray-lee
force-pushed
the
auth-code-login-flow
branch
from
ecef118
to
fde926a
Compare
ray-lee
changed the title
This replaces the password grant flow.
ray-lee
force-pushed
the
auth-code-login-flow
branch
from
fde926a
to
234838c
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this do?
This utilizes the OAuth authorization code grant flow for sign in, instead of the password grant flow. As a consequence, this application is no longer responsible for authentication, and no longer accepts the user's email and password. Instead, authentication is delegated to the services layer, and the UI is only responsible for authorizing itself as an OAuth client.
Since the services layer now needs a minimal UI to allow users to log in, log out, and reset their password, the build now produces an additional compiled module, cspaceUI-service.js. This module implements a small app that can be displayed by the services layer to handle the above functionality.
Why are we doing this? (with JIRA link)
Upgrading Spring Security in the services layer removed support for the password code grant (which is no longer in the latest versions of OAuth). This also makes it easier to add new forms of user authentication in the future (e.g SSO, two-factor). Since user authentication is now decoupled from client authorization, new authentication schemes can be added only by changing the services layer, and clients can remain unchanged.
JIRA: https://collectionspace.atlassian.net/browse/DRYD-1242
How should this be tested? Do these changes have associated tests?
Login and logout from a CSpace 8.0 server should work. The login page in the UI should now only show a button that opens the login page in the services layer. After logging in, the browser should redirect back to the UI. Clicking the logout link should now open the logout page in the services layer, and logging out from there should redirect back to the UI.
Some unit tests haven't been written yet. These will be in a future PR.
Dependencies for merging? Releasing to production?
This should only be released with an 8.0 services layer.
Has the application documentation been updated for these changes?
I will add documentation about the login flow to the developer documentation in a future PR.
Did someone actually run this code to verify it works?
@ray-lee ran this locally.