Openid connect -> main #3353
Openid connect -> main #3353
Conversation
There was a problem hiding this comment.
I wonder if you should hold off here until you've got the dashboard Keycloak package and hooks integrated? This will break the dashboard until that's done. But maybe that's OK ... ❔ 👀
In any case, there seem to be a few empty files, and a few other possible problems ...
npalaska
force-pushed
the
openid-connect
branch
from
2d0b2f8 to
508f3a4
Compare
There was a problem hiding this comment.
Coming along nicely.
The new parameter for the _decode() function looks like it shouldn't be optional/None, and it should be specified in the new calls.
The name of the ODIC client in the Pbench realm should be something more generic than pbench-dashboard...unless we're planning on configuring custom clients for all of our programmatic users....
Other than those, my new comments are just nits and small stuff.
There are a couple of comments from my previous reviews which you missed or need attention:
- Docstring update.
- Dashboard error handling.
- The
Usertable delete function. - The
"username"column in the Alembic migration code.
npalaska
force-pushed
the
openid-connect
branch
from
508f3a4 to
c662a02
Compare
npalaska
force-pushed
the
openid-connect
branch
2 times, most recently
from
e19fd2c to
1866d5f
Compare
…ibuted-system-analysis#3241) Remove hyphen from openid-connect section of the endpoints API - Getting rid of the excess quotes and brackets would make this easier to read - It also makes it easier to reference in Dashboard javascript code when there is no hyphen involved (endpoints.openid instead of endpoints['openid-connect'])
…m-analysis#3239) * Remove unused userinfo and online token validation - Removes the get_userinfo functionality from the auth module - Removes the online token validation capability from the server - OIDC token validation will only happen locally PBENCH-1074
…tem-analysis#3243) Update the keycloak.sh to not create a private client. Instead of creating a private pbench-server-client, it now creates pbench-dashboard public client.
…uted-system-analysis#3249) Use of OIDC configuration in the server unit test as default. We have decided to keep the internal Users table for the purpose of quick user lookup and logging. However, unlike the current Users table, there won't be any user credentials stored in the internal database. To facilitate this transition we have to update the User table and active tokens table. This will break all the unit tests because of the way they are set up right now. Currently, we update the active tokens table when we create a new JWT token in the unit test and update the respective user table relationship. And validation of the token depends on it being available in the active tokens table. This change is to use OIDC configuration in the unit tests and start using RS256 to encode and decode the JWT tokens (using OIDC token introspection). And remove the active tokens dependency from the unit tests. PBENCH-1079
* Use OIDC user for the functional test Functional tests should move to using OIDC tokens by making an Admin REST API request to the OIDC server (Keycloak) directly as the server won't be providing Register/Login capabilities on its endpoints. - Create a new scope in the Keycloak to add OIDC client name in aud claim (required for the authentication) - Functional test user registration happens directly with the OIDC server using the Admin token - Functional test user makes a REST API call to get the OIDC token PBENCH-1070
Enable OIDC redirect in the dashboard PBENCH-1072
* Rework the User table
Rework involves the following things:
1. Modifications to the User table:
- Drop the password column
- Drop the auth_tokens relationship (will be later replaced with API keys table)
- Add a column to keep track of OIDC_IDs of the user
- Add the user relationship to the Datasets and Metadata table
2. Removed the user API
3. Changes to the user_management_cli file:
- Kept only list users functionality.
PBENCH-1080
…distributed-system-analysis#3250) * Dashboard integration with keycloak - New dependency added @react-keycloak/web and keycloak-js - Checks the SSO session by wrapping the entire App inside KeycloakProvider. - Removed the current use of login and registration related components. - Removed all the changes and files that got void after this authentication change. - Also ran prettier on the entire src directory. PBENCH-1073
npalaska
force-pushed
the
openid-connect
branch
from
a993450 to
be35713
Compare
| dispatch( | ||
| showToast(DANGER, msg ? msg : `Error response: ERROR_MSG`) | ||
| ); | ||
| dispatch(showToast(DANGER, msg ? msg : `Error response: ERROR_MSG`)); |
There was a problem hiding this comment.
No need to change this unless you have other changes to make, but a recent change from Varshini brought to light the fact that we have alternatives to the use of the ternary operator, here. For instance, either || or ?? might be nicer.
dispatch(showToast(DANGER, msg || `Error response: ERROR_MSG`));(?? will use the default message if msg is undefined; || will use the default message if msg is an empty string; but using either of them allows us to avoid the second reference to msg...just some more items for our Javascript toolboxes....)
There was a problem hiding this comment.
Okay, I don't have any blocking changes outstanding in this PR now so I'll defer it in another PR.
lib/pbench/server/database/alembic/versions/f628657bed56_user_table_update_oidc.py
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
This looks good to go.
I found two more nits after the earlier one that GitHub helpfully posted before I I was ready, and there's one more which I think I called out before but cannot find the comment for...but none of these need to gate the merge of this PR.
| @@ -312,6 +312,10 @@ def commit(self): | |||
| property has been set, "fail" by raising the exception. Otherwise, | |||
| mock a commit by updating any cached "committed" values if the "known" | |||
| proxy objects have changed, and record any new "added" objects. | |||
|
|
|||
| Commit operation now also support delete, however, note that deletes | |||
There was a problem hiding this comment.
You're missing an s, somewhere in that line. 😉
There was a problem hiding this comment.
Sigh! I'll fix it in the next PR.
| export const sessionLogout = () => async (dispatch, getState) => { | ||
| const keycloak = getState().apiEndpoint.keycloak; | ||
| keycloak.logout(); | ||
| clearCachedSession(dispatch); | ||
| }; |
There was a problem hiding this comment.
In general, I don't think that there is a requirement for a thunk to be an async function (although, if the function is not async, then there's a question as to why it needs to be called via dispatch() instead of being invoked directly, but that's neither here nor there...).
Beyond that, I don't see anything in the body of this function which requires the function to be declared async.
So, I think (if, e.g., you needed to make an edit for some other reason), you can drop the async from here.
There was a problem hiding this comment.
Yeah in this PR I just sort of followed how the functions were written already in this file without giving a lot of thought to javascript async operations (which I now have a better understanding of than before I started working on #3233 and #3250). But if this is not a blocking change then I'll defer to my next dashboard PR (Removal of the user profile page).
npalaska
force-pushed
the
openid-connect
branch
from
be35713 to
6374bdd
Compare
Since we have now cut a deployment branch that's
0.72, its time to bring the changes from theopenid-connectbranch on the main and sync with the main.