Idea #12995
closed
[Workbench] Allow user to add a new Google account to their Arvados account
Added by Tom Morris almost 7 years ago.
Updated over 6 years ago.
Release relationship:
Auto
Description
Use case: A user has a new authentication (eg Google) account. User has previously logged in using some other authentication account (eg LDAP) and already has an Aravdos account. User wants to link their existing Arvados account to the new authentication account so that when they log in with the new authentication account, they are logged into their existing Arvados account.
Entry points¶
- User is logged in to Workbench using old authentication account, selects "link a new authentication method" from menu
- User attempts to log in using new authentication account, gets an inactive account page
- User attempts to log in using new authentication account, is logged into a new active empty account.
Flow for (1)¶
- On workbench, click on "link new auth method"
- Browser stashes the API token in session storage
- Browser is sent to api_server/logout?return_to=http://workbench/link_accounts
- Browser is logged out from API and SSO, and redirected to workbench link_accounts
- Workbench redirects browser to api_server/login?return_to=http://workbench/link_accounts
- User logs in and browser is sent back to workbench with &api_token=... of new Arvados account
- Workbench now has both API token of the old account (in session storage), and an api_token of the newly logged in account
- Browser determines which user account should be merged into the other (based on account creation time, whether it is "empty")
- Browser displays a confirmation page stating one account will be linked to the other
- Workbench sends request to API server to link one account to the other (#12626)
- Workbench uses the API token of the linked account, and presents the user with a "success" page
Flow for (2)¶
- User is at inactive user page. Text says "if you have logged in with a different account, click here to link your account"
- Do (1) starting from 2
Flow for (3)¶
- Same as (1) (workbench figures out which way the account linking goes)
- Description updated (diff)
- Related to Feature #12626: [API] Merge user accounts (redirect=true case) added
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Related to deleted (Feature #12626: [API] Merge user accounts (redirect=true case))
- Blocked by Feature #12626: [API] Merge user accounts (redirect=true case) added
- Description updated (diff)
- Target version changed from To Be Groomed to Arvados Future Sprints
- Target version changed from Arvados Future Sprints to 2018-05-09 Sprint
- Target version changed from 2018-05-09 Sprint to 2018-05-23 Sprint
- Assigned To set to Peter Amstutz
- Related to Idea #12703: [Workbench] Self serve account merge added
12995-wb-merge-acct @ 4aa2e9342254971e92b5836a56728015e9cfc714
Adds a /users/link_account page accessible from user menu and on the "inactive user" page.
- User can choose whether to add a login to the current account, or link the current login to another account
- When one of the accounts is inactive, can only merge the login of the inactive account to the active account
Manually tested:
- From existing user, select "Add another login to this account", login as the "new" user, then link accounts.
- From new, active user, select "Use this login to access another account", login as "old" user, then link accounts
- From new, inactive user, select "Use this login to access another account", login as "old" user, then link accounts.
No automated tests. The problem is, this process relies on the SSO server, which the run-tests.sh / workbench test environment doesn't provide. Hard to work around. Could possibly rig something up based on arvbox.
Also:
12995-session-timeout @ commit:21f2ee32fe8fc6391c95b5dcdb59d787629dceff branch on the sso-provider repository.
- Sets session timeout to 1 second so that users always have to log in (otherwise sessions mess up the "log in as a different user" part of the flow.)
- Maybe it would be convenient to add a date on the group name to avoid possible conflicts when the merge action fails after the group is created, or just reuse it.
- Using either direction, I get the api error: "supplied API token is not from a trusted client" - API Request URL: https://172.17.0.2:8000/arvados/v1/users/merge
- Tests done with arvbox
- After adding the trusted client setting, manual tests on both directions worked well.
- The first bulletpoint from note-16 may be a valid one, just in case there's some transient api server problem.
- Is there an explicit way for workbench to ask for the new sso-provider (package dependency)?
- Issues that may not be for this review but instead for the api server side:
- When linking an admin account into a non-admin account left me without admin access
- After linking account A into account B, and later on linking account B into account C, when try to login with account A, I get an error like this:
{"errors":["#<Exception: identity_url h793v-tpzed-f1svf5ts12yw4c3 redirects to nonexistent uuid 2bs4c-tpzed-2cx7fuz2l783jhi>"],"error_token":"1526663055+db8a355d"}
- After clicking any of the linking buttons, the next thing the user sees is a login dialog saying "Your session expired, please sign in again to continue." and I think it can be confusing, if this is not worth correcting on the SSO's side, maybe we could have a message on wb's link account page warning what will happen after clicking.
A→B + B→C = error during login
Can the merge API detect this when B→C is happening, and flatten the tree by changing A→B to A→C?
admin→non-admin
Yes, Workbench should warn if you're about to do this, but I suppose we might as well go ahead and do it if you accept/ignore the warning.
Lucas Di Pentima wrote:
- The first bulletpoint from note-16 may be a valid one, just in case there's some transient api server problem.
Added ensure_unique_name: true
- Is there an explicit way for workbench to ask for the new sso-provider (package dependency)?
No, there isn't.
- Issues that may not be for this review but instead for the api server side:
- When linking an admin account into a non-admin account left me without admin access
Fixed workbench so it detects that case and won't let you do that.
- After linking account A into account B, and later on linking account B into account C, when try to login with account A, I get an error like this:
{"errors":["#<Exception: identity_url h793v-tpzed-f1svf5ts12yw4c3 redirects to nonexistent uuid 2bs4c-tpzed-2cx7fuz2l783jhi>"],"error_token":"1526663055+db8a355d"}
This was an API server bug in following chained redirects. Fixed & added tests.
- After clicking any of the linking buttons, the next thing the user sees is a login dialog saying "Your session expired, please sign in again to continue." and I think it can be confusing, if this is not worth correcting on the SSO's side, maybe we could have a message on wb's link account page warning what will happen after clicking.
I noticed that too. I don't really want to mess with the SSO server too much. It might be possible to change the flow to have it go through the logout procedure and then immediately to the login procedure, which would also eliminate the need to upgrade SSO server.
Now @ 6237a718e292de02dc06c2885e4a96260616ce03
Still todo: add a documentation page.
12995-wb-merge-acct e2632a25d3aab230bdc44936fa42a3d27ff15d30
- Added username to the link accounts page to further disambiguate the two accounts being linked
- Added documentation pages
- Updated to use a login/logout flow instead of relying on session timeout. However, the SSO server still needs to be updated (see below)
12995-session-timeout 4ed380efb64d50a6c74defe74ffef08166f4f0c7
- Added a "choose" page when more than one provider is configured. Enables users to select between LDAP and Google.
Manually tested updates on both branches, providing that Jenkins' run goes well, LGTM. Thanks!
- Status changed from New to Resolved
Also available in: Atom
PDF