Arvados - Idea #4919: [API] Arvados clients can use standard OAuth2 protocol instead of custom token handling mechanism | https://dev.arvados.org/issues/4919?journal_id=19706 | 2015-01-07T16:10:55Z | Peter Amstutz (peter.amstutz@curii.com)
<p>Proposed flow for workbench:</p>
<ol>
<li>Workbench login button sends browser directly to SSO for sign in (no redirects via API server)</li>
<li>SSO server performs log in, and redirects the user back to workbench with authorization code</li>
<li>Workbench gets browser request with authorization code
<ol>
<li>Workbench sends login request with authorization code to API server</li>
</ol>
</li>
<li>API server gets workbench request with authorization code
<ol>
<li>API server sends authorization code to SSO for validation</li>
</ol>
</li>
<li>SSO gets request with authorization code from API
<ol>
<li>SSO validates user identity and responds to API</li>
</ol>
</li>
<li>API gets response from SSO
<ol>
<li>API server finds/creates user for associated SSO</li>
<li>API server creates new API token and responds to workbench</li>
</ol>
</li>
<li>Workbench gets API token and puts it in the browser session
<ol>
<li>Respond to browser by loading the desired page</li>
</ol></li>
</ol>
https://dev.arvados.org/issues/4919?journal_id=19707 | 2015-01-07T16:18:22Z | Peter Amstutz (peter.amstutz@curii.com)
<p>Proposed flow for browser-based apps that talk to API server directly:</p>
<ol>
<li>Login button sends browser directly to SSO for sign in (no redirects via API server)</li>
<li>SSO server performs log in, and redirects the user back to browser app with authorization code</li>
<li>Browser app sends login request with authorization code to API server</li>
<li>API server gets browser app request with authorization code
<ol>
<li>API server sends authorization code to SSO for validation</li>
</ol>
</li>
<li>SSO gets request with authorization code from API
<ol>
<li>SSO validates user identity and responds to API</li>
</ol>
</li>
<li>API gets response from SSO
<ol>
<li>API server finds/creates user for associated SSO</li>
<li>API server creates new API token and responds to browser app</li>
</ol>
</li>
<li>Browser app gets API token and possibly puts it in local storage
<ol>
<li>Browser proceeds to use API token to communicate with API server directly</li>
</ol></li>
</ol>
https://dev.arvados.org/issues/4919?journal_id=19708 | 2015-01-07T16:19:36Z | Peter Amstutz (peter.amstutz@curii.com)
<ul><li><strong>Subject</strong> changed from <i>Workbench uses OAuth2 instead of custom login flow</i> to <i>Arvados web apps use OAuth2 instead of custom login flow</i></li></ul>
https://dev.arvados.org/issues/4919?journal_id=19709 | 2015-01-07T16:28:10Z | Peter Amstutz (peter.amstutz@curii.com)
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/19709/diff?detail_id=18772">diff</a>)</li></ul>
https://dev.arvados.org/issues/4919?journal_id=19717 | 2015-01-07T18:13:43Z | Peter Amstutz (peter.amstutz@curii.com)
<p>Also, OAuth2 specifies that the Authorization header using access tokens is "Authorization: Bearer XYZ" (<a class="external" href="https://tools.ietf.org/html/rfc6750">https://tools.ietf.org/html/rfc6750</a>) not "Authorization: OAuth2 XYZ" (which we use now)</p>
https://dev.arvados.org/issues/4919?journal_id=19719 | 2015-01-07T18:19:15Z | Peter Amstutz (peter.amstutz@curii.com)
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/19719/diff?detail_id=18781">diff</a>)</li></ul>
https://dev.arvados.org/issues/4919?journal_id=19720 | 2015-01-07T18:20:19Z | Peter Amstutz (peter.amstutz@curii.com)
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/19720/diff?detail_id=18782">diff</a>)</li></ul>
https://dev.arvados.org/issues/4919?journal_id=19721 | 2015-01-07T18:20:49Z | Peter Amstutz (peter.amstutz@curii.com)
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/19721/diff?detail_id=18783">diff</a>)</li></ul>
https://dev.arvados.org/issues/4919?journal_id=20228 | 2015-01-20T19:34:11Z | Tom Clegg (tom@curii.com)
<ul><li><strong>Subject</strong> changed from <i>Arvados web apps use OAuth2 instead of custom login flow</i> to <i>[API] Arvados clients can use standard OAuth2 protocol instead of custom token handling mechanism</i></li><li><strong>Story points</strong> set to <i>2.0</i></li></ul>
https://dev.arvados.org/issues/4919?journal_id=20229 | 2015-01-20T19:34:33Z | Tom Clegg (tom@curii.com)
<ul><li><strong>Target version</strong> set to <i>Arvados Future Sprints</i></li></ul>
https://dev.arvados.org/issues/4919?journal_id=95076 | 2021-07-07T18:31:05Z | Ward Vandewege (ward@curii.com)
<ul><li><strong>Target version</strong> deleted (<del><i>Arvados Future Sprints</i></del>)</li></ul>
https://dev.arvados.org/issues/4919?journal_id=112316 | 2023-02-14T22:25:02Z | Peter Amstutz (peter.amstutz@curii.com)
<ul><li><strong>Release</strong> set to <i>60</i></li></ul>
https://dev.arvados.org/issues/4919?journal_id=123666 | 2024-03-01T21:16:36Z | Peter Amstutz (peter.amstutz@curii.com)
<ul><li><strong>Target version</strong> set to <i>Future</i></li></ul>
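The authorization-code exchange proposed in the two flows above (SSO issues a code, the API server validates it with SSO and mints its own API token), as an added example that is not part of the thread and not Arvados code. `SsoServer`, `ApiServer`, the 60-second lifetime and the binding of each code to a client id are assumptions of this example, following the general OAuth2 rules that authorization codes are short-lived, single-use and bound to the client they were issued to.

```ruby
require "securerandom"

# Hypothetical stand-in for the SSO server: issues and validates authorization codes.
class SsoServer
  CODE_TTL = 60 # seconds; constructed value for this example

  def initialize
    @codes = {}
  end

  # Flow step 2: after sign-in, hand back a short-lived code bound to one client.
  def issue_code(user_email, client_id, now: Time.now)
    code = SecureRandom.urlsafe_base64(24)
    @codes[code] = { email: user_email, client_id: client_id, expires: now + CODE_TTL }
    code
  end

  # Flow step 5: validate the code for the API server.
  # Deleting the entry before any check makes every code single-use, even on failure.
  def validate_code(code, client_id, now: Time.now)
    entry = @codes.delete(code)
    return nil if entry.nil? || entry[:client_id] != client_id || now > entry[:expires]
    { email: entry[:email] }
  end
end

# Hypothetical stand-in for the API server: trades a validated code for its own API token.
class ApiServer
  def initialize(sso, client_id)
    @sso = sso
    @client_id = client_id
    @users = {}
    @tokens = {}
  end

  # Flow steps 4 and 6: validate with SSO, find/create the user, mint a new API token.
  def login(code)
    identity = @sso.validate_code(code, @client_id)
    return nil unless identity
    user = (@users[identity[:email]] ||= { email: identity[:email] })
    token = SecureRandom.hex(32)
    @tokens[token] = user
    token
  end

  def user_for(token)
    @tokens[token]
  end
end
```

The client (Workbench or a browser app) only ever holds the authorization code briefly and the API token afterwards; a replayed, expired or foreign-client code yields no token.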
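Server-side parsing of the header discussed in the comment of 2015-01-07T18:13:43Z, as an added example that is not part of the thread and not Arvados code. It accepts the RFC 6750 `Bearer` scheme and, as an assumption for a migration period, the `OAuth2` scheme the comment says is in use, and reports which one was seen; `parse_authorization` and `B64TOKEN` are hypothetical names.

```ruby
# Token syntax from RFC 6750 section 2.1 (b64token).
B64TOKEN = %r{\A[A-Za-z0-9\-._~+/]+=*\z}

# Returns [token, legacy] for an accepted header value, or nil otherwise.
# legacy is true when the non-standard "OAuth2" scheme was used, so the
# server can log it and track clients that still need to migrate.
def parse_authorization(header)
  return nil unless header.is_a?(String)
  scheme, credentials = header.strip.split(/ +/, 2)
  return nil if credentials.nil?

  # HTTP authentication scheme names are case-insensitive.
  legacy = case scheme.downcase
           when "bearer" then false
           when "oauth2" then true # assumption: still accepted during migration
           else return nil
           end

  # Reject anything that is not a single well-formed token (embedded
  # spaces, control characters, extra parameters).
  return nil unless credentials.match?(B64TOKEN)
  [credentials, legacy]
end
```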