Idea #12995
Updated by Lucas Di Pentima about 6 years ago
* As I understood, the basic idea is to make a self-served version of what’s described on: https://doc.arvados.org/admin/change-account-owner.html
* The user being logged in with the old google account presses a button named something like “Link to a different login account”, maybe from the “Manage profile” section at workbench
* The user is then sent into a login flow with a different @?return_to=@ url param, used to indicate to workbench that the operation is about changing login accounts.
** (Maybe instead of sending the user to the API’s @/login@ url, we would need a different endpoint?
* SSO related stuff should return the @identity_url@
* Somewhere in between there’s a user lookup or creation using the identity_url. This should be replaced and instead the @identity_url@ be passed to workbench, maybe as part of the @return_to@ url
* Workbench checks there’s an existing account with that @identity_url@ (is that an operation allowed by a normal user?)
** If yes but inactive, hijack the @identity_url@ and email address
** If yes, but active: ask the user
** If no: replace the current one with the new one.
* Affected modules:
** Workbench
** API
** (maybe?) SSO