Project

General

Profile

Workbench authentication process » History » Version 1

Peter Amstutz, 11/14/2014 09:29 PM

1 1 Peter Amstutz
h1. Workbench authentication process
2
3
# When the user goes to workbench, it checks for a session cookie or @?api_token=xxx@ on the URL to get the API token.  If no API token is found, the user is directed to the workbench "welcome" page.
4
# The "welcome" page has a "log in" button that directs the user to the API server login URL, with a @?return_to=xxx@ link embedded in the URL.
5
# The 'login' endpoint goes to @UserSessionsController#login@ in the API server.  This redirects to @/auth/joshid?return_to=xxx@
6
# @/auth/joshid@ is intercepted by the OmniAuth Rack middleware and invokes the @joshid@ OmniAuth strategy.
7
# The @josh_id@ OmniAuth strategy is implemented in @arvados/services/api/lib/josh_id.rb@ and is a subclass of @OmniAuth::Strategies::OAuth2@
8
# 
9
10
h2. Questions
11
12
* What is workbench's "secret_token" for?