Workbench authentication process » History » Revision 13

« Previous | Revision 13/26 (diff) | Next »
Peter Amstutz, 11/17/2014 07:24 PM

Workbench authentication process

  1. In workbench, when the user goes to a page, it checks for a session or ?api_token=xxx in the URL for the API token. If no API token is found, the user is directed to the workbench "welcome" page.
  2. In workbench, the "welcome" page has a "log in" button that directs the user to the API server login URL, with a ?return_to=xxx link embedded in the URL.
  3. In API server, the 'login' endpoint goes to UserSessionsController#login in the API server. This redirects to /auth/joshid?return_to=xxx
  4. In API server, /auth/joshid is intercepted by the OmniAuth Rack middleware and invokes the josh_id OmniAuth strategy.
    1. The josh_id OmniAuth strategy is implemented in arvados/services/api/lib/josh_id.rb and is a subclass of OmniAuth::Strategies::OAuth2
    2. OmniAuth starts the "request_phase" of OmniAuth::Strategies::OAuth2. This redirects to #{options[:custom_provider_url]}/auth/josh_id/authorize using CUSTOM_PROVIDER_URL defined in arvados/services/api/config/initializers/omniauth.rb
  5. In sso-provider, /auth/josh_id is routed to AuthController#authorize, and is intercepted by before_filter :authenticate_user! (part of the devise gem)
    1. devise :omniauthable, :omniauth_providers => [:google] configures sso-provider/app/models/user.rb
    2. authenticate_user! is not explicitly defined but instead monkey patched into the controller in devise/lib/devise/controllers/helper.rb
    3. authenticate_user! calls warden.authenticate! (warden/lib/warden/proxy.rb) with a scope of :user (warden is another Rack-based authentication gem)
    4. Warden proxy tries the TokenAuthenticatable and DatabaseAuthenticatable strategies, but these strategies fail and it raises a :warden exception. This causes it to call failure_app which is set up in devise/lib/devise.rb to be
    5. This maps to devise/lib/devise/failure_app.rb which redirects to the new_user_session_path /users/sign_in which routes to the SSO SessionsController#new which subclasses Devise::SessionsController
  6. In sso-provider, SessionsController#new redirects to /users/auth/google
  7. In sso-provider, OmniAuth intercepts /users/auth/google
    1. OmniAuth is configured with a path prefix of /users/auth by devise
    2. sso-provider/config/initializers/devise.rb configures a :open_id omniauth strategy named of 'google'
    3. This enters the request phase at omniauth-open-id/lib/omniauth/strategies/open_id.rb
    4. This creates a rack layer with (the rack-openid gem) executes it with call
    5. The Rack layer passes through the request to the underlying @app and checks for a 401 response code, if so it calls begin_authentication
    6. begin_authentication constructs an ::OpenID::Consumer object and calls redirects to open_id_redirect_url


  • What is workbench's "secret_token" for?

Updated by Peter Amstutz over 9 years ago · 13 revisions