Project

General

Profile

Workbench authentication process » History » Version 13

Peter Amstutz, 11/17/2014 07:24 PM

1 1 Peter Amstutz
h1. Workbench authentication process
2
3 12 Peter Amstutz
# In workbench, when the user goes to a page, it checks for a session or @?api_token=xxx@ in the URL for the API token.  If no API token is found, the user is directed to the workbench "welcome" page.
4
# In workbench, the "welcome" page has a "log in" button that directs the user to the API server login URL, with a @?return_to=xxx@ link embedded in the URL.
5
# In API server, the 'login' endpoint goes to @UserSessionsController#login@ in the API server.  This redirects to @/auth/joshid?return_to=xxx@
6
# In API server, @/auth/joshid@ is intercepted by the "OmniAuth":https://github.com/intridea/omniauth Rack middleware and invokes the @josh_id@ OmniAuth strategy.
7 11 Peter Amstutz
## The @josh_id@ OmniAuth strategy is implemented in @arvados/services/api/lib/josh_id.rb@ and is a subclass of @OmniAuth::Strategies::OAuth2@
8 12 Peter Amstutz
## OmniAuth starts the "request_phase" of @OmniAuth::Strategies::OAuth2@.  This redirects to @#{options[:custom_provider_url]}/auth/josh_id/authorize@ using CUSTOM_PROVIDER_URL defined in @arvados/services/api/config/initializers/omniauth.rb@
9
# In sso-provider, @/auth/josh_id@ is routed to @AuthController#authorize@, and is intercepted by @before_filter :authenticate_user!@ (part of the "devise gem":https://github.com/plataformatec/devise)
10 10 Peter Amstutz
## @devise :omniauthable, :omniauth_providers => [:google]@ configures @sso-provider/app/models/user.rb@
11
## @authenticate_user!@ is not explicitly defined but instead monkey patched into the controller in @devise/lib/devise/controllers/helper.rb@
12
## @authenticate_user!@ calls @warden.authenticate!@ (@warden/lib/warden/proxy.rb@) with a scope of @:user@ ("warden":https://github.com/hassox/warden is another Rack-based authentication gem)
13
## Warden proxy tries the TokenAuthenticatable and DatabaseAuthenticatable strategies, but these strategies fail and it raises a :warden exception.  This causes it to call @failure_app@ which is set up in @devise/lib/devise.rb@ to be @Devise::Delegator.new@ 
14
## This maps to @devise/lib/devise/failure_app.rb@ which redirects to the new_user_session_path @/users/sign_in@ which routes to the SSO @SessionsController#new@ which subclasses @Devise::SessionsController@
15 1 Peter Amstutz
# In sso-provider, @SessionsController#new@ redirects to @/users/auth/google@
16 13 Peter Amstutz
# In sso-provider, OmniAuth intercepts @/users/auth/google@ 
17
## OmniAuth is configured with a path prefix of @/users/auth@ by devise 
18
## @sso-provider/config/initializers/devise.rb@ configures a @:open_id@ omniauth strategy named of 'google'
19
## This enters the request phase at @omniauth-open-id/lib/omniauth/strategies/open_id.rb@
20
## This creates a rack layer with @Rack::OpenID.new@ (the @rack-openid@ gem) executes it with @call@
21
## The Rack layer passes through the request to the underlying @@app@ and checks for a 401 response code, if so it calls @begin_authentication@
22
## @begin_authentication@ constructs an @::OpenID::Consumer@ object and calls redirects to @open_id_redirect_url@
23 1 Peter Amstutz
24
h2. Questions
25
26
* What is workbench's "secret_token" for?