Workbench authentication process » History » Version 14
Peter Amstutz, 11/17/2014 08:14 PM
1 | 1 | Peter Amstutz | h1. Workbench authentication process |
---|---|---|---|
2 | |||
3 | 12 | Peter Amstutz | # In workbench, when the user goes to a page, it checks for a session or @?api_token=xxx@ in the URL for the API token. If no API token is found, the user is directed to the workbench "welcome" page. |
4 | # In workbench, the "welcome" page has a "log in" button that directs the user to the API server login URL, with a @?return_to=xxx@ link embedded in the URL. |
||
5 | # In API server, the 'login' endpoint goes to @UserSessionsController#login@ in the API server. This redirects to @/auth/joshid?return_to=xxx@ |
||
6 | # In API server, @/auth/joshid@ is intercepted by the "OmniAuth":https://github.com/intridea/omniauth Rack middleware and invokes the @josh_id@ OmniAuth strategy. |
||
7 | 11 | Peter Amstutz | ## The @josh_id@ OmniAuth strategy is implemented in @arvados/services/api/lib/josh_id.rb@ and is a subclass of @OmniAuth::Strategies::OAuth2@ |
8 | 12 | Peter Amstutz | ## OmniAuth starts the "request_phase" of @OmniAuth::Strategies::OAuth2@. This redirects to @#{options[:custom_provider_url]}/auth/josh_id/authorize@ using CUSTOM_PROVIDER_URL defined in @arvados/services/api/config/initializers/omniauth.rb@ |
9 | 14 | Peter Amstutz | # In sso-provider, @/auth/josh_id/authorize@ is routed to @AuthController#authorize@, and is intercepted by @before_filter :authenticate_user!@ (part of the "devise gem":https://github.com/plataformatec/devise) |
10 | 10 | Peter Amstutz | ## @devise :omniauthable, :omniauth_providers => [:google]@ configures @sso-provider/app/models/user.rb@ |
11 | ## @authenticate_user!@ is not explicitly defined but instead monkey patched into the controller in @devise/lib/devise/controllers/helper.rb@ |
||
12 | ## @authenticate_user!@ calls @warden.authenticate!@ (@warden/lib/warden/proxy.rb@) with a scope of @:user@ ("warden":https://github.com/hassox/warden is another Rack-based authentication gem) |
||
13 | 1 | Peter Amstutz | ## Warden proxy tries the TokenAuthenticatable and DatabaseAuthenticatable strategies, but these strategies fail and it raises a :warden exception. This causes it to call @failure_app@ which is set up in @devise/lib/devise.rb@ to be @Devise::Delegator.new@ |
14 | 14 | Peter Amstutz | ## This calls @devise/lib/devise/failure_app.rb@ which saves the attempted path in the session ("user_return_to") using @store_location!@, then redirects to @new_user_session_path@ (@/users/sign_in@) |
15 | # In sso-provider @/users/sign_in@ routes to the SSO @SessionsController#new@ which subclasses @Devise::SessionsController@ |
||
16 | ## @SessionsController#new@ redirects to @/users/auth/google@ |
||
17 | 13 | Peter Amstutz | # In sso-provider, OmniAuth intercepts @/users/auth/google@ |
18 | ## OmniAuth is configured with a path prefix of @/users/auth@ by devise |
||
19 | 1 | Peter Amstutz | ## @sso-provider/config/initializers/devise.rb@ configures a @:open_id@ omniauth strategy named of 'google' |
20 | ## This enters the request phase at @omniauth-open-id/lib/omniauth/strategies/open_id.rb@ |
||
21 | ## This creates a rack layer with @Rack::OpenID.new@ (the @rack-openid@ gem) executes it with @call@ |
||
22 | ## The Rack layer passes through the request to the underlying @@app@ and checks for a 401 response code, if so it calls @begin_authentication@ |
||
23 | 14 | Peter Amstutz | ## @begin_authentication@ constructs an @::OpenID::Consumer@ object and calls redirects to @open_id_redirect_url@, which finally takes us to a Google login page (after some redirects within Google). |
24 | # Google redirects to the sso-server at @/users/auth/google/callback@ after a successful login (after more redirects within Google) |
||
25 | # In sso-provider, Omniauth intercepts this and calls @callback_phase@ in omniauth-openid |
||
26 | ## The callback phase calls @openid_response@ |
||
27 | ## @openid_response@ creates a rack layer with @Rack::OpenID.new@ (the @rack-openid@ gem) executes it with @call@. This provisions the Rack environment with info from the OpenID callback. |
||
28 | ## Request handling continues to sso-provider where it routes to @Users::OmniauthCallbacksController#google@ |
||
29 | ## This calls @find_for_open_id@ on the @User@ model which finds a user record with a matching identity url, or creates and saves a new user record with the identity url. |
||
30 | ## The @google@ callback also saves the first_name and last_name of the user. |
||
31 | ## This calls @sign_in_and_redirect@ defined in @devise/lib/devise/controllers/helpers.rb@ |
||
32 | ## This calls set_user in Warden, which uses @Warden::SessionSerializer@ to save the user associated with the session |
||
33 | ## This redirects to @stored_location_for@ which returns the value of @user_return_to@ in the session, which is @/auth/josh_id/authorize@ from step 5. |
||
34 | # |
||
35 | 1 | Peter Amstutz | |
36 | h2. Questions |
||
37 | |||
38 | * What is workbench's "secret_token" for? |