Workbench authentication process » History » Revision 2
Revision 1 (Peter Amstutz, 11/14/2014 09:29 PM) → Revision 2/26 (Peter Amstutz, 11/14/2014 10:12 PM)
h1. Workbench authentication process # When the user goes to workbench, it checks for a session cookie or @?api_token=xxx@ on the URL to get the API token. If no API token is found, the user is directed to the workbench "welcome" page. # The "welcome" page has a "log in" button that directs the user to the API server login URL, with a @?return_to=xxx@ link embedded in the URL. # The 'login' endpoint goes to @UserSessionsController#login@ in the API server. This redirects to @/auth/joshid?return_to=xxx@ # @/auth/joshid@ is intercepted by the OmniAuth Rack middleware and invokes the @josh_id@ @joshid@ OmniAuth strategy. ** # The @josh_id@ OmniAuth strategy is implemented in @arvados/services/api/lib/josh_id.rb@ and is a subclass of @OmniAuth::Strategies::OAuth2@ # OmniAuth starts the "request_phase" of @OmniAuth::Strategies::OAuth2@. This redirects to @#{options[:custom_provider_url]}/auth/josh_id/authorize@ using CUSTOM_PROVIDER_URL defined in @@arvados/services/api/config/initializers/omniauth.rb@ h2. Questions * What is workbench's "secret_token" for?