Project

General

Profile

Actions

Workbench authentication process » History » Revision 8

« Previous | Revision 8/26 (diff) | Next »
Peter Amstutz, 11/15/2014 02:39 PM


Workbench authentication process

  1. When the user goes to workbench, it checks for a session or ?api_token=xxx in the URL for the API token. If no API token is found, the user is directed to the workbench "welcome" page.
  2. The "welcome" page has a "log in" button that directs the user to the API server login URL, with a ?return_to=xxx link embedded in the URL.
  3. The 'login' endpoint goes to UserSessionsController#login in the API server. This redirects to /auth/joshid?return_to=xxx
  4. /auth/joshid is intercepted by the OmniAuth Rack middleware and invokes the josh_id OmniAuth strategy.
    • The josh_id OmniAuth strategy is implemented in arvados/services/api/lib/josh_id.rb and is a subclass of OmniAuth::Strategies::OAuth2
  5. OmniAuth starts the "request_phase" of OmniAuth::Strategies::OAuth2. This redirects to #{options[:custom_provider_url]}/auth/josh_id/authorize using CUSTOM_PROVIDER_URL defined in arvados/services/api/config/initializers/omniauth.rb
  6. In the sso-provider, /auth/josh_id is routed to AuthController#authorize, and is intercepted by before_filter :authenticate_user! (part of the devise gem)
    • devise is configured at sso-provider/config/initializers/devise.rb
    • authenticate_user! is not explicitly defined but instead monkey patched into the controller in devise/lib/devise/controllers/helper.rb
    • authenticate_user! calls warden.authenticate! with a scope of :user where warden is yet another Rack authentication gem
    • devise :omniauthable, :omniauth_providers => [:google] configures sso-provider/app/models/user.rb
  7. AuthController#authorize creates an AccessGrant

Questions

  • What is workbench's "secret_token" for?

Updated by Peter Amstutz about 10 years ago · 26 revisions