Project

General

Profile

Workbench authentication process » History » Revision 9

Revision 8 (Peter Amstutz, 11/15/2014 02:39 PM) → Revision 9/26 (Peter Amstutz, 11/15/2014 02:39 PM)

h1. Workbench authentication process 

 # When the user goes to workbench, it checks for a session or @?api_token=xxx@ in the URL for the API token.    If no API token is found, the user is directed to the workbench "welcome" page. 
 # The "welcome" page has a "log in" button that directs the user to the API server login URL, with a @?return_to=xxx@ link embedded in the URL. 
 # The 'login' endpoint goes to @UserSessionsController#login@ in the API server.    This redirects to @/auth/joshid?return_to=xxx@ 
 # @/auth/joshid@ is intercepted by the "OmniAuth":https://github.com/intridea/omniauth Rack middleware and invokes the @josh_id@ OmniAuth strategy. 
 ** The @josh_id@ OmniAuth strategy is implemented in @arvados/services/api/lib/josh_id.rb@ and is a subclass of @OmniAuth::Strategies::OAuth2@ 
 # OmniAuth starts the "request_phase" of @OmniAuth::Strategies::OAuth2@.    This redirects to @#{options[:custom_provider_url]}/auth/josh_id/authorize@ using CUSTOM_PROVIDER_URL defined in @arvados/services/api/config/initializers/omniauth.rb@ 
 # In the sso-provider, @/auth/josh_id@ is routed to @AuthController#authorize@, and is intercepted by @before_filter :authenticate_user!@ (part of the "devise gem":https://github.com/plataformatec/devise) 
 ** devise is configured at @sso-provider/config/initializers/devise.rb@ 
 ** @authenticate_user!@ is not explicitly defined but instead monkey patched into the controller in @devise/lib/devise/controllers/helper.rb@ 
 ** @authenticate_user!@ calls @warden.authenticate!@ with a scope of @:user@ ("warden":https://github.com/hassox/warden where "warden":https://github.com/hassox/warden is yet another Rack-based Rack authentication gem) gem 
 ** @devise :omniauthable, :omniauth_providers => [:google]@ configures @sso-provider/app/models/user.rb@ 
 # @AuthController#authorize@ creates an AccessGrant 

 h2. Questions 

 * What is workbench's "secret_token" for?