Posted to issues@airavata.apache.org by "Marcus Christie (Jira)" <ji...@apache.org> on 2020/09/01 19:25:00 UTC

[jira] [Commented] (AIRAVATA-3319) Handle missing name and email attributes from CILogon

    [ https://issues.apache.org/jira/browse/AIRAVATA-3319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17188769#comment-17188769 ] 

Marcus Christie commented on AIRAVATA-3319:
-------------------------------------------

I asked another question about testing. Looks like testing with the GitHub IdP will allow testing many of the scenarios:

{quote}
For such testing, I use GitHub, which does not provide ePPN, ePTID, first name, or last name. It does release display name (= the "name" claim). 

-Terry
On 2020-08-31 4:15 PM, Christie, Marcus Aaron wrote:
Thanks Terry. Another question, do you have any advice on testing with an IdP that doesn't provide one or more of these attributes (ePPN, ePTID, email, first name or last name)? For example, do you know of an IdP where I could create a test account that restricts these attributes?

Thanks,

Marcus
{quote}


> Handle missing name and email attributes from CILogon
> -----------------------------------------------------
>
>                 Key: AIRAVATA-3319
>                 URL: https://issues.apache.org/jira/browse/AIRAVATA-3319
>             Project: Airavata
>          Issue Type: New Feature
>          Components: Django Portal
>            Reporter: Marcus Christie
>            Assignee: Marcus Christie
>            Priority: Major
>
> {quote}
> tl;dr: CILogon will no longer require Identity Providers (IdPs) to assert email addresses and names for new users of OAuth2/OIDC (OpenID Connect) clients.
> {quote}
> [https://groups.google.com/a/cilogon.org/forum/#!topic/outages/kksaYVrW1Io]
> This issue is to design a user authentication flow that handles missing attributes and prompts the user to supply them as necessary.
> h2. Questions
> - [ ] Will we always get a {{preferred_username}} attribute? Question for CILogon team
> - [ ] what will Keycloak do if any of these attributes are missing?
> - [ ] can we set up a test setup where CILogon doesn't return email/firstName/lastName?
> h2. TODO
> - [ ] proxy Django User model and store the Keycloak/CILogon 'sub' attribute as the primary identifier for users
> h2. Design
> h3. User doesn't have first name and/or last name attributes
> - callback handles user authentication
> - fetch userinfo and check for missing attributes
> - note that first and/or last name are missing
> - disable user in Keycloak
> - (?) Question: log the user in with a flag that profile is not complete? Or don't log the user in and put the user information somewhere in the session?
> -- I think, log the user in but set a session flag that the profile is not complete. In workspace/signals.py and in the UI, use this to prevent API calls and to prevent the user from seeing UIs that they can't yet interact with.
> - redirect user to web form with profile information filled in
> -- email
> -- email again
> -- first name (if available)
> -- last name (if available)
> - user submits form
> - validate form
> - if form is valid and all required information is supplied, then ...
> -- update the user record in Keycloak
> -- enable the user
> h3. User doesn't have email attribute
> Similar flow to above except
> - send the user an email verification link if the profile is complete and the email address has been supplied
> -- more generally, if the user updates their profile information and the email changes, need to re-verify the email address
> - when the email verification link is clicked, re-check that the profile is complete
> - if profile is complete, update the user record and enable the user
> - otherwise kick the user to the profile form and require the missing profile attributes
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
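
The flow described in the issue's Design section, as an added example that is not Airavata's code. The Keycloak admin client, the Django session and the outgoing verification email are replaced by in-memory fakes so the control flow runs offline; the OIDC claim names `given_name`, `family_name`, `email` and `sub` are the standard ones and are an assumption about what CILogon releases. The sample userinfo mimics what the GitHub IdP releases per Terry's note above (display name only) and is constructed.

```python
"""Incomplete-profile login flow: disable the account, flag the session,
collect missing attributes, verify a new email, then enable."""
import secrets

# Attributes the portal needs before the user may use the workspace.
REQUIRED = ("given_name", "family_name", "email")


class FakeKeycloakAdmin:
    """Stand-in for the Keycloak admin API (fake, not the real client)."""

    def __init__(self):
        self.users = {}  # keyed by the Keycloak/CILogon 'sub', per the TODO

    def upsert(self, sub, **attrs):
        user = self.users.setdefault(sub, {"enabled": True, "attrs": {}})
        user["attrs"].update({k: v for k, v in attrs.items() if v})

    def set_enabled(self, sub, enabled):
        self.users[sub]["enabled"] = enabled

    def is_enabled(self, sub):
        return self.users[sub]["enabled"]


def missing_attributes(claims):
    return [c for c in REQUIRED if not claims.get(c)]


def api_allowed(session):
    """The check workspace/signals.py and the UI would make before an API call."""
    return "user_sub" in session and not session.get("profile_incomplete", True)


def handle_callback(userinfo, keycloak, session):
    """OIDC callback: log the user in, and when name/email are missing disable
    the Keycloak account, flag the session and redirect to the profile form."""
    sub = userinfo["sub"]
    keycloak.upsert(sub, **{c: userinfo.get(c, "") for c in REQUIRED})
    session["user_sub"] = sub
    missing = missing_attributes(userinfo)
    if not missing:
        session["profile_incomplete"] = False
        return {"redirect": "/workspace/"}
    keycloak.set_enabled(sub, False)
    session["profile_incomplete"] = True
    session["missing"] = missing
    # Pre-fill the form with whatever the IdP did release.
    return {"redirect": "/profile/complete/",
            "prefill": {c: userinfo.get(c, "") for c in REQUIRED}}


def validate_profile_form(form):
    errors = {}
    for c in REQUIRED:
        if not form.get(c, "").strip():
            errors[c] = "required"
    if "email" not in errors and form.get("email") != form.get("email_again"):
        errors["email_again"] = "does not match email"
    return errors


def _enable(sub, keycloak, session):
    keycloak.set_enabled(sub, True)
    session["profile_incomplete"] = False
    session.pop("missing", None)
    return {"ok": True, "state": "enabled"}


def submit_profile(form, keycloak, session, send_verification=None):
    """Profile form POST. A new or changed email must be verified before the
    account is enabled; an unchanged email enables it immediately."""
    errors = validate_profile_form(form)
    if errors:
        return {"ok": False, "errors": errors}
    sub = session["user_sub"]
    email = form["email"].strip()
    email_changed = email != keycloak.users[sub]["attrs"].get("email")
    keycloak.upsert(sub, **{c: form[c].strip() for c in REQUIRED})
    if not email_changed:
        return _enable(sub, keycloak, session)
    token = secrets.token_urlsafe(32)
    # Simplification: a real portal stores the token server-side keyed by sub.
    session["pending_email_token"] = token
    if send_verification:
        send_verification(email, token)
    return {"ok": True, "state": "verification_sent"}


def verify_email(token, keycloak, session):
    """Verification link clicked: re-check that the profile is complete,
    then enable; otherwise send the user back to the profile form."""
    expected = session.get("pending_email_token")
    if not expected or not secrets.compare_digest(token, expected):
        return {"ok": False, "state": "bad_token"}
    sub = session["user_sub"]
    missing = missing_attributes(keycloak.users[sub]["attrs"])
    if missing:
        return {"ok": False, "state": "profile_incomplete", "missing": missing}
    session.pop("pending_email_token")
    return _enable(sub, keycloak, session)


# Constructed userinfo resembling the GitHub IdP via CILogon: display name only.
GITHUB_USERINFO = {"sub": "http://cilogon.org/serverT/users/constructed-42",
                   "name": "Ada Example", "preferred_username": "ada@github"}

if __name__ == "__main__":
    kc, session, sent = FakeKeycloakAdmin(), {}, []
    print(handle_callback(GITHUB_USERINFO, kc, session))
    print(submit_profile({"given_name": "Ada", "family_name": "Example",
                          "email": "ada@example.org", "email_again": "ada@example.org"},
                         kc, session, send_verification=lambda e, t: sent.append(t)))
    print(verify_email(sent[0], kc, session))
```

The account stays disabled in Keycloak until both the form is complete and any newly supplied email has been verified, and `api_allowed` is what the workspace code would consult so a logged-in but incomplete user cannot reach the API in the meantime.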