Posted to issues@airavata.apache.org by "Marcus Christie (Jira)" <ji...@apache.org> on 2020/09/02 14:40:00 UTC

[jira] [Updated] (AIRAVATA-3319) Handle missing name and email attributes from CILogon

     [ https://issues.apache.org/jira/browse/AIRAVATA-3319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcus Christie updated AIRAVATA-3319:
--------------------------------------
    Description: 
{quote}
tl;dr: CILogon will no longer require Identity Providers (IdPs) to assert email addresses and names for new users of OAuth2/OIDC (OpenID Connect) clients.
{quote}

[https://groups.google.com/a/cilogon.org/forum/#!topic/outages/kksaYVrW1Io]

This issue is to design a user authentication flow that handles missing attributes and prompts the user to supply them as necessary.

h2. Questions
- [x] Will we always get a {{preferred_username}} attribute? Question for CILogon team
  - CILogon will always return a {{sub}} claim and this is the main identifier. CILogon doesn't appear to return a {{preferred_username}} claim. Keycloak uses {{email}} for {{preferred_username}}, if available, and {{sub}} if not.
- [ ] what will Keycloak do if any of these attributes are missing?
- [ ] can we set up a test setup where CILogon doesn't return email/firstName/lastName?

h2. TODO
- [ ] proxy Django User model and store the Keycloak/CILogon 'sub' attribute as the primary identifier for users

h2. Design

h3. User doesn't have first name and/or last name attributes

- callback handles user authentication
- fetch userinfo and check for missing attributes
- note that first and/or last name are missing
- disable user in Keycloak
- (?) Question: log the user in with a flag that profile is not complete? Or don't log the user in and put the user information somewhere in the session?
-- I think, log the user in but set a session flag that the profile is not complete. In workspace/signals.py and in the UI, use this to prevent API calls and to prevent the user from seeing UIs that they can't yet interact with.
- redirect user to web form with profile information filled in
-- email
-- email again
-- first name (if available)
-- last name (if available)
- user submits form
- validate form
- if form is valid and all required information is supplied, then ...
-- update the user record in Keycloak
-- enable the user

h3. User doesn't have email attribute

Similar flow to above except
- send the user an email verification link if the profile is complete and the email address has been supplied
-- more generally, if the user updates their profile information and the email changes, need to re-verify the email address
- when the email verification link is clicked, re-check that the profile is complete
- if profile is complete, update the user record and enable the user
- otherwise kick the user to the profile form and require the missing profile attributes

  was:
{quote}
tl;dr: CILogon will no longer require Identity Providers (IdPs) to assert email addresses and names for new users of OAuth2/OIDC (OpenID Connect) clients.
{quote}

[https://groups.google.com/a/cilogon.org/forum/#!topic/outages/kksaYVrW1Io]

This issue is to design a user authentication flow that handles missing attributes and prompts the user to supply them as necessary.

h2. Questions
- [ ] Will we always get a {{preferred_username}} attribute? Question for CILogon team
- [ ] what will Keycloak do if any of these attributes are missing?
- [ ] can we set up a test setup where CILogon doesn't return email/firstName/lastName?

h2. TODO
- [ ] proxy Django User model and store the Keycloak/CILogon 'sub' attribute as the primary identifier for users

h2. Design

h3. User doesn't have first name and/or last name attributes

- callback handles user authentication
- fetch userinfo and check for missing attributes
- note that first and/or last name are missing
- disable user in Keycloak
- (?) Question: log the user in with a flag that profile is not complete? Or don't log the user in and put the user information somewhere in the session?
-- I think, log the user in but set a session flag that the profile is not complete. In workspace/signals.py and in the UI, use this to prevent API calls and to prevent the user from seeing UIs that they can't yet interact with.
- redirect user to web form with profile information filled in
-- email
-- email again
-- first name (if available)
-- last name (if available)
- user submits form
- validate form
- if form is valid and all required information is supplied, then ...
-- update the user record in Keycloak
-- enable the user

h3. User doesn't have email attribute

Similar flow to above except
- send the user an email verification link if the profile is complete and the email address has been supplied
-- more generally, if the user updates their profile information and the email changes, need to re-verify the email address
- when the email verification link is clicked, re-check that the profile is complete
- if profile is complete, update the user record and enable the user
- otherwise kick the user to the profile form and require the missing profile attributes

> Handle missing name and email attributes from CILogon
> -----------------------------------------------------
>
>                 Key: AIRAVATA-3319
>                 URL: https://issues.apache.org/jira/browse/AIRAVATA-3319
>             Project: Airavata
>          Issue Type: New Feature
>          Components: Django Portal
>            Reporter: Marcus Christie
>            Assignee: Marcus Christie
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
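The two Design flows in the issue, modelled end to end as an added example (this is not Airavata's code and not part of the issue text): the callback inspects userinfo for email, given_name and family_name (standard OIDC claim names, assumed here as the source of email/firstName/lastName), disables the Keycloak user and flags the session when any are missing, validates the profile form server-side, and gates enabling the account on a signed email-verification link whenever the address is new, never verified, or changed. FakeKeycloakAdmin, the session dict, the outbox list, api_allowed (standing in for the workspace/signals.py gate) and the HMAC token format are all assumptions made for the demo; a real deployment would also give tokens an expiry and make them single-use.

```python
# Added example, not Airavata's own code: a framework-free model of the login flow sketched
# in this issue. FakeKeycloakAdmin, the session dict, the outbox and the token format are assumptions.
import hashlib, hmac, secrets

# OIDC userinfo claim -> local profile field (the claim names are an assumption).
CLAIM_TO_FIELD = {"email": "email", "given_name": "first_name", "family_name": "last_name"}
REQUIRED = ("email", "first_name", "last_name")
SECRET = secrets.token_bytes(32)  # demo-only key for signing email verification links

def missing_attributes(data, keys=REQUIRED):
    return [k for k in keys if not (data.get(k) or "").strip()]  # absent or blank values

def preferred_username(userinfo):  # per the issue: Keycloak uses email if present, else sub
    return userinfo.get("email") or userinfo["sub"]

class FakeKeycloakAdmin:  # in-memory stand-in for the Keycloak admin API, keyed by 'sub'
    def __init__(self):
        self.users = {}
    def upsert(self, sub, **attrs):
        self.users.setdefault(sub, {"enabled": True, "email_verified": False}).update(attrs)
    def set_enabled(self, sub, enabled):
        self.users[sub]["enabled"] = enabled
    def get(self, sub):
        return self.users.get(sub)

def handle_callback(userinfo, keycloak, session):  # OIDC callback after CILogon login
    sub = userinfo["sub"]
    profile = {f: (userinfo.get(c) or "").strip() for c, f in CLAIM_TO_FIELD.items()}
    # Assumption: an email asserted by the IdP counts as verified; a missing one does not.
    keycloak.upsert(sub, username=preferred_username(userinfo),
                    email_verified=bool(profile["email"]), **profile)
    session["user_sub"] = sub
    missing = missing_attributes(profile)
    if missing:
        # Logged in, but Keycloak account disabled and session flagged so UI/API refuse work.
        keycloak.set_enabled(sub, False)
        session.update(profile_incomplete=True, missing_attributes=missing)
        return "redirect:/profile"
    session["profile_incomplete"] = False
    return "redirect:/workspace"

def api_allowed(session):  # the check a signals.py / middleware gate would run per request
    return bool(session.get("user_sub")) and not session.get("profile_incomplete", False)

def validate_profile_form(form):  # server-side: names required, email well-formed and confirmed
    errors = {f: "required" for f in ("first_name", "last_name") if not form.get(f, "").strip()}
    email = form.get("email", "").strip().lower()
    if "@" not in email.strip("@"):  # empty, no '@', or '@' only at either end
        errors["email"] = "invalid"
    elif email != form.get("email_confirm", "").strip().lower():
        errors["email_confirm"] = "does not match"
    return errors

def make_token(sub, email):  # HMAC-signed link payload (demo: no expiry or single-use tracking)
    msg = f"{sub}|{email}".encode()
    return msg.hex() + "." + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def parse_token(token):  # (sub, email) if the signature verifies, else None
    try:
        payload, sig = token.split(".", 1)
        msg = bytes.fromhex(payload)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(SECRET, msg, hashlib.sha256).hexdigest(), sig):
        return None
    return tuple(msg.decode().split("|", 1))

def submit_profile_form(form, keycloak, session, outbox):  # profile form POST
    errors = validate_profile_form(form)
    if errors:
        return "invalid", errors
    sub = session["user_sub"]
    rec = keycloak.get(sub)
    email = form["email"].strip().lower()
    needs_verify = email != (rec.get("email") or "").lower() or not rec["email_verified"]
    keycloak.upsert(sub, email=email, first_name=form["first_name"].strip(), last_name=form["last_name"].strip())
    if needs_verify:  # a new or never-verified address is confirmed before enabling
        keycloak.upsert(sub, email_verified=False)
        keycloak.set_enabled(sub, False)
        outbox.append((email, make_token(sub, email)))  # stand-in for sending the mail
        return "verify_email", None
    keycloak.set_enabled(sub, True)
    session["profile_incomplete"] = False
    return "complete", None

def verify_email(token, keycloak, session):  # verification link clicked
    parsed = parse_token(token)
    if parsed is None:
        return "invalid"
    sub, email = parsed
    rec = keycloak.get(sub)
    if rec is None or (rec.get("email") or "").lower() != email:
        return "stale"  # address changed again since the link was issued
    keycloak.upsert(sub, email_verified=True)
    if missing_attributes(rec):  # re-check the profile before enabling
        return "redirect:/profile"
    keycloak.set_enabled(sub, True)
    session["profile_incomplete"] = False
    return "redirect:/workspace"
```

Besides the two listed flows, this also covers the cases the design only implies: a link whose signature does not verify, a link for an address the user has since changed (reported as stale rather than honoured), and a link clicked while the profile is still incomplete, which sends the user back to the form instead of enabling the account.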