Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade ScribeJava to latest version #5991

Closed
poikilotherm opened this issue Jul 4, 2019 · 6 comments · Fixed by #5997
Closed

Upgrade ScribeJava to latest version #5991

poikilotherm opened this issue Jul 4, 2019 · 6 comments · Fixed by #5997

Comments

@poikilotherm
Copy link
Contributor

This is an implementation task for the salvation of #5974


With the current OAuth2 providers, you can only connect to specific providers. For using an IDM/IAM, we need a more general approach, more like mentioned in #4383.

These days, OpenID Connect defines a common standard based on OAuth2, where at least some scopes and claims are standardized. ScribeJava offers some (very) limited support for using the standard, so let's try this...

poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jul 4, 2019
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jul 5, 2019
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jul 5, 2019
…mpatible with recent ScribeJava library. Refactored code structure a bit, too.
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Jul 5, 2019
…actor base class to avoid code duplication when generating the user record.
@poikilotherm
Copy link
Contributor Author

I just created PR #5997.
@pdurbin could you please add this to code review? Before I add more unit tests, I would like to know if this goes into the right direction.

Beware, this is not yet tested "in the wild" against Github/Google. That's the next step... 😉

@pdurbin
Copy link
Member

pdurbin commented Jul 8, 2019

With the current OAuth2 providers, you can only connect to specific providers.

Yes. This reminds me of this issue: "As a Dataverse Installation Administrator, I want to add an alternative OAuth provider as a plugin, so that I don't have to fork the core code" #4383

@poikilotherm will your current effort help with this? You might be interested in the slide below about federated login presented by @philippconzett during the 2019 community meeting: https://osf.io/cqsrj/
auth

A video of this talk is available: https://youtu.be/vAPpKuDQUDY?t=746

Before I add more unit tests

I don't see any tests yet in pull request #5997. 😄

@poikilotherm
Copy link
Contributor Author

Hey @pdurbin

Yes. This reminds me of this issue: "As a Dataverse Installation Administrator, I want to add an alternative OAuth provider as a plugin, so that I don't have to fork the core code" #4383

@poikilotherm will your current effort help with this? You might be interested in the slide below about federated login presented by @philippconzett during the 2019 community meeting: https://osf.io/cqsrj/

I referenced #4383 in my description already... 😉 To answer your question: it might help. People need to attach their IDM to the other services. This is definitly possible, like it has been done with Unity IDM to connect to a lot more providers than currently exist in Dataverse (see b2access as an example, offering Win Live and Facebook)

I don't see any tests yet in pull request #5997. smile

I wasn't clear enough... There are currently no unit tests at all for the business logic of the OAuth stuff. Before I add any unit tests I would like to know if you guys like what you see... (I prefer test driven design, but I really need to get things done now 😉 .)

poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Sep 23, 2019
The list of authorized scopes doesn't have to be in the same order as
we send it. So better check the single scope names on their own.

Relates to IQSS#5991.
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Sep 24, 2019
Since the introduction of OAuth2 the scope attribute
of all saved tokens has been "null", as there seemed to
be a bug with ScribeJava. Upgrading from v3.3.6 to v6.8.1
resulted in exceptions due to the scope being saved now,
but violating the 64 char limit.

As the persisted data has not been in use ever since
(the scope is always retrieved from the IdP implementation),
the attribute has been removed to save database space and
avoid the exception.

An appropriate SQL migration script for Flyway has been added.
Relates to IQSS#5991.
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Sep 24, 2019
The GitHub auth provider had been implemented with no scope.
Thus only public information is used, the user needs to provide
his or her mail address on first login page.

Relates to IQSS#5991.
poikilotherm added a commit to poikilotherm/dataverse that referenced this issue Sep 25, 2019
@landreev
Copy link
Contributor

landreev commented Oct 18, 2019

I'm seeing that the PR #5997 has just been merged. Why is the flyway script named V4.18.0.1__5991-update-scribejava.sql? - The current version is V4.17.
(not sure if it's worth the trouble renaming the script at this point; doing so would cause the usual problems on all the instances where develop has already been deployed... and since the script only has one "drop column" line, it may be safe to leave it as is... I can't think of a condition where it would case a problem - anyone?)

But let's be careful about keeping established numbering scheme going forward; which is to build on top of the current version in pom.xml.

@pdurbin
Copy link
Member

pdurbin commented Oct 18, 2019

@landreev d'oh! I do think we should rename the SQL script and I volunteer to do it. Sorry I missed this in code review. 😞 I just opened #6293 to fix it.

@poikilotherm poikilotherm changed the title Implementing a minimal OpenID Connect compliant OAuth2 Auth provider Upgrade ScribeJava to latest version Oct 31, 2019
@poikilotherm
Copy link
Contributor Author

Alright, lets close this as done. I'm opening new issues for the further work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants