Refacto OIDC 3 #1405
Refacto OIDC 3 #1405
Conversation
|
Can you please include the Globus record in your
|
BrainPortal/config/oidc.yml.erb
Outdated
| # Scope used when called the OpenID provider when autheticate | ||
| scope: "openid email profile" | ||
| # OpenID provider id and secret need to be passed via environment variables | ||
| client_id: <%= ENV["keycloak_client_id"] %> |
There was a problem hiding this comment.
The examples of ruby code to embed environment variables in the OIDC YAML file should also zap the environment variables, so that they don't get propagated inside the app.
There was a problem hiding this comment.
e.g.
client_id: <%= ENV.delete 'keycloak_client_id' %>
There was a problem hiding this comment.
When I booted my server, I got this in the initial boot messages:
C> Loading OIDC configuration...
C> - ERROR: Cannot load OIDC configuration.
C> Missing keys client_secret, client_id in OIDC config: Keycloak
C> CBRAIN BrainPortal validation completed, 2024-07-16 11:34:22 -0400
Yet the application continued to boot. That's wrong, if the admin does not configure this important config file correctly, the server should not continue!
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| # | ||
|
|
||
| class OidcConfig |
| begin | ||
| OidcConfig.load_from_file | ||
| rescue => ex | ||
| puts "C> \t- ERROR: Cannot load OIDC configuration." |
There was a problem hiding this comment.
Put a better message here, say something like check the content of "oidc.yml.rb"
There was a problem hiding this comment.
Also, make it stop the server boot process.
There was a problem hiding this comment.
Also, when enabled is false, it shouldn't complain about anything.
BrainPortal/config/oidc.yml.erb
Outdated
| # A OpenID provider can be enabled | ||
| enabled: true | ||
| # Configuration of the OpenID provider | ||
| authorize_uri: "http://localhost:8080/realms/.../protocol/openid-connect/auth" |
There was a problem hiding this comment.
What are the ... in the path? Ar they things I'm supposed to replace/substitute? What is supposed to go there?
|
|
||
| def generate_oidc_login_uri(oidc_providers, redirect_url) #:nodoc: | ||
| @oidc_uris = {} | ||
| oidc_providers.each { |oidc| @oidc_uris[oidc.name] = oidc_login_uri(oidc, redirect_url)} |
There was a problem hiding this comment.
When I went to my account page, this line (245) crashed because oidc_providers was nil
There was a problem hiding this comment.
The stack trace was:
lib/globus_helpers.rb:245:in `generate_oidc_login_uri'
app/controllers/users_controller.rb:98:in `show'
app/controllers/application_controller.rb:115:in `activate_user_time_zone'
There was a problem hiding this comment.
It is because in the users controller code, method show, you misspelled one of the instance variables:
# Array of enabled OIDC providers configurations
@oidc_configss = OidcConfig.enabled
# Hash of OIDC uris with the OIDC name as key
@oidc_uris = generate_oidc_login_uri(@oidc_configs, globus_url)(see the @oidc_configss instead of @oidc_configs... )
|
My first step in reviewing this PR is to make sure that all features related to Globus have been preserved. Right now, on my dev system, I have configured a Globus identity provider in the oidc.yml.erb file, and my server boots, but I can't go any further. The 'my account' page doesn't provide any way to link my account it globus. Original CBRAIN code screenshot:
This PR's code screenshot:
|
BrainPortal/lib/globus_helpers.rb
Outdated
| provider_name = identity['identity_provider_display_name'] || cb_error("Globus: No identity provider name") | ||
| pref_username = identity['preferred_username'] || | ||
| identity['username'] || cb_error("Globus: No preferred username") | ||
| provider_id = identity[oidc.identity_provider_key] || cb_error("#{oidc.name}: No identity provider") |
There was a problem hiding this comment.
Use oidc.identity_info() instead. That is what this method is for. You should try to hide any identity struct accesses by using a method, to make the code cleaner and avoid bugs (like the next comment I will leave about method find_user_with_globus_identity)
BrainPortal/lib/globus_helpers.rb
Outdated
| # Returns the user object if found; returns a string error message otherwise. | ||
| def find_user_with_globus_identity(globus_identity) | ||
| def find_user_with_oidc_identity(oidc, identity) | ||
| provider_name = identity[oidc.identity_provider_display_name] |
There was a problem hiding this comment.
Again, use oidc.identity_info() ; the code here crashes because you did not update the method names to say 'NNN_key'. This would not have happend when using identity_info()
| <strong>Provider name:</strong> <%= prov_name %><br> | ||
| <strong>Provider user:</strong> <%= prov_user %><br> | ||
| <% if @user.id == current_user.id %> | ||
| <%= link_to("Unlink this #{oidc.name} identity", unlink_oidc_path(oidc.name, :from => "cb"), |
There was a problem hiding this comment.
Why is there :from => 'cb', it's not used at all
|
Replaced by #1412 |
@prioux and @MontrealSergiy I think it is now ready for review.