The current authorization and login flows are rather messy, contain duplicated code and don't always work as expected. Also, they still contain the old SSID SFO flow, which we don't use anymore.
So, let's refactor this
Overview of how authorization and login flows should work:
This refactoring involves the following endpoints:
/api/users/proxy_authz (user_saml.py): top row of the figure
/interrupt (new endpoint, name tbd): second row of the figure
/api/users/resume_session (user.py): third row of the figure
/api/mfa/ssid_start/<uuid> and other ssid funtions (mfa.py): to be removed
/api/verify2fa_proxy_authz (mfa.py): to be removed
The main idea of the new flow is that we keep the proxy_authz call as lean as possible. We restrict this to basic checks to determine if:
the user can proceed to the service (result=authorized)
the user is denied access (result=unauthorized, redirect_url points to error page on SBS)
the user needs to do manual stuff (result=interrupt, redirect_url point to new interrupt page on SBS)
If any f these checks fail, we simply redirect the user to SBS, where everything will be handled in the regular SBS login process.
This means that lots of the stuff that we currently do in the proxy_authz calls, we move to a single place in the SBS login process. Also, all of the complicated redirect stuff (and handling the continue_url parameter) is done at 1 place (the interrupt page).
Flows
From a user perspective, there are 4 different flows to support:
SBS login
Successful Service login
Interrupted Service login
Failed Service login
I will describe those below:
1. SBS login
user open SBS url
user logs in in using EduTEAMS
EduTEAMS calls proxy_authz with service_id=<SBS>
proxy_authz returns status=authorized
user is redirected to /api/users/resume_session
user is provisioned, needs to do MFA, needs to agree to AUPs, etc
user is redirected to URL they were trying to open in the first place
2. Successful Service login
user open service url
user logs in in using EduTEAMS
EduTEAMS calls proxy_authz with service_id=<service>
all checks are successful
proxy_authz returns status=authorized
user is redirected to service
3. Interrupted Service login
user open service url
user logs in in using EduTEAMS
EduTEAMS calls proxy_authz with service_id=<service>
any of the checks needs user interaction
proxy_authz returns status=interrupt with redirect_url=<sbs>/interrupr
EduTEAMS redirect user to interrupt page on SBS with continue_url=<eduteams_continue>
User needs to log in to SBS
EduTEAMS calls proxy_authz with `service_id=
proxy_authz returns status=authorized
user is redirected to /api/users/resume_session
user is provisioned, needs to do MFA, needs to agree to AUPs, etc
SBS returns to interrupt page
If necessary, SBS asks user to agree to Service AUP
SBS redirects user back to <eduteams_continue>
4. Failed Service login
user open service url
user logs in in using EduTEAMS
EduTEAMS calls proxy_authz with service_id=<service>
an access check fails
proxy_authz returns status=unauthorized with redirect_uri=<sbs_error_page>
The current authorization and login flows are rather messy, contain duplicated code and don't always work as expected. Also, they still contain the old SSID SFO flow, which we don't use anymore.
So, let's refactor this
Overview of how authorization and login flows should work:
This refactoring involves the following endpoints:
/api/users/proxy_authz
(user_saml.py
): top row of the figure/interrupt
(new endpoint, name tbd): second row of the figure/api/users/resume_session
(user.py
): third row of the figure/api/mfa/ssid_start/<uuid>
and other ssid funtions (mfa.py
): to be removed/api/verify2fa_proxy_authz
(mfa.py
): to be removedThe main idea of the new flow is that we keep the
proxy_authz
call as lean as possible. We restrict this to basic checks to determine if:result=authorized
)result=unauthorized
,redirect_url
points to error page on SBS)result=interrupt
,redirect_url
point to new interrupt page on SBS) If any f these checks fail, we simply redirect the user to SBS, where everything will be handled in the regular SBS login process.This means that lots of the stuff that we currently do in the
proxy_authz
calls, we move to a single place in the SBS login process. Also, all of the complicated redirect stuff (and handling thecontinue_url
parameter) is done at 1 place (the interrupt page).Flows
From a user perspective, there are 4 different flows to support:
I will describe those below:
1. SBS login
proxy_authz
withservice_id=<SBS>
proxy_authz
returnsstatus=authorized
/api/users/resume_session
2. Successful Service login
proxy_authz
withservice_id=<service>
proxy_authz
returnsstatus=authorized
3. Interrupted Service login
proxy_authz
withservice_id=<service>
proxy_authz
returnsstatus=interrupt
withredirect_url=<sbs>/interrupr
continue_url=<eduteams_continue>
proxy_authz
with `service_id=proxy_authz
returnsstatus=authorized
/api/users/resume_session
<eduteams_continue>
4. Failed Service login
proxy_authz
withservice_id=<service>
proxy_authz
returnsstatus=unauthorized
withredirect_uri=<sbs_error_page>
See also
773