Refactor login process

[baszoetekouw]

The current authorization and login flows are rather messy, contain duplicated code and don't always work as expected. Also, they still contain the old SSID SFO flow, which we don't use anymore.

So, let's refactor this

Overview of how authorization and login flows should work:

This refactoring involves the following endpoints:

• /api/users/proxy_authz (user_saml.py): top row of the figure
• /interrupt (new endpoint, name tbd): second row of the figure
• /api/users/resume_session (user.py): third row of the figure
• /api/mfa/ssid_start/<uuid> and other ssid funtions (mfa.py): to be removed
• /api/verify2fa_proxy_authz (mfa.py): to be removed

The main idea of the new flow is that we keep the proxy_authz call as lean as possible. We restrict this to basic checks to determine if:

• the user can proceed to the service (result=authorized)
• the user is denied access (result=unauthorized, redirect_url points to error page on SBS)
• the user needs to do manual stuff (result=interrupt, redirect_url point to new interrupt page on SBS) If any f these checks fail, we simply redirect the user to SBS, where everything will be handled in the regular SBS login process.

This means that lots of the stuff that we currently do in the proxy_authz calls, we move to a single place in the SBS login process. Also, all of the complicated redirect stuff (and handling the continue_url parameter) is done at 1 place (the interrupt page).

Flows

From a user perspective, there are 4 different flows to support:

1. SBS login
2. Successful Service login
3. Interrupted Service login
4. Failed Service login

I will describe those below:

1. SBS login

• user open SBS url
• user logs in in using EduTEAMS
• EduTEAMS calls proxy_authz with service_id=<SBS>
• proxy_authz returns status=authorized
• user is redirected to /api/users/resume_session
• user is provisioned, needs to do MFA, needs to agree to AUPs, etc
• user is redirected to URL they were trying to open in the first place

2. Successful Service login

• user open service url
• user logs in in using EduTEAMS
• EduTEAMS calls proxy_authz with service_id=<service>
• all checks are successful
• proxy_authz returns status=authorized
• user is redirected to service

3. Interrupted Service login

• user open service url
• user logs in in using EduTEAMS
• EduTEAMS calls proxy_authz with service_id=<service>
• any of the checks needs user interaction
• proxy_authz returns status=interrupt with redirect_url=<sbs>/interrupr
• EduTEAMS redirect user to interrupt page on SBS with continue_url=<eduteams_continue>
• User needs to log in to SBS
  • EduTEAMS calls proxy_authz with `service_id=
  • proxy_authz returns status=authorized
  • user is redirected to /api/users/resume_session
  • user is provisioned, needs to do MFA, needs to agree to AUPs, etc
• SBS returns to interrupt page
• If necessary, SBS asks user to agree to Service AUP
• SBS redirects user back to <eduteams_continue>

4. Failed Service login

• user open service url
• user logs in in using EduTEAMS
• EduTEAMS calls proxy_authz with service_id=<service>
• an access check fails
• proxy_authz returns status=unauthorized with redirect_uri=<sbs_error_page>
• EduTEAMS redirect user to error page on SBS

See also

• 773

[logan-life]

Bas to take another look and refine if needed while work continues.