USEPA / EPA_Non-geo_Metadata_Editor


Internal User Authentication #28

Open torrin47 opened 6 years ago

torrin47 commented 6 years ago

Internal EPA users will have the ability to login to the site using the same EPA GeoPlatform SAML authentication the EDG is migrating to.

Basic information is here - probably easiest to use libraries that are built into Esri's JavaScript API, though in theory the login is standards-based, and any OAuth login could work. https://developers.arcgis.com/javascript/latest/guide/secure-resources/

The essential info needed from authentication, in addition to simply having a valid GeoPlatform account, is group membership. Any GeoPlatform user should be permitted to use the internal version of the tool to author and save records (and submit to EDG team in a similar manner to extramurals?), but only members of the EDG Publishers or Administrators group would be permitted to write records to the EDG, and they would be limited to certain groups. These groups are stored in the EDG's config file listed below (I guess we'd need to keep this manually synchronized with the non-geo editor). These groupIDs aren't secret, so they can be included in the client-side JS code.

    <arcgisPortalAdapter
        appId="s0brwjWwE7aFPPbF"
        authorizeUrl="https://epa.maps.arcgis.com/sharing/oauth2/authorize"
        expirationMinutes="120"
        gptAdministratorsGroupId="8f68f458ac1649279ab4e4508e28e65e"
        gptPublishersGroupId="5c676886b3454125b0f61311af8d2d52"
        allUsersCanPublish="false">
        <metadataManagementGroup
            name="EPA Region 1"
            groupID="63641797ea964222bdfb662b21a5fa1c"/>
        <metadataManagementGroup
            name="EPA Region 2"
            groupID="9670ee274c7745d9b2e71222a3339b61"/>
        <metadataManagementGroup
            name="EPA Region 3"
            groupID="36dde1194b4a4736814a2c024afcf70e"/>
        <metadataManagementGroup
            name="EPA Region 4"
            groupID="07b70f9349e8496dadb33ae62702c531"/>
        <metadataManagementGroup
            name="EPA Region 5"
            groupID="ed61918064564766a5015e564f2ed68c"/>
        <metadataManagementGroup
            name="EPA Region 6"
            groupID="270d5591383040478ad2b7d71e032ec0"/>
        <metadataManagementGroup
            name="EPA Region 7"
            groupID="57f60cb6671a4161bddf195e0dc97a3b"/>
        <metadataManagementGroup
            name="EPA Region 8"
            groupID="27496423f7af4477acbc968a9b8a5a29"/>
        <metadataManagementGroup
            name="EPA Region 9"
            groupID="f1e939185899418b95a1430356962959"/>
        <metadataManagementGroup
            name="EPA Region 10"
            groupID="23f3a56b40124b70b1e952f800e43bf4"/>
        <metadataManagementGroup
            name="OA"
            groupID="6c73ad876a534034be72bbeb26244233"/>
        <metadataManagementGroup
            name="OAR"
            groupID="b2d3fadb885044e889160915f8c728f8"/>
        <metadataManagementGroup
            name="OAR-OAP"
            groupID="d2dcbabc811048728e394700940675ef"/>
        <metadataManagementGroup
            name="OAR-OAQPS"
            groupID="94d1d11283c44ca596e3320b2799ffa4"/>
        <metadataManagementGroup
            name="OAR-ORIA"
            groupID="98048680998344c98dc87e3ada5cfd76"/>
        <metadataManagementGroup
            name="OAR-OTAQ"
            groupID="a4215e880f2f4e7f8ce754c2d5375b6c"/>
        <metadataManagementGroup
            name="OARM"
            groupID="254121a228cb4ad6be11285fe7a65aa8"/>
        <metadataManagementGroup
            name="OCFO"
            groupID="084513005d714e0b9ea4c42a4b76d365"/>
        <metadataManagementGroup
            name="OCSPP"
            groupID="e6fee2e545f845668c0e4e7c2a292e01"/>
        <metadataManagementGroup
            name="OCSPP-OPP"
            groupID="ba08a68e838b42b0b52c7ccff78db16b"/>
        <metadataManagementGroup
            name="OCSPP-OPPT"
            groupID="91af3c6229cd4dae90072d2dd868273f"/>
        <metadataManagementGroup
            name="OECA"
            groupID="56a1a93d7f734b47aef6279ff276e838"/>
        <metadataManagementGroup
            name="OEI"
            groupID="159786233029482ea2ee041ddd9dffad"/>
        <metadataManagementGroup
            name="OEI-OIAA"
            groupID="b91c484b3b654c9cb15a9b8f3635a2bf"/>
        <metadataManagementGroup
            name="OEI-OIC"
            groupID="8573c5d57ffc4567a6e5c841a9956e02"/>
        <metadataManagementGroup
            name="OGC"
            groupID="d15357b248114be792306891b6d3a872"/>
        <metadataManagementGroup
            name="OIG"
            groupID="529dd476969c4f91a64e5000e33d651a"/>
        <metadataManagementGroup
            name="OITA"
            groupID="19ddf86df7f044379795a56b7c6cc840"/>
        <metadataManagementGroup
            name="ORD"
            groupID="8744f1d371604943b74ea88bcc3d9602"/>
        <metadataManagementGroup
            name="ORD-NCEA"
            groupID="dcc8b4fd4f9d4c079d5950328c56adea"/>
        <metadataManagementGroup
            name="ORD-NERL-ESD"
            groupID="098cf94dbec941879eea3dc37ef2499d"/>
        <metadataManagementGroup
            name="ORD-NERL-ESD-REVA"
            groupID="e9e1d3d95d6d40efbf836ab6514bd7b8"/>
        <metadataManagementGroup
            name="ORD-NHEERL-AED"
            groupID="8553c2f022f14f36b59cf137c090807f"/>
        <metadataManagementGroup
            name="ORD-NHEERL-WED"
            groupID="23a47cdc96a84e13a2fbaf8577b52ac5"/>
        <metadataManagementGroup
            name="ORD-NRMRL"
            groupID="e9e1d3d95d6d40efbf836ab6514bd7b8"/>
        <metadataManagementGroup
            name="ORD-OSA"
            groupID="e4034ab61fd24edfb149a6b5a9881017"/>
        <metadataManagementGroup
            name="OLEM"
            groupID="0119e92ad1a54e76a0451499676a7c73"/>
        <metadataManagementGroup
            name="OLEM-CPA"
            groupID="142c62cef96b42e1a99839a8a94488e9"/>
        <metadataManagementGroup
            name="OLEM-FFRRO"
            groupID="eaff66651aa94705a2c12fcafdff8a2f"/>
        <metadataManagementGroup
            name="OLEM-OBLR"
            groupID="240ce61d406648038b0094af68c3ca88"/>
        <metadataManagementGroup
            name="OLEM-OEM"
            groupID="d674c534f7ff438db255aea56d4e6156"/>
        <metadataManagementGroup
            name="OLEM-OPM"
            groupID="bff34eb045704b74afa4aa65bfd13e90"/>
        <metadataManagementGroup
            name="OLEM-ORCR"
            groupID="7e1f969dad514e69b980a005142d2b9c"/>
        <metadataManagementGroup
            name="OLEM-OSRTI"
            groupID="8b1cbb2c8dd7406a97430ad0c69f0873"/>
        <metadataManagementGroup
            name="OLEM-OUST"
            groupID="4e9f14e16e334e95a86ace23de606965"/>
        <metadataManagementGroup
            name="OW"
            groupID="a3508d2ae77d48a4ae160233898512ec"/>
        <metadataManagementGroup
            name="Extramural-Research"
            groupID="2eab613d9bd646b7b98dae10c2ba766c"/>
    </arcgisPortalAdapter>

aergul commented 5 years ago

@torrin47 we've initially implemented using the REST API of the authentication service and we didn't get much more than the token and the username. Using ESRI libs, we get a bit further and are able to determine the user's full name as well as:

role: "org_publisher"
roleId: "jmc1ObdWfBTH6NAN"

I believe these indicate the user's role on ArcGIS Online, which most likely is unaware of the user's role in Geoportal Server. I could be wrong though; is there some mechanism that syncs or otherwise makes this info from EDG available to the EPA GeoPlatform?

If the answer is no, then I can imagine two alternatives:

1. We can make a call to EDG with the user's token to determine if the user is an EDG admin or publisher. We may need to erect a service for this if no API is readily available on the EDG side for this.
2. The services we will build to load/save a record from/to EDG can perform the check at that time. Somewhat less than ideal as the user won't know that they can actually load/save until attempting to do so.

Preference?

torrin47 commented 5 years ago

You're correct that the role and roleId are specific to ArcGIS Online and aren't related to EDG functionality. EDG permissions are controlled entirely by "group" membership - and I'm guessing that if you are receiving the role for the user, you also see the user's groups? The groups listed above are the relevant ones - there are two master groups - publisher and admin - and then all the individual organizational groups. The EDG allows a user to log in and then makes a server-side call for the user details and compares group membership against the list we embed in the config file. What I've never investigated is whether there's an API on the EDG side that we can use to check whether a logged-in user is recognized as in the right GeoPlatform groups. It seems like the kind of thing we ought to be able to delegate to the EDG rather than have to check separately, but I've not seen any documentation on this front. I guess this is your alternative #1. Does that help?
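The group-membership check described in this comment, written out as an added example (not code from the EPA_Non-geo_Metadata_Editor project or the EDG): it takes the group list a portal "self" call returns for the logged-in user, ignores the ArcGIS Online role/roleId fields, and compares the group ids against an excerpt of the config posted above. The user objects are constructed, the function names are hypothetical, and the example assumes that "limited to certain groups" means a publisher or admin may only write into management groups they are themselves a member of.

```javascript
// Excerpt of the arcgisPortalAdapter config posted above, expressed as data.
// The ids are not secret, so shipping them to the browser is fine; what must
// NOT live only in the browser is the decision itself (see authorizeWrite).
const EDG_CONFIG = {
  adminsGroupId: "8f68f458ac1649279ab4e4508e28e65e",
  publishersGroupId: "5c676886b3454125b0f61311af8d2d52",
  allUsersCanPublish: false,
  managementGroups: {
    "63641797ea964222bdfb662b21a5fa1c": "EPA Region 1",
    "a3508d2ae77d48a4ae160233898512ec": "OW",
    "2eab613d9bd646b7b98dae10c2ba766c": "Extramural-Research",
  },
};

// Constructed users in the shape of a portal "self" response: groups is an
// array of { id, title }. role/roleId are present but deliberately unused.
const SAMPLE_USERS = {
  admin: { username: "edg.admin", role: "org_admin", groups: [
    { id: EDG_CONFIG.adminsGroupId, title: "EDG Administrators" },
    { id: "a3508d2ae77d48a4ae160233898512ec", title: "OW" } ] },
  publisher: { username: "r1.publisher", role: "org_user", groups: [
    { id: EDG_CONFIG.publishersGroupId, title: "EDG Publishers" },
    { id: "63641797ea964222bdfb662b21a5fa1c", title: "EPA Region 1" } ] },
  // org_publisher is an ArcGIS Online role; it confers nothing in EDG.
  plain: { username: "researcher", role: "org_publisher", roleId: "jmc1ObdWfBTH6NAN",
    groups: [ { id: "2eab613d9bd646b7b98dae10c2ba766c", title: "Extramural-Research" } ] },
};

// Derive what the UI may offer: any authenticated user can author/save locally;
// only publisher/admin group members can write to EDG, and only into the
// management groups they belong to (assumption, see lead-in).
function edgPermissions(portalUser, config = EDG_CONFIG) {
  const groupIds = new Set((portalUser.groups || []).map((g) => g.id));
  const isAdmin = groupIds.has(config.adminsGroupId);
  const canPublish = isAdmin || groupIds.has(config.publishersGroupId) || config.allUsersCanPublish;
  const writableGroups = canPublish
    ? Object.entries(config.managementGroups).filter(([id]) => groupIds.has(id)).map(([, n]) => n)
    : [];
  return { authenticated: Boolean(portalUser.username), canPublish, isAdmin, writableGroups };
}

// Server-side guard for the load/save service: re-derive the decision from the
// portal user record fetched with the caller's token, never from client state.
function authorizeWrite(portalUser, targetGroupId, config = EDG_CONFIG) {
  const name = config.managementGroups[targetGroupId];
  if (!name) return false; // unknown or non-management group: refuse
  return edgPermissions(portalUser, config).writableGroups.includes(name);
}
```

The same `edgPermissions` result drives both the client (greying out "publish" for the researcher) and the service (rejecting the write), so the UX hint and the enforced decision cannot drift apart.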

aergul commented 5 years ago

Well, the thing is we are authenticating against EPA GeoPlatform / ArcGIS Online which is not aware of EDG groups. We can worry about this when we get to #26 and #27.

This ticket has now been deployed to dev. To facilitate this, dirty checking has also been implemented to prevent navigation confirmation prompts from convoluting authentication-related navigation such as:

image.png

There may be some edge cases around dirty checks so emphasis will need to be on QA @jzichichi @torrin47 .

jzichichi commented 5 years ago

@aergul @torrin47 this worked well for me; I tested with login, without login, etc. The prompts all worked as I would have expected.

torrin47 commented 5 years ago

Basic Login/logout works well. A couple of notes:

aergul commented 5 years ago

EPA Contact/sponsor addressed.

Login/logout flow is being implemented under #71