Add token auth support for iRODS login and IGV session views for OIDC users

[mikkonie]

SODAR Core v1.0 introduces OIDC (OpenID Connect) authentication support for the Django server. This allows us to authenticate against e.g. LS AAI (formerly Elixir) in public SODAR instances.

Alas, iRODS has its own logins and we need to support those as well. There is no native OIDC support for iRODS and as a non-web-based system, adding such a solution would be hacky at best.

However, we already have the custom PAM module for iRODS, which is used in authenticating against SODAR if no LDAP servers are available. We could use a similar solution to authenticate with SODAR with a token provided by the SODAR server. I will write a spec related to that below.

This will also need work in github/irods-docker and github/sodar-docker-compose. At the time of writing, the custom PAM module is broken in my WIP iRODS 4.3 image. This needs to be debugged.. I will link relevant issues here.

Spec

• Enable OIDC in SODAR server
• Provide token for OIDC users
  • Use Knox tokens
  • Instruct user clearly in the UI (and docs) on how to obtain the token, if they are an OIDC user
• In the local SODAR auth API view, allow providing token in place of password
  • Need to provide username in order to verify to iRODS which user is attempting to authenticate
  • Alternatively, we could use a __token__ username and return the real username in the response, but that's more work. Maybe add it later if requested.
• Could also use another endpoint if needed, but probably easiest to do it with the existing LocalAuthAPIView
• Also add token support for IGV session file URLs
  • Probably we somehow have to override FallbackToAuthBasicMiddleware instead of working directly in views
• Add Django warning if OIDC is enabled but the tokens app plugin is disabled

Tasks

• [x] Add token-based login logic to BasicAuthView (formerly LocalAuthAPIView)
• [x] Add view tests for BasicAuthView
• [x] Add token support to IGVSessionFileRenderView x2
• [x] Add view and permission tests for IGV views
• [x] Add UI elements to irodsinfo
• [x] Add UI tests
• [x] Add Django warning if tokens is disabled
• [x] Add user documentation
• [x] Add admin documentation for enabling OIDC Documented in SODAR Core, already linked in admin docs

[mikkonie]

I now have this technically working for the iRODS login. Alas, there are challenges in writing an universal solution for both the irodsbackend auth view and the study plugin IGV views. The implementation used in the latter requires the user to login. I haven't figured out a way to login the user authenticating with knox from inside the middleware wrapper. It basically always ends up with a 401, even though the user is successfully authenticated.

I can simply return a 200 response from process_request(), but that skips all the checks etc in the view class. Not optimal either.

Technically, none of these views require the user to stay logged in, as they're one-time requests. However, skipping the login might require a lot of needless rewriting of stuff currently in our handy mixins.

I'll sleep on it, probably there is a straightforward solution I simply can't think of now..

[mikkonie]

Previous problems with login are fixed. It required 1) setting user.backend to the Django model backend and setting the base view in the iRODS auth view to View instead of APIView. The latter logs the user out silently even after a successful login in the middleware. I'm not entirely sure why, but there you go.

I also did the very breaking change of updating the method of BasicAuthView to GET, because POST was creating its own problems. Not quite sure why I went with POST to begin with.

Next up: writing tests for the IGV XML serving views (I already verified they work in dev, but they should be tested)

[mikkonie]

Done.