eecs485staff / agio-cli

A command line interface to autograder.io
MIT License

User friendly token acquisition #3

Closed awdeorio closed 2 years ago

awdeorio commented 3 years ago

The present instructions for obtaining an authentication token are arcane. It would be great if this process were more user friendly.

Note that the autograder uses OAuth2 with Google's SSO.

japplefield commented 3 years ago

I think I figured out how the AG does authentication:

  1. Front-end makes a request to https://autograder.io/api/users/current/ . If the request returns a 401 then it redirects the user to https://accounts.google.com/o/oauth2/... It gets this URL from the WWW-Authenticate field of the 401's response header.
  2. The URL the user was redirected to has a redirect_uri and a client_id in its query parameters. Google does lots of fun stuff to authenticate here.
  3. Eventually Google sends a request back to https://autograder.io/api/oauth2callback/. Included in this request is a query parameter called code. The AG uses the oauth2client library to create an OAuth2Credentials object using that code parameter and the data from a secrets file stored on the AG server.
  4. The AG server makes a request to Google's People API to find the email of whoever that code belongs to, using the OAuth2Credentials object it just made to authenticate the request.
  5. The AG takes the email address and uses Django Rest Framework (https://www.django-rest-framework.org/api-guide/authentication/) to get a token for an existing user or create a token for a new user. It sets a cookie called token (this is the token we care about).
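
The redirect step of the flow described above, written out as an added example; this is not code from the issue or from agio-cli. It assumes that the WWW-Authenticate value on the 401 is the bare Google authorization URL (the comment only says the URL comes from that header), and the client_id, redirect_uri, response_type and scope values, as well as the token cookie value, are constructed samples. The check on the redirect target is the kind of sanity check a CLI would want before opening a browser for the user.

```python
"""Parse the 401 -> Google redirect step of the autograder.io login flow.

Added example, not agio-cli code. Header and cookie values below are
constructed; only the host names and paths are the ones named in the issue.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed 401 response headers. Assumption: WWW-Authenticate carries
# the bare authorization URL the front-end redirects to.
SAMPLE_401_HEADERS = {
    "WWW-Authenticate": (
        "https://accounts.google.com/o/oauth2/auth"
        "?client_id=EXAMPLE_CLIENT_ID"
        "&redirect_uri=https%3A%2F%2Fautograder.io%2Fapi%2Foauth2callback%2F"
        "&response_type=code&scope=openid%20email"
    ),
}

# What a client should insist on before following the redirect.
ALLOWED_AUTH_HOSTS = {"accounts.google.com"}
EXPECTED_REDIRECT_URI = "https://autograder.io/api/oauth2callback/"


def authorization_url_from_401(headers):
    """Return the authorization URL carried in a 401's WWW-Authenticate header."""
    value = headers.get("WWW-Authenticate")
    if not value:
        raise ValueError("401 response carries no WWW-Authenticate header")
    return value.strip()


def parse_authorization_url(url):
    """Split the authorization URL into the fields the flow relies on."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    def single(name):
        # OAuth2 parameters must appear exactly once; duplicates are suspicious.
        values = query.get(name, [])
        if len(values) != 1:
            raise ValueError(f"expected exactly one {name!r} parameter, got {values}")
        return values[0]

    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "client_id": single("client_id"),
        "redirect_uri": single("redirect_uri"),
        "response_type": single("response_type"),
    }


def check_flow_parameters(params):
    """Refuse to open a redirect that does not match the known flow."""
    if params["scheme"] != "https":
        raise ValueError("authorization URL must use https")
    if params["host"] not in ALLOWED_AUTH_HOSTS:
        raise ValueError(f"unexpected authorization host {params['host']!r}")
    if params["redirect_uri"] != EXPECTED_REDIRECT_URI:
        raise ValueError(f"unexpected redirect_uri {params['redirect_uri']!r}")
    if params["response_type"] != "code":
        raise ValueError("only the authorization-code flow is expected")
    return True


def token_from_set_cookie(set_cookie_header):
    """Extract the `token` cookie the AG sets after the callback (step 5)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if "token" not in jar:
        raise ValueError("no token cookie in response")
    return jar["token"].value


if __name__ == "__main__":
    url = authorization_url_from_401(SAMPLE_401_HEADERS)
    params = parse_authorization_url(url)
    check_flow_parameters(params)
    print("client_id:", params["client_id"])
    print("redirect_uri:", params["redirect_uri"])
    # Constructed Set-Cookie header standing in for the AG's response.
    print("token:", token_from_set_cookie("token=EXAMPLE_TOKEN; Path=/; Secure; HttpOnly"))
```

The check in check_flow_parameters is deliberately strict: a CLI that blindly opens whatever URL a 401 hands it would also open a URL pointing somewhere else if the response were tampered with in transit, so pinning the authorization host and the callback URI costs nothing and catches that.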

japplefield commented 3 years ago

https://developers.google.com/identity/sign-in/web/server-side-flow has a good diagram. https://developers.google.com/identity/protocols/oauth2/web-server#userconsentprompt explains the actual login process in use with OAuth 2.0.

japplefield commented 3 years ago

An initial (and certainly not sustainable) attempt underway in https://github.com/eecs485staff/agio-cli/tree/login-gui

It likely will only work if Duo is configured to automatically push to a device, or if there is only one device set up with Duo (since it tries to push the "Send me a push" button).

awdeorio commented 3 years ago

I think this is a high priority. A good rule of thumb is that a tool should do something "out of the box". If there's a barrier to getting started, people simply won't use the tool.

awdeorio commented 2 years ago

This is easy now that there's a new feature on the autograder! From James Perretta:

Alrighty, I just deployed this change along with this semester's major release. You can now go to https://autograder.io/web/__apitoken__ and be prompted to download a file with your token in it. You can also send a DELETE request to the /api/users/current/revoke_api_token/ endpoint to revoke your token. This information is also included in the API documentation (https://autograder.io/api/docs).