GraemeWatt
commented
3 years ago For the HEPData service (hepdata.net) we allow login with either CERN, ORCID, or local password, using the invenio-oauthclient package. We've had an issue (HEPData/hepdata#106) for the last five years where if a user has previously connected to their CERN account, but uses one of the other methods (ORCID or local password) to log in, they get an exception KeyError: 'Group' from this line of cern.py. We had hoped that this issue would be fixed in recent versions of invenio-oauthclient or when we moved to the new CERN SSO (merged PR HEPData/hepdata#343, but not yet deployed). But we still get a similar exception KeyError: 'cern_roles' from this line of cern_openid.py. These exceptions have generated complaints from HEPData users multiple times over the last five years. Would you be able to prioritise fixing this issue for a future invenio-oauthclient release?
ntarocco
Currently, CERN contribs (and probably others) relies on signals to perform login/logout operations. Unfortunately, all the contribs are "registered" on app init and they will all receive signals.
Problem
On login/logout, each contribs receive the signal and perform operations. The correct behaviour would be that only the contrib used to login should receive such signals. This is also creating an issue on logout: given that
invenio-oauthclientis not aware of which login method was used, the logout signal is emitted to all contribs and they all perform logout operations, causing issues in case of redirections.Possible solution
The solution could be to use DB information or add any extra information to store which was the authentication method used by the user. This could allow to stop firing signals to all contribs and emit only to the contrib used on login.