jhu-bids / TermHub

Web app and CLI tools for working with biomedical terminologies. https://github.com/orgs/jhu-bids/projects/9/views/7
https://bit.ly/termhub
GNU General Public License v3.0

User authentication #548

Open joeflack4 opened 10 months ago

joeflack4 commented 10 months ago

Update 2023-09-22

As of 274fa80, we got it working on localhost, but commented it out. See the notes for that commit for next steps, if we ever implement this.

Overview

We want to be able to have users log into TermHub using their N3C Data Enclave credentials. User authentication allows us to build in new functionality, and using N3C as the auth provider is the only way to authorize TermHub to make actions on behalf of the user.

Notes

Ostensibly this will involve the Foundry application SDK. That page has a setup guide and examples in Python and TypeScript.

For example, we imagine that the SDK should provide a way to access the multiPassId or call an action on behalf of the user and pass the authed user's multiPassId through.

Installation appears to be a little different for this SDK: pip install termhub_sdk --upgrade --extra-index-url "https://:$FOUNDRY_SDK_AUTH_TOKEN@unite.nih.gov/artifacts/api/repositories/ri.artifacts.main.repository.10d521f8-7ba3-42d8-a0af-9736d1ea3bd9/contents/release/pypi/simple"

Maya Choudhury thinks we may need an existing setup like this or this, but I'm not 100% sure about that.

9/20 Maya linked new boilerplate example for Python.

Links

Questions

  1. Will this SDK really work for our use case? Will it allow us to do stuff on behalf of other users? If not, maybe the only way is for us to set up our own standard TermHub auth and have the user give us their token.
  2. Do we need to reinstall the SDK whenever FOUNDRY_SDK_AUTH_TOKEN expires? If so, it doesn't sound like we can use this. How often does it expire? Can we know that in advance? Perhaps we'd need to decouple and deploy a separate auth server to deal with that, rather than deploy a new version of TermHub each time.

Related

Replaces:

Sigfried commented 10 months ago

The Palantir instructions seem to have changed. I'm supposed to set up a pair programming session with Maya to get help getting it to work. Commented out for now.

joeflack4 commented 9 months ago

How it works: Click a button, reroutes you to enclave login page. Then that sends you to a redirect URL. At that point your app has access to auth token. Then we send that to the backend to do everything as that user. Or we could achieve some of those things using the service token and multipass id.
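
Added example, not part of this thread or of TermHub's code: the redirect flow described in the last comment, sketched as an OAuth 2.0 authorization-code flow with PKCE, showing the checks an app should make on the redirect before it trusts the result. That the provider uses this flow is an assumption, and the authorize URL, client ID and redirect URI are placeholders.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): none of these values come from the issue or TermHub.
AUTHORIZE_URL = "https://auth.example.invalid/oauth2/authorize"
CLIENT_ID = "termhub-client-id-placeholder"
REDIRECT_URI = "http://localhost:3000/auth/callback"


def begin_login():
    """Build the URL the login button redirects to, plus values to keep in the session."""
    state = secrets.token_urlsafe(32)     # binds the later callback to this session
    verifier = secrets.token_urlsafe(64)  # PKCE secret, sent only in the token request
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "verifier": verifier}


def handle_callback(callback_url, session):
    """Validate the redirect, then return the form fields for the token request."""
    got, want = urlparse(callback_url), urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback arrived at an unexpected redirect URI")
    params = parse_qs(got.query)
    if "error" in params:
        raise ValueError("provider returned an error: " + params["error"][0])
    expected = session.get("state")
    state = params.get("state", [""])[0]
    # Reject when no login was started or the state differs (login CSRF).
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return {
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
        "code_verifier": session["verifier"],
    }
```

The returned fields are what gets POSTed to the provider's token endpoint; that network call is left out so the example runs offline.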