moleculemaker / clean-frontend

web frontend for CLEAN tool
MIT License

mock up user flow for login #100

Open matthewberry opened 1 year ago

bodom0015 commented 1 year ago

Hey, hope I'm not stepping on any toes here! :X

I've been working on some bits related to this for #106. Here is a quick sample of the login/logout flow that we've set up on the server-side.

Not sure how this might affect the mockup flow or if there is more to think about here, but just wanted to share this early so that it jives with how we're thinking about this stuff :)

Features

Sample Login / Logout Flow

  1. To login: navigate to https://mmli1.ncsa.illinois.edu/oauth2/start?rd=/oauth2/userinfo
    • User is redirected to Keycloak to login or create an account
    • We can allow users to Login with CILogon to use the platform with an existing account (e.g. University credentials, Google, etc)
    • After login, rd parameter redirects us to /oauth2/userinfo
  2. To use APIs after authenticating:
    • After login, we include an _oauth2_proxy cookie with each API request
    • By sending this cookie back to /oauth2/userinfo, we can retrieve the username, email, groups, etc
    • Cookie should be valid for all subdomains where our software products are running
    • Cookie has an expiration date and is encrypted, cannot be decoded or manipulated directly like a JWT can
  3. To logout: navigate to https://mmli1.ncsa.illinois.edu/oauth2/sign_out?rd=/oauth2/userinfo
    • After logout, _oauth2_proxy cookie is removed from your browser
    • We now get back 401: Unauthorized from the userinfo endpoint
    • After logout, rd parameter redirects us to /oauth2/userinfo
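As an added example (not code from the clean-frontend repository or from the comment above), here is a small browser-side client for the flow just described: it builds the `/oauth2/start` and `/oauth2/sign_out` URLs with a same-origin `rd`, and queries `/oauth2/userinfo` with the browser's cookies, treating a 401 as the logged-out state rather than an error. The host is taken from the comment; the fake `fetch` and the user values are constructed for offline use, and the userinfo field names follow oauth2-proxy's JSON response.

```javascript
// Added example, not part of clean-frontend. Host taken from the comment above.
const AUTH_BASE = "https://mmli1.ncsa.illinois.edu";

// Keep `rd` a same-origin path. oauth2-proxy honours relative paths (or
// explicitly whitelisted domains); refusing anything else means a crafted
// link cannot turn the login/logout redirect into an open redirect.
function safeReturnPath(rd) {
  if (typeof rd !== "string" || !rd.startsWith("/") || rd.startsWith("//") || rd.includes("\\")) {
    return "/";
  }
  return rd;
}

function loginUrl(rd = "/") {
  const u = new URL("/oauth2/start", AUTH_BASE);
  u.searchParams.set("rd", safeReturnPath(rd));
  return u.toString();
}

function logoutUrl(rd = "/") {
  const u = new URL("/oauth2/sign_out", AUTH_BASE);
  u.searchParams.set("rd", safeReturnPath(rd));
  return u.toString();
}

// Ask oauth2-proxy who the current user is. The encrypted _oauth2_proxy cookie
// is attached by the browser because credentials are included; the frontend
// never reads or decodes it. A 401 simply means "not logged in".
async function fetchUserInfo(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${AUTH_BASE}/oauth2/userinfo`, {
    credentials: "include",
    headers: { Accept: "application/json" },
  });
  if (res.status === 401) return null;
  if (!res.ok) throw new Error(`userinfo failed: HTTP ${res.status}`);
  const info = await res.json();
  // Pass along only the fields the UI needs (names as oauth2-proxy returns them).
  return { user: info.user, email: info.email, groups: info.groups || [] };
}

// Constructed stand-in for fetch so the flow can be exercised offline:
// loggedIn=true mimics a valid cookie, loggedIn=false mimics the post-logout 401.
function makeFakeFetch(loggedIn) {
  return async () =>
    loggedIn
      ? { ok: true, status: 200, json: async () => ({ user: "alice", email: "alice@example.edu", groups: ["clean-users"] }) }
      : { ok: false, status: 401, json: async () => ({}) };
}
```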