ontoportal / ontoportal-project

OntoPortal Alliance centralized repository for the management of the OntoPortal project
https://ontoportal.org/
3 stars 1 forks source link

Ontoportal SSO feature #26

Closed syphax-bouazzouni closed 10 months ago

syphax-bouazzouni commented 1 year ago

Context

We are working currently at Agroportal with Ecoportal to align our two codebases; which means resting extracting reusable features from both codebases and sharing them with Ontoportal.

For example, EcoPortal developed an administration panel for groups and categories (to add, edit and delete them) that we extracted from Ecoportal and integrated into Agroprtal (and soonly shared with Ontoportal, see https://github.com/ontoportal-lirmm/bioportal_web_ui/pull/237)

In that context, we also discovered that EcoPortal implemented an SSO implementation, which we think can be a great contribution to Ontoportal.

This implementation includes those changes:

The developer of this is @manuelfiorelli from the Ecoportal team.

syphax-bouazzouni commented 1 year ago

Hi @manuelfiorelli, can you please give more details of how it works, and what is needed to make it work?

manuelfiorelli commented 1 year ago

The implementation of single sign-on (SSO) in EcoPortal relies on the OAuth 2.0 and OpenID Connect standards. The current deployment in a development environment uses Keycloak as the actual identity and access management software that implements both standards, playing the role of the authorization server.

Both the web UI and and the API were modeled in the authorization server as client, each with its own set of client credentials:

In EcoPortal, we externalized authentication and login management to the authorization server, while keeping the internal user management and api key to avoid disrupting the architecture. After the login phase, most of EcoPortal runs unmodified.

By first, SSO must be enabled, by setting the global variable $SSO_ENABLED to true and providing the necessary configurations at the UI and API levels.

If SSO is enabled, the login procedure changes slightly. If you look at config/routes.rb, you can see that login and logout are served by a different controller dedicated to OAuth 2.0.

Upon login, the Oauth2Controller initiates the interaction with the authorization server, by asking an authorization code: the controller redirects the user to the authorization server, allowing the user to login if not already logged in (hence, SSO), and then redirecting the user to a callback URL in the web UI together with the requested authorization code.

After performing some security checks (including validating some nonces to avoid some common attacks), the callback implementation uses the authorization code to request (in a backend channell) an access token for the web UI client. This access token is then used to invoke the users/authenticate API, replacing the usual user credentials.

If SSO is enabled, the implementation of the endpoint users/authenticate is changed accordingly. The idea is that the API validates the supplied access token, obtaining:

Beyond login, the 'Oauth2Controller` also implements RP-initialed logout, so that one a users logs out from EcoPortal it closes also the session in the authorization server.

syphax-bouazzouni commented 1 year ago

Hi @manuelfiorelli, thanks for this detailed explanation.

So If I understood well,

  1. You have added for Lifewatch an external authentification server (to share the same authentication system with all the applications of the organization including Ecoportal), using this tool Keycloak (Lifewatch-Ecoportal specific)

  2. If the global variable $SSO_ENABLED is set to true, now the UI login link redirects users to your Keycloak server that returns a callback with the token of the authenticated user (and other information about him).

  3. That token received in the UI is then sent to the API which tries to decode it. If successful the user is connected (and created if first time connection)

On the UI side, you used this package https://github.com/nov/openid_connect (to contact the Authorization server) On the backend, you used this package https://github.com/oauth-xx/oauth2 (to decode the Token)

I think the implementation is good, and that we can integrate to Agroprotal (@jonquet). But in the condition that it is generalized to work with multiple Authorization servers (identity providers), Self-hosted organizational authorization servers, Github, and ORCID.

So do you think @manuelfiorelli, that you can update it (easily) to make it work with the multiple authorization servers (in priority for Github)

image
syphax-bouazzouni commented 1 year ago

@jvendetti if we make it work for Github, do you have any requirements and/or remarks to give us; regarding your parallel work on GitHub request changes?

jonquet commented 1 year ago

I think the implementation is good, and that we can integrate to Agroprotal (@jonquet). But in the condition that it is generalized to work with multiple Authorization servers (identity providers), Self-hosted organizational authorization servers, Github, and ORCID.

This will be my opinion too. @manuelfiorelli we know it's a bit more time and work to generalize to "other" possible situation in the Alliance... but that's really what makes the difference. If you have a chance to do it, would be very nice.

jvendetti commented 1 year ago

@jvendetti if we make it work for Github, do you have any requirements and/or remarks to give us; regarding your parallel work on GitHub request changes?

When I generate a GitHub issue from the Rails application, I'm interested in some way to know if the logged in user has a GitHub account name. The idea is that the body of the GitHub issue could incorporate their GitHub account name with GitHub's mention syntax, e.g., something like:

This request was issued from OnotPortal by @syphax-bouazzouni

We're interested in using the mention syntax so that we can take advantage of GitHub's built-in notifications. Currently we output the BioPortal account name in issue bodies, but the GitHub account name would be preferable:

Screen Shot 2023-06-02 at 12 42 48 PM

Please let me know if you'd like any additional details.

syphax-bouazzouni commented 10 months ago

Close as done in https://github.com/ontoportal-lirmm/bioportal_web_ui/releases/tag/v2.7.0, discussion about merging it to the main Ontoportal branch will be discussed here https://github.com/ontoportal/ontoportal-project/issues/37