Closed xgp closed 1 year ago
We should also include in this a special choice for "Global" in the case where the user has the realm level roles required for onprem mode. This would be a separate button with some kind of context in the button like "You have permission to create IdPs for the entire Realm". This selection would also override whatever `apiMode` is set in the config when it is selected.

| Global |
|---|
| You have permission to create IdPs for the entire Realm |

| Select Organization |
|---|
| jeff's default organization --> org-abcd1234 |
| Villefranche-sur-Mer --> org-abcd1234 |
| Booyah chicken --> org-abcd1234 |
Sorry for the shi**y looking mockup ;). I'm thinking something like the create deployment buttons where there is some context in each button.
Ok some (dumb?) questions to make sure I'm looking at this in the right way:

1. Check I plan on doing is looking at `tokenParsed` then backing into the Orgs + Roles for that. Sounds right?
2. How does one toggle `onprem` mode for testing?
3. I think my Org setup is out of date or something has changed. I tried to regenerate a portal link for cloud, but was getting a 500 error

```
~/workspace/phase-two/idp-wizard (main*) » ./util/portal-link-cloud.sh pnzr@pnzrs-MacBook-Pro
Host (format http://foo.com ): https://app.phasetwo.io
Realm: cloud
Username: jpatzer@gmail.com
Password: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1979 100 1895 100 84 2112 93 --:--:-- --:--:-- --:--:-- 2218
orgId: 5e2288c5-1867-4e13-9b35-824be46fa5cc
baseUri (e.g. http://localhost:9000/auth ): http://localhost:9000/auth
{"error":"HTTP 500 Internal Server Error"}%
```
Try `5e2288c5-1867-4e13-9b35-824be46fa5cc` for your orgId. I think I deleted the old test org.
Where do I go to actually manage users for this realm?
https://app.phasetwo.io/auth/admin/cloud/console/ using your jpatzer@gmail.com account
I can login with a basic user that has no organizations but some permissions
Take a look at the token once you get portal link working above. It should have the organizations.
> Check I plan on doing is looking at `tokenParsed` then backing into the Orgs + Roles for that. Sounds right?

Correct. In the future, I may pull it from a different place (something in OIDC called `userinfo`), so it would be nice to have the checking done behind some abstraction that could take the `tokenParsed` for now, and the `userinfo` in the future.

> How does one toggle `onprem` mode for testing?
Two answers:
When the user first enters the wizard, we should check for their permissions in their `tokenParsed`. The content of the token dictates the content of an "organization selector" that will be presented to them. (for roles reference, see `src/app/hooks/useRoleAccess.ts`)

Selector options:

- If the user has the `requiredResourceRoles` in their resource roles, display a "Global" option
- For each organization in the `organizations` token claim, if the user has the `requiredOrganizationRoles` for that organization, display an option with that organization's name.
- If there is an `org_id` in the claim or an `org_id` http parameter in the request, and they have the `requiredOrganizationRoles` for that organization, bypass the selector as if the organization specified in the `org_id` was selected.

Selection side effects:

- Selecting "Global" sets the `apiMode` to `onprem`, overriding the default from the config.
- Selecting an organization sets the `apiMode` to `cloud`, overriding the default from the config.

Getting stonewalled on this login. I am very sure I'm using the right password. Wrong passwords give me a `401 - Not Authorized`
while entering the right one is giving me a `HTTP 500 Internal Server Error`

Right password, getting 500

```
$ ./util/portal-link-cloud.sh
Host (format http://foo.com ): https://app.phasetwo.io
Realm: cloud
Username: jpatzer@gmail.com
Password: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1989 100 1895 100 94 2631 130 --:--:-- --:--:-- --:--:-- 2777
orgId: 5e2288c5-1867-4e13-9b35-824be46fa5cc
baseUri (e.g. http://localhost:9000/auth ): http://localhost:9090/auth
{"error":"HTTP 500 Internal Server Error"}%
```

Wrong password

```
$ ./util/portal-link-cloud.sh
Host (format http://foo.com ): https://app.phasetwo.io
Realm: cloud
Username: jpatzer@gmail.com
Password: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 164 100 72 100 92 119 152 --:--:-- --:--:-- --:--:-- 273
orgId: 5e2288c5-1867-4e13-9b35-824be46fa5cc
baseUri (e.g. http://localhost:9000/auth ): http://localhost:9000/auth
{"error":"HTTP 401 Unauthorized"}%
```
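The selector rules xgp lays out above (a "Global" option from the realm-level resource roles, one option per entitled organization in the `organizations` claim, the `org_id` bypass, and the `apiMode` override on selection), as an added worked example in TypeScript. This is not code from the idp-wizard project; the token claim shape, the role names behind `requiredResourceRoles` / `requiredOrganizationRoles`, and the org ids are assumptions.

```typescript
// Added example, not code from the idp-wizard project. The token shape is an
// assumption modelled on Keycloak's resource_access claim plus an organizations
// claim of the form { [orgId]: { name, roles } }; role names are constructed.
type OrgClaim = { name: string; roles: string[] };
type TokenParsed = {
  resource_access?: Record<string, { roles: string[] }>;
  organizations?: Record<string, OrgClaim>;
  org_id?: string;
};
type ApiMode = "onprem" | "cloud";
type SelectorOption = { kind: "global" } | { kind: "org"; id: string; name: string };
type SelectorResult = { options: SelectorOption[]; autoSelected?: { orgId: string; apiMode: ApiMode } };
type WizardStore = { apiMode: ApiMode; currentOrg?: string };

// Assumed role requirements (the real ones live in src/app/hooks/useRoleAccess.ts).
const requiredResourceRoles = { client: "realm-management", roles: ["manage-identity-providers"] };
const requiredOrganizationRoles = ["manage-identity-providers"];

const hasAll = (have: string[] | undefined, need: string[]): boolean =>
  need.every((r) => (have ?? []).includes(r));

// Builds the organization selector from the parsed token. A missing or
// malformed claim simply yields no option, never a "Global" one.
function buildSelector(token: TokenParsed, orgIdParam?: string): SelectorResult {
  const options: SelectorOption[] = [];
  // 1. "Global": realm-level (resource) roles required for onprem mode.
  const clientRoles = token.resource_access?.[requiredResourceRoles.client]?.roles;
  if (hasAll(clientRoles, requiredResourceRoles.roles)) options.push({ kind: "global" });
  // 2. One option per organization in which the user holds the required org roles.
  const orgs = token.organizations ?? {};
  for (const [id, org] of Object.entries(orgs)) {
    if (hasAll(org.roles, requiredOrganizationRoles)) options.push({ kind: "org", id, name: org.name });
  }
  // 3. org_id bypass (claim first, then http parameter), only if entitled to that org;
  //    an org_id the user has no roles in falls back to showing the selector.
  const orgId = token.org_id ?? orgIdParam;
  if (orgId && hasAll(orgs[orgId]?.roles, requiredOrganizationRoles)) {
    return { options, autoSelected: { orgId, apiMode: "cloud" } };
  }
  return { options };
}

// Selection side effect: Global -> onprem, organization -> cloud, overriding the
// apiMode default read from config. currentOrg stays unset for Global (unused in onprem).
function applySelection(store: WizardStore, choice: SelectorOption): WizardStore {
  return choice.kind === "global"
    ? { ...store, apiMode: "onprem", currentOrg: undefined }
    : { ...store, apiMode: "cloud", currentOrg: choice.id };
}
```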
I was able to add my user to the organization, but can add roles to it via the Cloud Console. Can that be done via the keycloak Admin UI?
By no means done, but lots of plumbing to get this to this point
I think I need to adjust this after reading the description above again. No global for specific orgs, just the ability to pick them.
Global is just an `onprem` vs `cloud` setting
Correct. Global is standalone. Pick between orgs.
> On Fri, Nov 18, 2022, at 5:57 AM, Jeff Patzer wrote:
> I think I need to adjust this after reading the description above again. No global for specific orgs, just the ability to pick them.
> Global is just an `onprem` vs `cloud` setting
Updated to do the following

- `apiMode` initially read from config (feature flags) then stuck into the store. Selecting an org will change that setting as well. General ? : what should we set the `currentOrg` id to if the user picks global?
- slight UI change to radio buttons
> General ? : what should we set the `currentOrg` id to if the user picks global?
It doesn't need to be set, as it won't get used with onprem mode. Let me know if you see any problems with that.
Two comments on the modal:

1) It can't be dismissed, so let's remove the X in the corner
2) For the title, let's use "Choose your Organization"

`X` dismissal button

> General ? : what should we set the `currentOrg` id to if the user picks global?
>
> It doesn't need to be set, as it won't get used with onprem mode. Let me know if you see any problems with that.
Shouldn't be. Was just trying to think through scenarios.
I think that covers a lot of the cases. I reread the ticket and didn't see any missing.
In `cloud` mode, if a user arrives with `organizations` claim, but no `org_id` claim: