Org selector

[xgp]

In cloud mode, if a user arrives with organizations claim, but no org_id claim:

1. check all orgs to see if they have the appropriate permissions for any orgs
2. if they have only one org with permission, auto select that one, and set it as the selected one (currently, i believe this is coming from the jwt, so there would need to be some local state for this)
3. if they have multiple orgs with permission, present an organization selector overlay modal (For which Organization are you configuring an Identity Provider? list of organizations' names and display names), and then set local state based on that selection.
4. indicate which organization they have selected beneath the logo
5. allow changing the selection?

[xgp]

We should also include in this a special choice for "Global" in the case where the user has the realm level roles required for onprem mode. This would be a separate button with some kind of context in the button like "You have permission to created IdPs for the entire Realm". This selection would also override whatever apiMode is set in the config when it is selected.
Global
You have permission to created IdPs for the entire Realm

Select Organization
jeff's default organization
--> org-abcd1234
Villefranche-sur-Mer
--> org-abcd1234
Booyah chicken
--> org-abcd1234

Sorry for the shi**y looking mockup ;). I'm thinking something like the create deployment buttons where there is some context in each button.

[jeffpatzer]

Ok some (dumb?) questions to make sure I'm looking at this in the right way:

• I think my Org setup is out of date or something has changed. I tried to regenerate a portal link for cloud, but was getting a 500 error

~/workspace/phase-two/idp-wizard (main*) » ./util/portal-link-cloud.sh                     pnzr@pnzrs-MacBook-Pro
Host (format http://foo.com ): https://app.phasetwo.io
Realm: cloud
Username: jpatzer@gmail.com
Password:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1979  100  1895  100    84   2112     93 --:--:-- --:--:-- --:--:--  2218
orgId: 5e2288c5-1867-4e13-9b35-824be46fa5cc
baseUri (e.g. http://localhost:9000/auth ): http://localhost:9000/auth
{"error":"HTTP 500 Internal Server Error"}%        

• I can login with a basic user that has no organizations but some permissions. Where do I go to actually manage users for this realm? (I feel like I should have asked that a long time ago so I could manage the test user(s) easier)

• Check I plan on doing is looking at tokenParsed then backing into the Orgs + Roles for that. Sounds right?
• How does one toggle onprem mode for testing?

[xgp]

I think my Org setup is out of date or something has changed. I tried to regenerate a portal link for cloud, but was getting a 500 error

Try 5e2288c5-1867-4e13-9b35-824be46fa5cc for your orgId. I think I deleted the old test org.

Where do I go to actually manage users for this realm?

https://app.phasetwo.io/auth/admin/cloud/console/ using your jpatzer@gmail.com account

I can login with a basic user that has no organizations but some permissions

Take a look at the token once you get portal link working above. It should have the organizations.

Check I plan on doing is looking at tokenParsed then backing into the Orgs + Roles for that. Sounds right?

Correct. In the future, I may pull it from a different place (something in OIDC called userinfo), so it would be nice to have the checking done behind some abstraction that could take the tokenParsed for now, and the userinfo in the future.

How does one toggle onprem mode for testing?

Two answers:

1. For expedience, just hard code it
2. One side-effect of this selector is that it obviates the need for the "mode". I'm afraid this wasn't clear from my description earlier. Let me try again:

When the user first enters the wizard, we should check for their permissions in their tokenParsed. The content of the token dictates the content of an "organization selector" that will be presented to them. (for roles reference, see src/app/hooks/useRoleAccess.ts)

Selector options:

• If the user has the requiredResourceRoles in their resource roles, display a "Global" option
• For each organization in the user's organizations token claim, if the user has the requiredOrganizationRoles for that organization, display an option with that organization's name.
  • If the user arrives with an org_id in the claim or an org_id http parameter in the request, and they have the requiredOrganizationRoles for that organization, bypass the selector as if the organization specified in the org_id was selected.

Selection side effects:

• If the user selects the Global option, the mode should be set to onprem, overriding the default from the config.
• If the user selects one of the organization options, the mode should be set to cloud, overriding the default from the config.

[jeffpatzer]

Getting stonewalled on this login. I am very sure I'm using the right password. Wrong passwords give me a 401 - Not Authorized while entering the right one is giving me a HTTP 500 Internal Server Error

Right password, getting 500

$ ./util/portal-link-cloud.sh
Host (format http://foo.com ): https://app.phasetwo.io
Realm: cloud
Username: jpatzer@gmail.com
Password:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1989  100  1895  100    94   2631    130 --:--:-- --:--:-- --:--:--  2777
orgId: 5e2288c5-1867-4e13-9b35-824be46fa5cc
baseUri (e.g. http://localhost:9000/auth ): http://localhost:9090/auth
{"error":"HTTP 500 Internal Server Error"}%   

Wrong password

$ ./util/portal-link-cloud.sh       
Host (format http://foo.com ): https://app.phasetwo.io
Realm: cloud
Username: jpatzer@gmail.com
Password:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   164  100    72  100    92    119    152 --:--:-- --:--:-- --:--:--   273
orgId: 5e2288c5-1867-4e13-9b35-824be46fa5cc
baseUri (e.g. http://localhost:9000/auth ): http://localhost:9000/auth
{"error":"HTTP 401 Unauthorized"}%       

[jeffpatzer]

I was able to add my user to the organization, but can add roles to it via the Cloud Console. Can that be done via the keycloak Admin UI?

[jeffpatzer]

[jeffpatzer]

[jeffpatzer]

By no means done, but lots of plumbing to get this to this point

[jeffpatzer]

I think I need to adjust this after reading the description above again. No global for specific orgs, just the ability to pick them.

Global is just and onprem vs cloud setting

[xgp]

Correct. Global is standalone. Pick between orgs.

On Fri, Nov 18, 2022, at 5:57 AM, Jeff Patzer wrote:

I think I need to adjust this after reading the description above again. No global for specific orgs, just the ability to pick them.

Global is just and onprem vs cloud setting

— Reply to this email directly, view it on GitHub https://github.com/p2-inc/idp-wizard/issues/114#issuecomment-1319546286, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAB3UHMJJRQHHDJSIMPU5ZTWI4EFJANCNFSM6AAAAAAQUSEPGY. You are receiving this because you authored the thread.Message ID: @.***>

[jeffpatzer]

[jeffpatzer]

[jeffpatzer]

Updated to do the following

• Autopick Org based on selection
• Autoshow the picker (if no org could have been picked). If there are no orgs available based on role, then what can the user actually do? Or should they do
• apiMode initially read from config (feature flags) then stuck into the store. Selecting an org will change that setting as well.

General ? : what should we set the currentOrg id to if the user picks global?

[jeffpatzer]

slight UI change to radio buttons

[xgp]

General ? : what should we set the currentOrg id to if the user picks global?

It doesn't need to be set, as it won't get used with onprem mode. Let me know if you see any problems with that.

[xgp]

Two comments on the modal: 1) It can't be dismissed, so lets remove the X in the corner 2) For the title , let's use "Choose your Organization"

[jeffpatzer]

• Removed the X dismissal button
• Changed the title.
• Can't use "escape" button to close either.
• Removed "Cancel" button
• Only way to "exit" the modal is to pick an organization.

General ? : what should we set the currentOrg id to if the user picks global?

It doesn't need to be set, as it won't get used with onprem mode. Let me know if you see any problems with that.

Shouldn't be. Was just trying to think through scenarios.

I think that covers a lot of the cases. I reread the ticket and didn't see any missing.