xcube-dev / xcube-viewer

A simple viewer component for xcube-server
MIT License
27 stars 9 forks

After Auth0 sign in, viewer not showing restricted datasets #149

Closed tiagoams closed 1 year ago

tiagoams commented 3 years ago

Hi,

The behaviour seen is that only unrestricted datasets are listed on the top bar after Auth0 login (scopes are not respected). I tested that the scopes are correct by using the flow for curl on the Auth0 page for the webapp created.

curl --request GET \
  --url https://datacube.cefas.co.uk/xcube/datasets \
  --header 'authorization: Bearer <token>'

This either returns "demo" dataset if correctly authenticated with Client ID and secret or "demoold" if not (see config.yml below).

When I look at the network traffic after the Auth0 login I don't see the viewer requesting data from the API using a token. Shouldn't request 4 have a token?

1. https://dev-h5f1i4sy.eu.auth0.com/u/login?state=<*****>
2. https://datacube.cefas.co.uk/protected/redirect_uri?code=**************&state=**************
3. https://datacube.cefas.co.uk/xcube/
4. https://datacube.cefas.co.uk/xcube/datasets?details=1&tiles=ol4

The setup in .env.local is as follows:

REACT_APP_BRANDING=default
REACT_APP_TITLE=xcube Viewer (dev)
REACT_APP_XCUBE_API=https://datacube.cefas.co.uk/xcube
REACT_APP_AUTH0_DOMAIN=https://dev-h5f1i4sy.eu.auth0.com
REACT_APP_AUTH0_CLIENT_ID=**************************************
REACT_APP_AUTH0_AUDIENCE=https://datacube.cefas.co.uk/xcube/

config.yml

Authentication:
  Domain: dev-h5f1i4sy.eu.auth0.com
  Audience: https://datacube.cefas.co.uk/xcube/

Datasets:
  - Identifier: demo
(...)
    AccessControl:
      RequiredScopes:
       - read:dataset:demo
  - Identifier: demoold
(..)
    AccessControl:
      IsSubstitute: true

Version is 0.4.2 commit a2890a7b310ae1d8005dcce10ad4b97e7f67b27a (HEAD, tag: v0.4.2, origin/0.4.x)
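One way to check what the token from the curl test actually carries, as an added example that is not part of the original post or of the xcube code. It decodes the access token's claims and compares them with the `Audience` and `RequiredScopes` from the config.yml above; the page does not say which claim xcube server reads, so the assumption here is that scopes may arrive in either `scope` or `permissions`. The sample tokens are constructed.

```python
import base64
import json

# Values taken from the config.yml and .env.local shown in the post.
AUDIENCE = "https://datacube.cefas.co.uk/xcube/"
REQUIRED_SCOPES = {"read:dataset:demo"}


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_scopes(claims: dict) -> set:
    """Collect scopes from 'scope' (space-delimited) and 'permissions' (list)."""
    scopes = set(str(claims.get("scope", "")).split())
    scopes.update(claims.get("permissions") or [])
    return scopes


def diagnose(token: str) -> list:
    """Return a list of problems; an empty list means the claims look right."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if AUDIENCE not in audiences:  # exact match, trailing slash included
        problems.append(f"aud {audiences} does not contain {AUDIENCE}")
    missing = REQUIRED_SCOPES - granted_scopes(claims)
    if missing:
        problems.append(f"missing scopes: {sorted(missing)}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    good = make_sample_token({"aud": AUDIENCE, "permissions": ["read:dataset:demo"]})
    bad = make_sample_token({"aud": [AUDIENCE], "scope": "openid profile"})
    print(diagnose(good))
    print(diagnose(bad))
```

Running `diagnose()` on the token used with curl and on the token the browser session holds (if any) shows whether the two differ in audience or scopes.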

forman commented 3 years ago

@tiagoams I guess we have to check your Auth0 configuration. xcube server/viewer should work as expected; we have multiple instances running with similar configurations.

tiagoams commented 3 years ago

@forman Thanks, I am using the following configurations in Auth0:

Applications->APIs
id: ***** used in REACT_APP_AUTH0_CLIENT_ID
Name: datacube
Identifier: https://datacube.cefas.co.uk/xcube/ used in REACT_APP_AUTH0_AUDIENCE

I have also tried Applications->Applications-> Regular Web application/Machine to Machine

AliceBalfanz commented 3 years ago

Hi @tiagoams, one thought on why the datasets might not be showing up in the viewer: are the identifiers of the datasets configured according to the user group in your Auth0 management interface? I know that each time we add a new dataset with a new identifier, we also need to make sure it is configured on the Auth0 side.

tiagoams commented 3 years ago

Thanks @AliceBalfanz, I am sure something is missing in my Auth0 settings, but I also think that the curl test in my first post shows that the permissions are correct.

It is clear that xcube can authenticate well with Auth0, but there is no documentation on the OAuth workflow used by xcube+xviewer and the way to specify it in Auth0. What is the Auth0 workflow that must be chosen? The following applications are available: Native, Single Page, Regular Web, Machine to Machine

Additionally, I set up an "Auth0 Custom API" pointing to https://datacube.cefas.co.uk/xcube/

For completeness here are my settings regarding permissions: image