
Reconfigure core and ingest UI to use HCA auth0 #197

Closed
2 tasks
simonjupp opened this issue Sep 18, 2018 · 14 comments
Assignees
Labels
security Ticket concerns platform security

Comments

@simonjupp (Contributor) commented Sep 18, 2018

  • Reconfigure core to use the HCA auth0 instead of Daniel's
  • Reconfigure UI to use the HCA auth0 as well
@simonjupp simonjupp added enhancement security Ticket concerns platform security labels Sep 18, 2018
@justincc (Contributor) commented Nov 27, 2018

DCP DEMO on Tues 2018-12-04: Wranglers logging in through the UI to DCP auth. Only whitelisted users can access the system. Show that the API is secured in the same way.

@justincc (Contributor) commented Dec 5, 2018

Needs to be done imminently since warnings are appearing on @danielvaughan's free account

@justincc justincc assigned justincc, aaclan-ebi and rdgoite and unassigned justincc Dec 5, 2018
@justincc (Contributor) commented Dec 6, 2018

Per discussion with @aaclan-ebi this is not straightforward. We have been using the OAuth2.0 implicit grant up to now since ingest UI is a pure browser-side Angular app, and so can't be trusted with client_secret.

However, it looks like DCP Auth requires use of OAuth 2.0 authorization code grant which gives out the client secret.

Interestingly the demo code section in the DCP auth doc says that client_secret can be made available publicly. I find this surprising in light of the above. @Bento007 please could you explain how this works?

[1] https://auth0.com/docs/api-auth/grant/implicit
[2] https://allspark.dev.data.humancellatlas.org/dcp-ops/docs/wikis/Security/Authentication%20and%20Authorization/Setting%20up%20DCP%20Auth
[3] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant

@justincc justincc added the blocked We can't progress this ticket because some external factor is blocking us label Dec 6, 2018
@Bento007 (Member) commented Dec 6, 2018

We are currently managing auth0 using auth0-deploy-cli. You can modify the configuration here https://github.com/HumanCellAtlas/dcp-infra/tree/master/auth0

@Bento007 (Member) commented Dec 6, 2018

The client IDs and secrets are used to identify the application origin of the request. It is not being used for secrecy. You should be able to use https://auth.dev.data.humancellatlas.org/ to retrieve an access token for your webapp.
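Added example, not code from this thread, from DCP Auth or from auth0: an in-process model of the authorization code grant's token endpoint, so the distinction raised in the two comments above (a pure browser-side app cannot be trusted with a client_secret, while the authorization code grant normally expects one) becomes concrete. It goes beyond the thread in one respect: the public client proves it started the flow with a PKCE code_verifier (RFC 7636) instead of a secret, which is the standard way a browser app uses the authorization code grant, whereas the confidential server-side client authenticates with its secret. The client names, redirect URIs and the secret value are constructed placeholders; the server is a toy and does not model the bearer-token check an API would do.

```python
"""Toy OAuth 2.0 authorization code grant: confidential client vs. public (PKCE) client."""
import base64
import hashlib
import hmac
import secrets

CORE_SECRET = "core-secret-CONSTRUCTED"      # constructed placeholder, not a real secret
CORE_REDIRECT = "https://core.example/callback"  # constructed placeholder
UI_REDIRECT = "https://ui.example/callback"      # constructed placeholder


def s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """The browser app generates a verifier and sends only its challenge at /authorize."""
    verifier = secrets.token_urlsafe(32)
    return verifier, s256(verifier)


class AuthServer:
    """Minimal authorization server: one confidential client, one public (SPA) client."""

    def __init__(self):
        # constructed registrations: a secret for the server-side app, none for the SPA
        self.clients = {
            "ingest-core": {"secret": CORE_SECRET, "public": False},
            "ingest-ui": {"secret": None, "public": True},
        }
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge=None):
        """Step 1: after the user logs in, issue a single-use code bound to the request."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        if self.clients[client_id]["public"] and code_challenge is None:
            raise ValueError("public client must send a PKCE code_challenge")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code, client_id, redirect_uri, client_secret=None, code_verifier=None):
        """Step 2: exchange the code; the proof accepted depends on the client type."""
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed once only
        if entry is None:
            return None
        stored_client, stored_redirect, challenge = entry
        if stored_client != client_id or stored_redirect != redirect_uri:
            return None
        client = self.clients[client_id]
        if client["public"]:
            # SPA: no secret exists; the verifier must hash to the challenge sent earlier
            if code_verifier is None or not hmac.compare_digest(s256(code_verifier), challenge):
                return None
        else:
            # server-side app: authenticate with the registered client_secret
            if client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
                return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "client_id": client_id}


def confidential_flow(server):
    """Server-side client (core) completes the exchange with its secret."""
    code = server.authorize("ingest-core", CORE_REDIRECT)
    return server.token(code, "ingest-core", CORE_REDIRECT, client_secret=CORE_SECRET)


def spa_flow(server, tamper=False):
    """Browser client (UI) completes the exchange with the PKCE verifier, no secret."""
    verifier, challenge = make_pkce_pair()
    code = server.authorize("ingest-ui", UI_REDIRECT, code_challenge=challenge)
    if tamper:
        verifier = "not-the-verifier-that-was-hashed"  # simulates a stolen code, wrong verifier
    return server.token(code, "ingest-ui", UI_REDIRECT, code_verifier=verifier)


def spa_without_proof(server):
    """A code alone, with neither secret nor verifier, must not yield a token."""
    _, challenge = make_pkce_pair()
    code = server.authorize("ingest-ui", UI_REDIRECT, code_challenge=challenge)
    return server.token(code, "ingest-ui", UI_REDIRECT)


def replay_rejected(server):
    """Redeeming the same code twice fails on the second attempt."""
    verifier, challenge = make_pkce_pair()
    code = server.authorize("ingest-ui", UI_REDIRECT, code_challenge=challenge)
    first = server.token(code, "ingest-ui", UI_REDIRECT, code_verifier=verifier)
    second = server.token(code, "ingest-ui", UI_REDIRECT, code_verifier=verifier)
    return first is not None and second is None


if __name__ == "__main__":
    s = AuthServer()
    print("core:", confidential_flow(s)["client_id"])
    print("ui:", spa_flow(s)["client_id"])
    print("ui wrong verifier:", spa_flow(s, tamper=True))
    print("replay rejected:", replay_rejected(s))
```

The point this isolates is that the secret and the verifier play different roles: the secret authenticates a client that can keep it private, while the verifier only proves that the party redeeming the code is the one that started the flow, which is what a browser app can honestly offer. Neither mechanism replaces the whitelist check on who may log in or the bearer-token validation the API performs.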

@justincc justincc removed the blocked We can't progress this ticket because some external factor is blocking us label Dec 10, 2018
@justincc justincc changed the title Transfer ingest UI to use HCA Auth0 Reconfigure core and ingest UI to use HCA auth0 Jan 2, 2019
@justincc (Contributor) commented Jan 2, 2019

Need a Google Service Account for DCP integration test to authenticate with ingest now. Going to ask for this in the tech arch meeting on 2019-01-03

@justincc (Contributor) commented Jan 2, 2019

Possible blocker is that dcp-diag may also need to update for change in the auth0 endpoint. I hear that you were going to look at this @sampierson?

@sampierson (Member)

Yes @justincc , dcp-diag uses the same kind of IngestAuthAgent code that the integration tests do.

Also if we are to switch Upload from connecting directly to RabbitMQ and use an API instead, Upload will need this code in future.

@justincc (Contributor) commented Jan 2, 2019

The upload API endpoints are covered under upload-service#245. Can I create a similar ticket in dcp-diag so I don't lose track?

@sampierson (Member)

Yes, please do. Thanks!

@justincc (Contributor) commented Jan 2, 2019

@justincc (Contributor)

UI changes or alternative covered in #285

@aaclan-ebi (Collaborator)


6 participants