Bug 1566190 Comment 18 Edit History

I've looked through TH code and the implementation of the new authorization-flow and I have more questions:

What it appears we're currently doing in TH when a user hits the login button is (simplified): 
1) in frontend, request access_token via auth0 web client
2) Once we have the token, which we store in browser as userSession, we include it in headers and call our auth/login API
3) In the backend, we use header info to call the auth0 jwt validator, to validate the token and get user details
4) That info is also used to query a user in our db, and is used for session management - user info is returned
5) credentials/access_token is verified in frontend via the taskcluster-web-client's OIDCCredentialAgent method when TC actions are performed

So, what it looks like I need to change is:
1) in frontend, request authorization code via <rootUrl>/login/oauth/authorize
2) using that code, request token via <rootUrl>/login/oauth/token
3) instead of in the backend, the frontend will query <rootUrl>/login/oauth/credentials to verify the token and get credentials; store those in the browser userSession, indexed by rootUrl
4) then we would need to pass pertinent info re session expiry, username and email to the backend auth/login in order to return the user details as before (being careful not to pass access_token per the [guidelines](https://docs.taskcluster.net/docs/manual/using/integration/guidelines#careful-with-credentials))
5) create an instance of taskcluster.Auth, passing in credentials and rootUrl params that is called when TC actions are performed

The actual questions:
- Does that sound right?
- Should the firefox-ci credentials always be retrieved when a user hits the login button, and community-ci/servo only if a user tries to perform a TC action on that particular repo (for the first time that happens, if not previously stored)?
- When the TC credentials expire, do we need to do step 3 or steps 1-3?
