Bug 1286611 - [PulseGuardian] Switch auth from Persona to auth0
Opened 8 years ago, Closed 7 years ago
Categories: Webtools :: Pulse, defect, P1
Status: RESOLVED FIXED
People: Reporter: mcote, Assigned: camd
Attachments: 1 file
Persona is going away, so we'll need to switch our auth system. Originally I wanted Pulse to be open to any Mozillian, but (a) we never did restrict login past plain Persona and (b) I don't think any non-employees (or at least anyone without LDAP) have used Pulse much. Switching to Okta makes sense, for now at least.
Updated•8 years ago (Reporter)
Summary: Switch auth to Okta → [PulseGuardian] Switch auth to Okta
Updated•8 years ago
Summary: [PulseGuardian] Switch auth to Okta → [PulseGuardian] Switch auth from Persona to Okta
Comment 2•8 years ago (Reporter)
We'll be moving to TC auth, not directly to Okta. And camd is doing the work. :)
Assignee: nobody → cdawson
Summary: [PulseGuardian] Switch auth from Persona to Okta → [PulseGuardian] Switch auth from Persona to TaskCluster auth
Comment 3•8 years ago (Assignee)
I'm actually hoping I can use Auth0 instead. Still investigating with :kang
Comment 4•8 years ago (Assignee)
Hi Kang-- If you can add any info to help me get started with this here, that'd be awesome. Thanks!
Flags: needinfo?(gdestuynder)
Updated•8 years ago (Assignee)
Summary: [PulseGuardian] Switch auth from Persona to TaskCluster auth → [PulseGuardian] Switch auth from Persona to auth0
Hi, we're currently getting ready to enroll new RPs like https://pulseguardian.mozilla.org (see https://mana.mozilla.org/wiki/display/SECURITY/SSO+Request+Form for an example).

Depending on your setup you could either implement OIDC directly in the app, which lets employees and community alike log in to the system (your choice), or front the service with a reverse proxy that supports OIDC (example: http://testrp.security.allizom.org/).

We have some "test doc" at https://wiki.mozilla.org/User:Gdestuynder/test but that's going to a more proper location soon.
Flags: needinfo?(gdestuynder)
Comment 6•8 years ago (Assignee)
I just had a great conversation with Kang. If we can put Nginx in front of gunicorn where Pulse Guardian is hosted, then we can specify certain URLs as "needing login", which would trigger hitting the Auth0 proxy so the user would be required to log in.

In that scenario, we would not protect:
* https://pulseguardian.mozilla.org
* https://pulseguardian.mozilla.org/whats_pulse

And we WOULD require login on:
* https://pulseguardian.mozilla.org/profile
* https://pulseguardian.mozilla.org/all_pulse_users
* https://pulseguardian.mozilla.org/queues

Once the proxy verified login, it would hand the token over to PG, which would give info about the logged-in user. This is probably the easiest way to transition to auth0 from Persona. The login button on the main page would just link to one of the protected URLs (probably /profile), which would trigger the login page.

Mark: how is PG hosted? Is it Heroku? Sorry, I can't recall.
Flags: needinfo?(mcote)
Comment 7•8 years ago
Yeah it's on Heroku :-)

$ host pulseguardian.mozilla.org
pulseguardian.mozilla.org is an alias for shizuoka-2362.herokussl.com.
shizuoka-2362.herokussl.com is an alias for elb070734-491151387.us-east-1.elb.amazonaws.com.
elb070734-491151387.us-east-1.elb.amazonaws.com has address 107.20.209.145
elb070734-491151387.us-east-1.elb.amazonaws.com has address 54.235.196.143
elb070734-491151387.us-east-1.elb.amazonaws.com has address 23.21.218.66
Comment 8•8 years ago (Assignee)
Talked with Ed a bit about this in IRC and I found a blog post about using the Nginx static buildpack: https://m.alphasights.com/using-nginx-on-heroku-to-serve-single-page-apps-and-avoid-cors-5d013b171a45#.pqx024ig0 A lot of that info is out of my brain's domain at the moment, but thought I'd link to it here so I don't forget. It may end up just being easier to use the Flask auth0 library, if it's working ok. Still investigating things.
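Whichever way the login reaches the app (the OIDC proxy handing a token over to PG as sketched in comment 6, or the callback of a Flask Auth0 library as considered above), the application still has to verify the ID token before it trusts any user info in it. The block below is an added example written for this bug, not PulseGuardian's code and not the Flask auth0 library's: it uses only the Python standard library and checks an HS256 ID token (signed with the client secret) the way a relying party must. The issuer, audience, secret and the claims in the constructed token are assumptions for the example; the protected-path list is the one from comment 6. The same claim checks apply to RS256 tokens, which would instead need the tenant's public key and are not covered here.

```python
"""Offline verification of an OpenID Connect ID token (HS256), stdlib only.
Added example for this bug; not PulseGuardian's own implementation."""
import base64
import hashlib
import hmac
import json
import time

# Assumed values. A real deployment reads these from the environment
# (the thread mentions putting the Auth0 env vars into Heroku).
ISSUER = "https://example.auth0.com/"        # assumption: Auth0 tenant URL
AUDIENCE = "pulseguardian-client-id"          # assumption: the Auth0 client_id
CLIENT_SECRET = "constructed-test-secret"     # constructed for this example only

# The paths comment 6 says must require login; everything else stays public.
PROTECTED_PREFIXES = ("/profile", "/all_pulse_users", "/queues")


class TokenError(Exception):
    """Raised for any reason the token must not be trusted."""


def path_requires_login(path: str) -> bool:
    """Exact match or a sub-path; '/profiles' must not match '/profile'."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_id_token(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Stand-in for the identity provider, used only to build constructed test input.
    alg="none" produces the unsigned token an attacker would try."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, secret: str, issuer: str, audience: str,
                    nonce: str = None, now: float = None, leeway: int = 60) -> dict:
    """Return the claims only if alg, signature, iss, aud, exp (and nonce) all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:          # bad base64, bad JSON, bad UTF-8
        raise TokenError(f"undecodable token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("header and payload must be JSON objects")
    # Pin the algorithm on the verifier side. Honouring header["alg"] is what
    # makes "alg":"none" and key-confusion bypasses work.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h_b64}.{p_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")            # a string, or a list per the OIDC spec
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise TokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenError("expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch")
    return claims
```

The nonce argument is the value the app stored in the session before redirecting to the authorize endpoint; passing it ties the returned token to that login attempt. A token that fails any check is rejected outright rather than partially trusted, and the user-facing code only ever sees the dict this function returns.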
Comment 10•7 years ago (Assignee)
I've tested this quite a bit locally, but not on Heroku yet, of course. If you think things look good, we can push it out there temporarily tomorrow.
Attachment #8813445 - Flags: review?(mcote)
Comment 11•7 years ago (Reporter)
Comment on attachment 8813445: Switch to Auth0
Review left on the PR.
Attachment #8813445 - Flags: review?(mcote) → review-
Comment 12•7 years ago (Assignee)
Comment on attachment 8813445: Switch to Auth0
Ok, I've made the review changes you requested. Please have another look at your convenience. Thanks.
Attachment #8813445 - Flags: review- → review?(mcote)
Comment 13•7 years ago (Reporter)
Comment on attachment 8813445: Switch to Auth0
Yay! Let's get this deployed as soon as possible.
Attachment #8813445 - Flags: review?(mcote) → review+
Comment 14•7 years ago (Assignee)
Sweet! Thanks. I already put the env vars into Heroku for this. So as soon as we deploy, it should be good to go. I'll check a couple things and then merge.
Comment 15•7 years ago (Assignee)
Pushed to production.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED