Closed Bug 1286611 Opened 8 years ago Closed 7 years ago

[PulseGuardian] Switch auth from Persona to auth0

Categories: Webtools :: Pulse, defect, P1
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: mcote, Assigned: camd
Attachments (1 file): 48 bytes, text/x-github-pull-request, mcote: review+
Persona is going away, so we'll need to switch our auth system.  Originally I wanted Pulse to be open to any Mozillian, but (a) we never did restrict login past plain Persona and (b) I don't think any non-employees (or at least anyone without LDAP) have used Pulse much.  Switching to Okta makes sense, for now at least.
Summary: Switch auth to Okta → [PulseGuardian] Switch auth to Okta
Summary: [PulseGuardian] Switch auth to Okta → [PulseGuardian] Switch auth from Persona to Okta
We'll be moving to TC auth, not directly to Okta.  And camd is doing the work. :)
Assignee: nobody → cdawson
Summary: [PulseGuardian] Switch auth from Persona to Okta → [PulseGuardian] Switch auth from Persona to TaskCluster auth
I'm actually hoping I can use Auth0 instead.  Still investigating with :kang
Hi Kang--  If you can add any info to help me get started with this here, that'd be awesome.  Thanks!
Flags: needinfo?(gdestuynder)
See Also: → 1315730
Summary: [PulseGuardian] Switch auth from Persona to TaskCluster auth → [PulseGuardian] Switch auth from Persona to auth0
Hi,
We're currently getting ready to enroll new RPs like https://pulseguardian.mozilla.org (see https://mana.mozilla.org/wiki/display/SECURITY/SSO+Request+Form for an example).

Depending on your setup you could either implement OIDC directly in the app, which lets employees and community alike log in to the system (your choice), or front the service with a reverse proxy that supports OIDC (example: http://testrp.security.allizom.org/).

We have some "test doc" at https://wiki.mozilla.org/User:Gdestuynder/test but that's going to move to a more proper location soon.
Flags: needinfo?(gdestuynder)
I just had a great conversation with Kang.  If we can put Nginx in front of gunicorn where Pulse Guardian is hosted, then we can specify certain URLs as "needing login", which would trigger hitting the Auth0 proxy so the user would be required to log in.

In that scenario, we would not protect:
* https://pulseguardian.mozilla.org
* https://pulseguardian.mozilla.org/whats_pulse

And we WOULD require login on:
* https://pulseguardian.mozilla.org/profile
* https://pulseguardian.mozilla.org/all_pulse_users
* https://pulseguardian.mozilla.org/queues

Once the proxy verified login, it would hand the token over to PG which would give info about the logged in user.

This is probably the easiest way to transition to auth0 from Persona.  The login button on the main page would just link to one of the protected urls (probably /profile) which would trigger the login page.

Mark: how is PG hosted?  Is it Heroku?  Sorry, I can't recall.
Flags: needinfo?(mcote)
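The split described in the comment above (public landing pages, login required for /profile, /all_pulse_users and /queues, the proxy handing the verified identity to the app) as an added example; this is not the bug's or the PulseGuardian project's own configuration. It uses nginx's auth_request module, and it goes one step further than the comment by making login the default and listing only the public paths explicitly, so a new route cannot be exposed by forgetting to add it to a protected list. The gunicorn port (8000), the auth proxy port (4180), the /_auth and /login paths, and the X-Forwarded-User header name are all assumptions for this illustration.

```nginx
# Added illustration, not PulseGuardian's real config. Ports (8000 for
# gunicorn, 4180 for the auth proxy), the /_auth and /login paths and the
# X-Forwarded-User header name are assumptions for this example.
upstream pulseguardian_app {
    server 127.0.0.1:8000;   # gunicorn, bound to localhost only
}

server {
    listen 443 ssl;
    server_name pulseguardian.mozilla.org;
    # ssl_certificate / ssl_certificate_key directives omitted here

    # Default: every path requires a verified login. nginx issues an internal
    # subrequest to /_auth; the app is reached only if that returns 2xx.
    location / {
        auth_request /_auth;
        # Copy the identity the auth proxy asserted into a header the app reads.
        auth_request_set $auth_user $upstream_http_x_forwarded_user;
        proxy_set_header X-Forwarded-User $auth_user;
        error_page 401 403 = @login;
        proxy_pass http://pulseguardian_app;
    }

    # Explicitly public pages: proxied straight through with no auth_request,
    # and with any client-supplied identity header stripped.
    location = / {
        proxy_set_header X-Forwarded-User "";
        proxy_pass http://pulseguardian_app;
    }
    location = /whats_pulse {
        proxy_set_header X-Forwarded-User "";
        proxy_pass http://pulseguardian_app;
    }

    # The auth proxy's own login/callback endpoints must stay reachable.
    location /login {
        proxy_pass http://127.0.0.1:4180;
    }

    # Internal-only subrequest target: forwards the cookies, drops the body.
    location = /_auth {
        internal;
        proxy_pass http://127.0.0.1:4180/auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # Unauthenticated request to a protected path: send the browser to login.
    location @login {
        return 302 /login?next=$request_uri;
    }
}
```

Two things make this safe to rely on: gunicorn must listen only on localhost (or otherwise be unreachable except through nginx), since the app trusts X-Forwarded-User without further checks, and the public locations must overwrite that header rather than pass a client-supplied value through. With this in place the "Login" button on the main page can simply link to /profile, as the comment proposes, and nginx's 302 to /login takes care of the rest.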
Yeah it's on Heroku :-)

$ host pulseguardian.mozilla.org
pulseguardian.mozilla.org is an alias for shizuoka-2362.herokussl.com.
shizuoka-2362.herokussl.com is an alias for elb070734-491151387.us-east-1.elb.amazonaws.com.
elb070734-491151387.us-east-1.elb.amazonaws.com has address 107.20.209.145
elb070734-491151387.us-east-1.elb.amazonaws.com has address 54.235.196.143
elb070734-491151387.us-east-1.elb.amazonaws.com has address 23.21.218.66
Talked with Ed a bit about this in IRC and I found a blog post about using the Nginx static buildpack:
https://m.alphasights.com/using-nginx-on-heroku-to-serve-single-page-apps-and-avoid-cors-5d013b171a45#.pqx024ig0

A lot of that info is out of my brain's domain at the moment, but thought I'd link to it here so I don't forget.

It may end up just being easier to use the Flask auth0 library, if it's working ok.  Still investigating things.
Ed answered my question to mcote.
Flags: needinfo?(mcote)
Attached file Switch to Auth0
I've tested this quite a bit locally, but not on Heroku yet, of course.  If you think things look good, we can push it out there temporarily tomorrow.
Attachment #8813445 - Flags: review?(mcote)
Comment on attachment 8813445 [details] [review]
Switch to Auth0

Review left on the PR.
Attachment #8813445 - Flags: review?(mcote) → review-
Comment on attachment 8813445 [details] [review]
Switch to Auth0

Ok, I've made the review changes you requested.  Please have another look at your convenience.  Thanks.
Attachment #8813445 - Flags: review- → review?(mcote)
Comment on attachment 8813445 [details] [review]
Switch to Auth0

Yay!  Let's get this deployed as soon as possible.
Attachment #8813445 - Flags: review?(mcote) → review+
Sweet!  Thanks.  I already put the env vars into Heroku for this.  So as soon as we deploy, it should be good to go.  I'll check a couple things and then merge.
Pushed to production.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED