Closed Bug 867223 Opened 11 years ago Closed 11 years ago

[meta] SSO for webmaker.org apps

Categories

(Webmaker Graveyard :: webmaker.org, defect)

Product:
Webmaker Graveyard
Component:
webmaker.org
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: sedge, Unassigned)

References

Details

(Whiteboard: u=dev p=1 s=2013w20) 

In order to leverage the full benefits of an SSO system, a shared sessionCookie must be used by all Webmaker services and tools.  For this to work, they must all be hosted on the same root domain, and read/write the same cookie for session management.
Assignee: nobody → kieran.sedgwick
That should be OK, as long as we make sure to open the published "make" in a separate window and are happy to not have the sessionCookie work there.
Whiteboard: u=dev c=login p=1 s=2013w18 → u=dev c=webmaker.org p=1 s=2013w18
If the MakeAPI is going to use this for authenticated requests, the cookie must provide at least:

a) the user's email address
b) the users account type (admin/non-admin)
We could tack the entire user object on there.  It looks like this:

   _id: {
      type: String,
      required: true
    },
    email: {
      type: String,
      required: true,
      unique: true,
      validate: validate('isEmail')
    },
    name: {
      type: String,
      required: true,
      unique: true,
      validate: validate('isDomain')
    },
    createdAt: {
      type: Date,
      required: true,
      "default": Date.now
    },
    updatedAt: {
      type: Date,
      required: true,
      "default": Date.now
    },
    deletedAt:{
      type: Date,
      required: false
    },
    isAdmin: {
      type: Boolean,
      "default": false
    },
    isSuspended: {
      type: Boolean,
      "default": false
    },
    sendNotifications: {
      type: Boolean,
      "default": true
    },
    sendEngagements: {
      type: Boolean,
      "default": true
    }

... and can be accessed with:

user.attribute = value;
Blocks: 867222
Blocks: 866809
Blocks: 866832
Blocks: 866812
New data should be added to that cookie kicking and screaming. Let's do _id and isAdmin for now. 

The more we add to it, the more we have to continually support. -- Let's keep that surface area as small as possible.
+1 to Simon's points.
Nice point :wex.

Since _id could be variable (it may not stay the email), lets put email and isAdmin in instead.
Would also add displayName/subdomain to this
Lets not forget that the LoginAPIs can be accessed directly if the Login session data is stored in a cookie accessible by all Webmaker services.  This means that if they need more information, all they need is the user's email and they can gain access to the entire user object anyway.
:sedge, why email instead? It's going to be used for looking up records etc, this should be done with the `_id`. `email` should be used for contact and we should only add it if there's a requirement to do so. -- I did mean kicking and screaming.
:boozeniges those are fine fields, but again, let's wait until there's a request to add it.
:wex - it could go either way, but the makeAPI explicitly needs the email.
(In reply to Simon C. Wex from comment #9)
> :sedge, why email instead? It's going to be used for looking up records etc,
> this should be done with the `_id`. `email` should be used for contact and
> we should only add it if there's a requirement to do so. -- I did mean
> kicking and screaming.

(In reply to Kieran Sedgwick (:sedge) from comment #11)
> :wex - it could go either way, but the makeAPI explicitly needs the email.

Yes, I need to know what email is associate with the Webmaker account so that I can enforce tagging requirements in the MakeAPI.
:cade you should be using the user id instead of email for the tag prefixes. It so happens that often _id == email

:sedge ^ that was the original design, you aren't doing anything funny with _id, are you?
:wex - nope, just acknowledging that email will always be email, while _id could end up being something else in the future.  If you think _id is safe to use for that, _id it is!
:cade, :sedge

It is possible that we may not have a value for `email`, we will always have an _id though.
No longer blocks: 867222
:cade - Here's where we're at so far: https://github.com/ksedge/login.webmaker.org/tree/b867218
No longer blocks: 866812
At this point we're attempting to fully understand why the session-sharing between apps isn't stable.  Apps can assume we WILL get it there, and the other teams can assume "req.session.auth"'s existence to confirm a logged in user.  

Req.session.auth will contain an attribute called "_id", containing the user's email for further API calls to the login server if needed.
Whiteboard: u=dev c=webmaker.org p=1 s=2013w18 → u=dev p=1 s=2013w19
it's actually stable now, but we might have redundant code at this point. I filed an issue with express to find out whether that is the case or not, but in terms of stable session management, the pull requests are pending review atm.
I'm going to refactor the login integration stuff into a module that encapsulates the standard calls an app might need to make to the login server. See bug 869576
Depends on: 869576
Assignee: kieran.sedgwick → nobody
Summary: Standardize session management across all Webmaker.org services and tools → [meta] SSO for webmaker.org apps
Whiteboard: u=dev p=1 s=2013w19 → u=dev p=1 s=2013w20
Depends on: 870848
Depends on: 860365
We've decided to use https://github.com/jbuck/persona-sso for our SSO needs. It's currently being hosted at http://personasso.s3-website-us-east-1.amazonaws.com/include.html and works exactly like the current Persona API, except you need to use navigator.idSSO.* and use http://personasso.s3-website-us-east-1.amazonaws.com as your audience for verifying the assertion.
invalidated, we landed local-cookies
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.