Merge pull request #1252 from City-of-Helsinki/hds-2102-login-cookie-docs

HDS-2102: login data to cookie docs
NikoHelle committed May 7, 2024
2 parents beef1df + fef0c6b commit ec625c2
Showing 5 changed files with 137 additions and 22 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -15,7 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

#### Added

- [Component] What is added?
- [CookieConsent] Data stored by the HDS login component is now in the common cookies.
- [Login] Added a utility function to detect login callback error that could be ignored.
- [DateInput] Added example how to handle date ranges.

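Review bot: the unchanged placeholder `- [Component] What is added?` still sits directly above the new `[CookieConsent]` entry in the Added section; if it is the unreleased-section template line, make sure it is dropped before release, otherwise it reads as an unfinished entry next to the real ones.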
Expand Down Expand Up @@ -66,6 +66,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
#### Changed

- [Login] Login system is good enough to start using in production as well. We still welcome feedback and improve the component.
- [CookieConsent] Data stored by the HDS login component added to common cookie list.

#### Fixed

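Review bot: the new `[CookieConsent] Data stored by the HDS login component added to common cookie list.` line under Changed records the same change as the `[CookieConsent]` line added under Added in the hunk above; keep only one entry, and since the commit introduces a new `hdsLoginComponent` group and three new common cookie entries rather than altering existing ones, Added is the right section.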
Expand Up @@ -1057,8 +1057,28 @@ export const TunnistamoLoginCookies = (args) => {
currentLanguage: language,
requiredCookies: {
groups: [
{ commonGroup: 'tunnistamoLogin' },
{ commonGroup: 'loadBalancing', cookies: [{ commonCookie: 'tunnistamo-login-loadbalancer' }] },
{
commonGroup: 'tunnistamoLogin',
cookies: [
{
commonCookie: 'oidc-ts-storage',
},
{
commonCookie: 'hds-api-token-storage',
},
{
commonCookie: 'hds-api-token-user-reference',
},
],
},
{
commonGroup: 'loadBalancing',
cookies: [
{
commonCookie: 'tunnistamo-login-loadbalancer',
},
],
},
{
commonGroup: 'informationSecurity',
cookies: [{ commonCookie: 'tunnistamo-csrftoken' }],
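Review bot: the three session-storage entries (`oidc-ts-storage`, `hds-api-token-storage`, `hds-api-token-user-reference`) are placed under `commonGroup: 'tunnistamoLogin'`, while getContent.ts in this same commit introduces a dedicated `hdsLoginComponent` group for exactly these three keys; consider `{ commonGroup: 'hdsLoginComponent' }` here so the story exercises the new group and the consent dialog presents session-storage data separately from the Tunnistamo cookies. The `loadBalancing` change is only the one-line form expanded to multi-line and needs nothing further.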
80 changes: 80 additions & 0 deletions packages/react/src/components/cookieConsent/getContent.ts
Expand Up @@ -92,6 +92,11 @@ export function getCookieContent() {
const tunnistamoUrl = 'api.hel.fi';
const keycloakUrl = 'tunnistus.hel.fi';
const suomiFiUrl = 'suomi.fi';
const currentSiteTranslations = {
fi: 'Tämä sivusto',
sv: 'Denna webbsida',
en: 'Current domain',
};

return {
texts: {
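Review bot: `currentSiteTranslations` does not say the same thing in each language: fi `'Tämä sivusto'` (this site) and sv `'Denna webbsida'` (this web page) versus en `'Current domain'`; pick one meaning for all three (the docs table in this commit uses "Current domain") so the consent dialog shows equivalent text regardless of language.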
Expand Down Expand Up @@ -610,6 +615,20 @@ export function getCookieContent() {
},
],
},
hdsLoginComponent: {
...commonLoginGroupTranslations,
cookies: [
{
commonCookie: 'oidc-ts-storage',
},
{
commonCookie: 'hds-api-token-storage',
},
{
commonCookie: 'hds-api-token-user-reference',
},
],
},
},
commonCookies: {
helConsentCookie: {
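Review bot: `hdsLoginComponent` reuses `...commonLoginGroupTranslations` for its title and description, so the consent dialog will describe these three session-storage items with the same wording as the login cookie groups; verify that wording does not call them cookies, or give the group its own translations stating that the data is kept in session storage.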
Expand Down Expand Up @@ -833,6 +852,67 @@ export function getCookieContent() {
hostName: suomiFiUrl,
...commonLanguageTranslations,
},
'oidc-ts-storage': {
id: 'oidc-ts-storage',
name: 'oidc.user:*',
fi: {
hostName: currentSiteTranslations.fi,
description: 'Käyttäjän kirjautumistiedot tallennetaan selaimen muistiin (session storage).',
expiration: 'Istunto',
},
sv: {
hostName: currentSiteTranslations.sv,
description: 'Användarens inloggningsuppgifter lagras i webbläsarens minne (session storage).',
expiration: 'Session',
},
en: {
hostName: currentSiteTranslations.en,
description: "Authentication information of the user is saved to browser's memory (session storage).",
expiration: 'Session',
},
},
'hds-api-token-storage': {
id: 'hds_login_api_token_storage_key',
name: 'hds_login_api_token_storage_key',
fi: {
hostName: currentSiteTranslations.fi,
description:
'Kirjautuneen käyttäjän rajanpinta-avaimet (api tokens) tallennetaan selaimen muistiin (session storage).',
expiration: 'Istunto',
},
sv: {
hostName: currentSiteTranslations.sv,
description: 'Api-token för en autentiserad användare sparas i webbläsarens minne (session storage).',
expiration: 'Session',
},
en: {
hostName: currentSiteTranslations.en,
description: "Api tokens of an authenticated user is saved to browser's memory (session storage).",
expiration: 'Session',
},
},
'hds-api-token-user-reference': {
id: 'hds_login_api_token_user_reference',
name: 'hds_login_api_token_user_reference',
fi: {
hostName: currentSiteTranslations.fi,
description:
'Kirjautuneen käyttäjän pääsyoikeudet tallennetaan selaimen muistiin, jotta tunnistetaan kenen rajapinta-avaimet on tallessa.',
expiration: 'Istunto',
},
sv: {
hostName: currentSiteTranslations.sv,
description:
'Den inloggade användarens åtkomsträttigheter lagras i webbläsarens minne för att identifiera vems token som lagras.',
expiration: 'Session',
},
en: {
hostName: currentSiteTranslations.en,
description:
"Access token of an authenticated user is saved to browser's memory (session storage) to identify whose api tokens are stored.",
expiration: 'Session',
},
},
},
};
}
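Review bot: the three language descriptions of `hds-api-token-user-reference` disagree about what is stored: fi (`pääsyoikeudet`, access rights) and sv (`åtkomsträttigheter`, access rights) describe rights, while en says "Access token of an authenticated user is saved"; the key name and the docs table in this commit describe it as a reference identifying the user whose api tokens are stored, so all three texts should say that, and the English in particular should not claim an access token is stored if the stored value is a user reference. Smaller points in the same hunk: "Api tokens of an authenticated user is saved" should read "are saved"; `rajanpinta-avaimet` in the `hds-api-token-storage` fi text should be `rajapinta-avaimet` (spelled correctly in the next entry); and the `id` convention is mixed, with `oidc-ts-storage` keeping the hyphenated key as its id while the other two use the underscore storage key as both `id` and `name`.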
5 changes: 5 additions & 0 deletions site/src/docs/components/login/index.mdx
Expand Up @@ -56,6 +56,11 @@ HDS Login components cannot support SSR at the moment because of the session sto

Silent session renewal requires a <UsagePageAnchorLink anchor="silent-renewal">dedicated HTML file</UsagePageAnchorLink> that redirects to the OIDC provider "silently" in an iframe.

### Consents for storing data

The data of the authenticated user is stored in the session storage. Users must give consent to storing data in the session storage, just like cookie consents.
You can use the ready-made consents in the <InternalLink href="/patterns/cookies/common-helsinki-cookies/#hds-login-component">common Helsinki cookies</InternalLink>.

### Example Usage

<PlaygroundPreview>
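Review bot: the new "Consents for storing data" section says users must consent before data is stored in session storage, but does not say what the login component does when consent has not been given (whether login is refused or the data is simply not persisted); a sentence on that behaviour, and on session storage being cleared when the tab is closed, would tell integrators what to expect before they wire up the consent groups.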
47 changes: 28 additions & 19 deletions site/src/docs/patterns/cookies/common-helsinki-cookies.mdx
Expand Up @@ -48,48 +48,57 @@ The following is a list of approved common cookies for common services like Mato

### Login

| Cookie name | Cookie set by | Purpose of use | Period of validity |
| -------------------------------------------------------------------- | ---------------- | ---------------------------------- | ------------------ |
| `sso-sessionid` | api.hel.fi | Persist the authentication session | Session |
| `tunnistamo_prod-sessionid` | api.hel.fi | Persist the authentication session | Session |
| `profiili-prod-csrftoken` | api.hel.fi | A security control | 365 days |
| `AUTH_SESSION_ID` | tunnistus.hel.fi | Persist the authentication session | Session |
| `AUTH_SESSION_ID_LEGACY` | tunnistus.hel.fi | Persist the authentication session | Session |
| `KC_*` | tunnistus.hel.fi | Persist the authentication session | Session |
| `JSESSIONID` | suomi.fi | Persist the authentication session | Session |
| `E-Identification-LogTag` | suomi.fi | Persist the authentication session | Session |
| `_opensaml_req_cookie*` | suomi.fi | Persist the authentication session | Session |
| `_shibstate_*` | suomi.fi | Persist the authentication session | Session |
| `_shibsession_*` | suomi.fi | Persist the authentication session | Session |
| `shib_idp_session` | suomi.fi | Persist the authentication session | Session |
| [Table 3:Common Tunnistamo cookies between *.hel.fi domain services] |
| Cookie name | Cookie set by | Purpose of use | Period of validity |
| --------------------------------------------------------------------------------- | ---------------- | ---------------------------------- | ------------------ |
| `sso-sessionid` | api.hel.fi | Persist the authentication session | Session |
| `tunnistamo_prod-sessionid` | api.hel.fi | Persist the authentication session | Session |
| `profiili-prod-csrftoken` | api.hel.fi | A security control | 365 days |
| `AUTH_SESSION_ID` | tunnistus.hel.fi | Persist the authentication session | Session |
| `AUTH_SESSION_ID_LEGACY` | tunnistus.hel.fi | Persist the authentication session | Session |
| `KC_*` | tunnistus.hel.fi | Persist the authentication session | Session |
| `JSESSIONID` | suomi.fi | Persist the authentication session | Session |
| `E-Identification-LogTag` | suomi.fi | Persist the authentication session | Session |
| `_opensaml_req_cookie*` | suomi.fi | Persist the authentication session | Session |
| `_shibstate_*` | suomi.fi | Persist the authentication session | Session |
| `_shibsession_*` | suomi.fi | Persist the authentication session | Session |
| `shib_idp_session` | suomi.fi | Persist the authentication session | Session |
| [Table 3:Common Tunnistamo and Keycloak cookies between *.hel.fi domain services] |

### HDS Login component

| Session storage key | Data set by | Purpose of use | Period of validity |
| -------------------------------------------------------- | -------------- | --------------------------------------------- | ------------------ |
| `oidc.user:*` | Current domain | Store authentication data | Session |
| `hds_login_api_token_storage_key` | Current domain | Store api tokens of an authenticated user | Session |
| `hds_login_api_token_user_reference` | Current domain | Identify the user whose api tokens are stored | Session |
| [Table 4:Common user data stored by the login component] |

### Load balancing

| Cookie name | Cookie set by | Purpose of use | Period of validity |
| ------------------------------------------------------------------------------------------------- | ---------------------------- | ----------------------------- | ------------------ |
| `A random 32-character long string` | api.hel.fi, tunnistus.hel.fi | Technical routing of requests | Session |
| [Table 4:Load-balancing cookies ensure that the service loads and works quickly and efficiently.] |
| [Table 5:Load-balancing cookies ensure that the service loads and works quickly and efficiently.] |

### Information security

| Cookie name | Cookie set by | Purpose of use | Period of validity |
| ---------------------------------------------------------------------------------------- | ------------- | ------------------ | ------------------ |
| `tunnistamo_prod-csrftoken` | api.hel.fi | A security control | 365 days |
| [Table 5:Security cookies enable secure data transfer between the user and the service.] |
| [Table 6:Security cookies enable secure data transfer between the user and the service.] |

### Language settings

| Cookie name | Cookie set by | Purpose of use | Period of validity |
| -------------------------------------------------------------------------------------------------------- | ---------------- | ---------------------------------- | ------------------ |
| `KEYCLOAK_LOCALE` | tunnistus.hel.fi | Persist the user's chosen language | Session |
| `E-Identification-Lang` | suomi.fi | Persist the user's chosen language | Session |
| [Table 6:Language cookies store the language selections by the user to remember the preferred language.] |
| [Table 7:Language cookies store the language selections by the user to remember the preferred language.] |

### Cookie consent

| Cookie name | Cookie set by | Purpose of use | Period of validity |
| ---------------------------------- | -------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
| `city-of-helsinki-cookie-consents` | \<subdomain\>.hel.fi | Used by hel.fi to store information about whether visitors have given or declined the use of cookie categories used on the hel.fi site. | 1 year |
| `city-of-helsinki-consent-version` | \<subdomain\>.hel.fi | Used by hel.fi to store information about what version of the cookie consent the user has agreed to. | 1 year |
| [Table 7:Cookie consents.] |
| [Table 8:Cookie consents.] |

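Review bot: the new Table 4 lists session-storage keys on a page whose introduction describes "approved common cookies", and "Period of validity: Session" means something different for these rows: a session cookie lasts for the browser session, whereas sessionStorage is scoped to one tab and is cleared when that tab or window is closed. A short note under `### HDS Login component` stating that these are session-storage keys rather than cookies, with that lifetime difference, would stop readers treating the `oidc.user:*` and api-token entries as cookies; the renumbering of Tables 4 to 7 into 5 to 8 is consistent and fine.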
0 comments on commit ec625c2
