-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Persona shutting down 11/2016: Move from Persona to Google sign-in #530
Comments
Preliminary update: I've more or less managed to transition the old Persona authentication system on the frontend and backend to the Google authentication system. The login functionality works as expected, and other interface functionality works as expected once logged in, as well. Changes are primarily in Current todo/challenges:
|
@jimmyzhen @forresttanaka The test fails on |
@selinad @wrightmw Upon clicking it, you're either logged in as usual, or if you have multiple Google accounts associated on your browser, you get a popup like so: These branding guidelines exist for the login button, in case you want to customize the look of it further. |
Update:
|
I've spun up an instance here: http://530-mc-google-auth-frontend-862500c-minchoi.instance.clinicalgenome.org/ You will need to log in to your Stanford-associated Google account. This branch passes all tests and has no issues with I believe the code itself is ready for implementation, but there are a number of factors that need to be addressed which makes me feel like we should hold off for an R7 implementation. Please let me know if you disagree or have other thoughts/concerns:
|
Hi @mrmin123, Your workaround for the failed jest test is good. I recall implementing a similar workaround when I was doing the react 14 upgrade. Although I did other jest workarounds in the babel conversion, they are somewhat different. In any case, I found some useful links talking about jest workarounds and manual mocks. They may (or may not) be helpful: |
Hi @mrmin123 - just getting to this. Thank you for all your hard work. I hope it is not a problem that some people will need a Google associated email address....I'm thinking about Geisinger and their restrictions, but we can ask. On a similar vein, this message always alarms me, as I am always hesitant to share info I just tried with my selinad@stanford.edu address for the first time and it just said Bad Request, but I tried again and it worked - anyone else had that problem? I repeated it on Safari. |
@selinad This should no longer have the Bad Request issue: http://530-mc-google-auth-frontend-8dee0fe-minchoi.instance.clinicalgenome.org/ |
Some additional reading on the lack of wildcard subdomains for google auth, and potential workarounds:
The most commonly suggested course of action seems to be set up a separate static endpoint to handle the login requests. There are also some talks of using url rewrite rules but I have no idea how that would work in the context of our cloud deployment configuration. |
@jimmyzhen I just saw your message regarding the jest tests! Thanks for the links. I don't think I'll be actually mocking the google platform API to keep the tests independent of it. Unfortunately, that means I do have to fake the 'proper' response the test expects when |
For the devs: the cleaned up branch for this is now 530_mc_google_auth |
Our user use case is a bit different so we may be leaving in Auth0's database as a valid sign-in route. This and the identity providers we'll be supporting will be discussed by the others in the group. Current look of the login: To-do:
|
@mrmin123 Nice work on this! Thanks for modifying their login window with ClinGen branding. Looks awesome. |
@mrmin123 Ooh, looks great! |
Agreed! Looks fantastic! 👍 thx @mrmin123 ! |
Thanks @mrmin123 ! How about this for the 2 pages: Account not verified:Once you have created an account with Auth0, you must verify it via email - please check your inbox for an email from Auth0 and verify it according to their instructions. Additionally, the same email you use for Auth0 must be registered for use with the interfaces. If you have not yet registered your email for the ClinGen interfaces, please send an email to clingen-helpdesk@lists.stanford.edu, supplying the email you used for your Auth0 account and your preferred display name within the interfaces. Please note that access to the ClinGen interfaces is currently restricted to ClinGen curators Login FailureIn addition to creating an account with Auth0, your email must be registered with the ClinGen interfaces in order to log in to the interfaces. If you are encountering this error message, you have either not yet registered your email with us or we have not yet been able to verify and add your account to the system. Currently, access is restricted to ClinGen curators. Please send us an email at clingen-helpdesk@lists.stanford.edu if you feel your email should be registered for use with the ClinGen interfaces. |
@selinad @wrightmw https://530-mc-auth0-0478103-minchoi.demo.clinicalgenome.org/ - Demo Login button should be visible, and should work In all instances, the standard login should work, except that instances #1 and #3 should have the test credentials, while instances #2 and #4 only have the production database credentials (no test users). Please try out all the steps including signing up for an account and reading the emails that get sent to you (we can change wording on them if needed). I've also invited both of you to the #usersignup channel in Slack. You will see a message in there whenever a new user signs up. |
Hi @mrmin123 - wow, you've done a ton of great work on this! The Demo seems to work great. I might be a little confused on what the expected behavior is for the regular login in each of the instances. Could you write a brief summary so I can make sure it's as expected? Thank you! p.s. one quick thing - when I go to Sign up on authentication part, it looks just like Login - could we add some very brief text? |
@mrmin123 All four links worked as anticipated... with demo login functionality as you described For standard logins. Logging in with alwayswright@stanford.edu gave me access to instances #1 and #3 only I assume this is as expected? Does wrightmw email have production editing rights but alwayswright only test rights? |
@selinad Sorry, your primary admin account you should have for the production server should work on all instances, while the secondary non-admin account you have for testing should ONLY work on instances #1 and #3. @wrightmw you are right with your assumptions regarding the logins. The sign up (as opposed to sign-in) is done via these steps:
If you could also confirm that the auto-login function works as intended that'd be great as well. |
Connects to #530. Auth0 implementation. Auto-login support
Auth0 functions properly to log in |
Included in last release (R8). Nice job and thanks for your hard work. |
Persona shutting down 11/2016
From ENCODE Redmine Ticket 3575:
"We currently authenticate users to an email address using Persona, but that service is scheduled to be shut down in November 2016. https://mail.mozilla.org/pipermail/persona-notices/2016/000005.html
Instead of authenticating the email address with Persona we could authenticate it using Google Sign In. https://developers.google.com/identity/sign-in/web/
Unfortunately Google Sign In requires per-domain configuration, so it won't work out of the box with our demo subdomains. This might be worked around by configuring the nginx proxy to accept an alternative url on a fixed domain, e.g. instead of https://feature123.demo.encodedcc.org/login perhaps use https://signin.encodedcc.org/feature123/login. See: http://stackoverflow.com/questions/24342338/google-oauth-subdomains
[Laurence] spoke to Pedro briefly about using Google Sign In rather than Persona a month or two ago, so he may have some experience with it already."
Will require some backend and some UI work.
The text was updated successfully, but these errors were encountered: