feat: implement authorization code flow with azul and data browser (#4793) #4796

Merged
NoopDog merged 3 commits into main from fran/4793-authorization-code-flow on May 5, 2026

frano-m commented May 1, 2026

Summary

  • Switches anvil-cmg/dev to the OAuth 2.0 authorization code flow against Azul's new /user/authorize endpoint
  • Bumps the Google CLIENT_ID to anvildev's value (per @hannes-ucsc's Slack note) and adds an authorize URL on the provider, picked up by findable-ui's new code-flow branch
  • Initial commit applies @hannes-ucsc's POC verbatim (DATA_URL pointed at his personal deployment); follow-up commit switches to the real anvildev endpoints and wires authorize through the provider config
  • Per @hannes-ucsc, only DB instances backed by Azul dev/anvildev should adopt this for now; prod is unchanged

Blocked by: findable-ui#905 — needs to merge and release before this can ship (OAuthProvider.authorize field comes from there).

Closes #4793.

Test plan

  • Verified login end-to-end on localhost:3000 against anvildev (via local findable-ui tarball): POST https://service.anvil.gi.ucsc.edu/user/authorize returns {access_token, id_token, scope, expires_in, token_type}; profile loads
  • Logout clears state, datasets table reverts to public-only view
  • Inactivity timeout still triggers (verified at 10s)
  • Terra-side checks (userinfo, ToS, profile) still 200 with the access token
  • Bump @databiosphere/findable-ui to the release containing Support for clarifying requirements around a single top level metadata version #905 before marking ready for review
  • CI green on the bump commit (currently expected to fail typecheck on the registry version, since authorize field isn't in the published package yet)

frano-m and others added 2 commits May 1, 2026 18:07
based on poc patches in #4793. points anvil-cmg dev at hannes' personal
azul deployment with his client id, matching the original poc; subsequent
commit switches to the real anvildev endpoints.

Co-authored-by: hannes-ucsc <hannes-ucsc@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

revert data url to the real anvildev service, swap to the anvildev
google client id, and wire the authorize field through the google
provider so findable-ui's authorization code flow targets
service.anvil.gi.ucsc.edu/user/authorize.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI left a comment

Pull request overview

Updates the AnVIL CMG dev site configuration to support Azul’s OAuth 2.0 authorization code flow by adjusting the Google OAuth provider configuration used by the Data Browser.

Changes:

  • Update the Google OAuth CLIENT_ID for AnVIL CMG dev.
  • Add an authorize endpoint (/user/authorize) to the Google provider config for code flow.

Comment thread site-config/anvil-cmg/dev/authentication/constants.ts
Comment thread site-config/anvil-cmg/dev/authentication/constants.ts
frano-m marked this pull request as ready for review May 5, 2026 04:51

findable-ui 52.1 makes oauthprovider a discriminated union keyed on a
new `flow` field (oauth_flow.authorization_code | oauth_flow.implicit),
replacing the previous truthiness check on `authorize`. set the flow
explicitly on every provider: anvil-cmg/dev keeps authorize and gets
authorization_code; the other five (anvil-cmg cc-dev/prod/tempdev,
hca-dcp cc-ma-dev/ma-prod) get implicit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
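
The config rule this commit message describes, sketched as an added example that is not code from this PR or from findable-ui: selecting the flow by an explicit `flow` discriminant instead of the truthiness of `authorize`, so a blank or missing `authorize` is rejected instead of quietly selecting the implicit flow. The type names, `legacyFlow`, `validateProvider`, the error strings and the placeholder client id are assumptions; only the `flow` values and the `/user/authorize` URL come from this page.

```typescript
// Added example: hypothetical types modelled on the commit message above,
// not findable-ui's actual definitions.
const OAUTH_FLOW = {
  AUTHORIZATION_CODE: "authorization_code",
  IMPLICIT: "implicit",
} as const;

type CodeFlowProvider = {
  flow: typeof OAUTH_FLOW.AUTHORIZATION_CODE;
  clientId: string;
  authorize: string; // backend endpoint that exchanges the code for tokens
};
type ImplicitProvider = { flow: typeof OAUTH_FLOW.IMPLICIT; clientId: string };
type OAuthProvider = CodeFlowProvider | ImplicitProvider;

// Assumed shape of the older selection: flow inferred from truthiness of
// `authorize`. A missing or empty value quietly selects the implicit flow.
function legacyFlow(p: { authorize?: string }): string {
  return p.authorize ? OAUTH_FLOW.AUTHORIZATION_CODE : OAUTH_FLOW.IMPLICIT;
}

// Runtime check for config that arrives untyped (JSON, env); returns problems found.
function validateProvider(raw: { flow?: unknown; authorize?: unknown }): string[] {
  const errors: string[] = [];
  if (raw.flow === OAUTH_FLOW.AUTHORIZATION_CODE) {
    if (typeof raw.authorize !== "string" || raw.authorize === "") {
      errors.push("authorization_code requires authorize");
    } else if (!raw.authorize.startsWith("https://")) {
      errors.push("authorize must be an https URL");
    }
  } else if (raw.flow === OAUTH_FLOW.IMPLICIT) {
    if (raw.authorize !== undefined) errors.push("implicit must not set authorize");
  } else {
    errors.push("flow must be set explicitly");
  }
  return errors;
}

// Constructed sample configs; client ids are placeholders.
const devProvider: OAuthProvider = {
  flow: OAUTH_FLOW.AUTHORIZATION_CODE,
  clientId: "PLACEHOLDER_CLIENT_ID",
  authorize: "https://service.anvil.gi.ucsc.edu/user/authorize",
};
const prodProvider: OAuthProvider = { flow: OAUTH_FLOW.IMPLICIT, clientId: "PLACEHOLDER_CLIENT_ID" };
```
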
Copilot AI left a comment

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.


Comment thread site-config/anvil-cmg/cc-dev/authentication/constants.ts
Comment thread site-config/anvil-cmg/dev/authentication/constants.ts
NoopDog merged commit bc517c8 into main May 5, 2026
7 of 8 checks passed

Development

Successfully merging this pull request may close these issues.

Implement authorization code flow with Azul and Data Browser #7954