Design and develop generic login UI

[AnaBelgun]

To prepare for integration the authentication & authorisation work, we need a login in terria ui.

[philipgrimmett]

Invision prototype:
https://invis.io/PRTEOSJTAKG#/378489622_login-Default

Note:

• Form validation behaviour
• Password 'show/hide' toggle
• Password reset option (needs investigation, @AnaBelgun we can write the ticket together?)
• Example OAuth login options (Google, ESRI)

[rowanwins]

@philipgrimmett

Here is what an Esri OAuth powered page looks like - basically you click the "Sign In" button and it throws another window which we have next to no styling control over.
https://esri.github.io/esri-leaflet/examples/arcgis-online-auth.html

So in its most minimal implementation we just need a button to throw a window.

Hope that helps :)

[philipgrimmett]

@rowanwins ah, thanks. In the prototype posted above I included oath buttons for google and Esri, but now I see that the Esri login UI also has oath buttons (FB, Google). Will they still lead users back to the Terrace editor?

[soyarsauce]

FWIW I'm also leaving this till the end - right now we have super basic auth going by logging into google (without the UI)

[soyarsauce]

https://github.com/TerriaJS/terrace/issues/50

[rowanwins]

Hey @philipgrimmett

So I was coming at this from the Terria side rather than the Terrace side. I'm thinking of the average user of the digital twin who has no interest in Terrace. So perhaps I was coming from a different angle.

[techdragon]

While I’m not exactly a core stakeholder as I’ve only just started to use Terria, I was surprised by the lack of any auth beyond basic auth.

Looking at this ticket, I’d like to point out the broader utility of OpenID Connect over directly using OAuth. Supporting OIDC would make user auth a nearly plug and play experience for people who’s infrastructure supports it already. The OIDC components of Terria would just need to be configured to use their OIDC provider much like how they would configure the Cesium Ion API Token.

[techdragon]

So I did a little work on the possibility of implementing an OIDC proof of concept using an existing generic OIDC library ( https://github.com/IdentityModel/oidc-client-js ), and while looking further into the Terria code, it seems like everything is using the Resource.fetch() from the Cesium library by way of loadJson.js and the other load<Foo>.js siblings ... And according to the Cesium devs, Resource was only really meant for loading things into Cesium for display (CesiumGS/cesium#6205 (comment))

Since any authentication implementation using OAuth, OIDC, or most other options, is probably going to require changing the request headers, and by extension require writing either new request helper code for authenticated endpoints, and/or modifications to all the existing load<Foo>.js files... I figured I should ask if there was already a plan/code for any of this, since @soyarsauce mentioned a working prototype #3644 (comment)

[rowanwins]

I think this can be closed - overtaken by events

[davidedelerma]

@rowanwins could you explain more what overtaken by events mean? Will Terria have the capability of having a login page and eventually RBAC any time soon? Thanks
If there is already some form of auth could you point me to the doc as I cannot find it ?

[rowanwins]

Hi @davidedelerma ,

So far we've only implemented this in a private clone of TerriaMap (eg the code is not available), although the app is available here
https://nsw.digitaltwin.terria.io/

I suspect it's going to be hard to have a generic login provider within TerriaJS or TerriaMap, but in terms of the UI idea you're free to steal it.

Hope that helps