Integration of transport application into the CSIS

[ghilbrae]

We are ready to start testing the integration of the transport application into the CSIS. What do you need from us?

As per today's meeting, it seems that the first step would be to provide a link to the app?

[rapto]

The standalone application is ready to test in https://clarity.saver.red
Authentication is performed by the CAS at https://profile.myclimateservices.eu/cas/
Authorization is performed by the django application at saver.red, so some (now manual) sync is needed between both, meaning that you'll have to provide your username in order for us to authorize you in the app.

[luis-meteogrid]

You may use the following url to access the exposure map: https://clarity.saver.red/mapa_elementos/
I have used my user in CSIS to access that link

[p-a-s-c-a-l]

The application should be embedded as iFrame into CSIS.

I've created the respective Extended iFrame Entity, modified the Exposure Evaluation template - transport and updated the A-2 Guadalajara study.

Important: The iFrame is currently blocked by the SAMEORIGIN policy, you have to remove X-Frame-Options: "SAMEORIGIN".

To provide the username to the application there are two possibilities: query parameters and semaless.js.

I would recommend to implement support for the required query parameters in your app, then we can call it with e.g. https://clarity.saver.red/mapa_elementos/?csis-user=demo. This requires also some work at CSIS side (extracting user name, setting, the parameter). I would implement that in csis_iframe_connector.js, once we know the list of required parameters and their content.

The other possibility is seamless.js, it is a bit more complicated to set-up an requires the usage of the seamless.js client library in you app. The main advantage is that it supports bidirectional communication between the parent frame (CSIS Drupal) and your app. ATM, I don't think that we would need that.

[rapto]

I have included Content-Security-Policy information in order to override the SAMEORIGIN setting (as it seems to be more current). The user issue is pending.

[p-a-s-c-a-l]

Still getting

Refused to display 'https://profile.myclimateservices.eu/cas/login?service=https%3A%2F%2Fclarity.saver.red%2Faccounts%2Flogin%2F%3Fnext%3D%252Fmapa_elementos%252F' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

at https://csis.myclimateservice.eu/study/55/step/1954/view/external

I think that @fgeyer16 has to include content-Security-Policy information for profile.myclimateservices.eu, too.

[fgeyer16]

Sorry for the longsilence.
Yes I have to set some csp headers. Will be done next days

[fgeyer16]

profile.myclimateservcies.eu now allows to be embedded by csis. Now I can see the login mask of profile in the iframe but I failto login as cas test user (logged in as non cas user in CSIS). My CAS test user is not able to see the esternal tab
How is CAS configured at clarity.saver.red?

[p-a-s-c-a-l]

Furthermore, the branding of the transport application (colour, but more importantly the name) should be aligned to the CLARITY Theme.

[p-a-s-c-a-l]

The iFrame on this page is still not working in Firefox:

Laden verboten durch X-Frame-Options: "SAMEORIGIN" von "https://clarity.saver.red/mapa_elementos/", Website erlaubt keine quellübergreifende (cross-origin) Frames von "https://csis.myclimateservice.eu/study/55/step/1952/view/maps".

[fgeyer16]

On my firefox the map seems to be shown:

Firefox 68.4.1esr on Debian 9

Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
This seems to be a Browser version problem. csp frame-ancestor is the newer headerto use since the x-frame options seems to be a little cumbersome. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)

[fgeyer16]

Anyway the X-Frame-Options: "SAMEORIGIN" headershould be removedfrom clarity.saver.red.

[p-a-s-c-a-l]

I'm using Firefox 72.0.2 (64-Bit).

[fgeyer16]

what says security.csp.enable at about:config in firefox?

[p-a-s-c-a-l]

[p-a-s-c-a-l]

Closing in favour of #134