Bypass Google auth when Okta is configured #144
Conversation
| // Update recently viewed docs for the dashboard route. | ||
| try { | ||
| await this.recentDocs.fetchAll.perform(); | ||
| } catch (e) { | ||
| console.error("error updating recently viewed docs", e); | ||
| throw e; | ||
| } |
There was a problem hiding this comment.
This doesn't seem important here. What if you remove it and defer that load for when the user is actually visiting the dashboard? Otherwise I'd call it with void instead of try { await } so it doesn't hold up loading other stuff.
There was a problem hiding this comment.
I was just minimizing changes, and when I fully removed this, the recently viewed docs weren't being updated in the dashboard until I refreshed the page. I just tried moving this to the dashboard route though and it seems to work, so I can move it there.
| {{#if this.showSignOut}} | ||
| <dd.Interactive | ||
| data-test-user-menu-item="sign-out" | ||
| {{on "click" this.invalidateSession}} | ||
| @text="Sign out" | ||
| /> | ||
| {{/if}} |
There was a problem hiding this comment.
Why are we removing the logout button? What happens if I skipGoogleAuth and try to invalidateSession?
There was a problem hiding this comment.
It doesn't do anything because there's no Ember Simple Auth session to invalidate when we bypass Google auth.
There was a problem hiding this comment.
Can we have it invalidate with Okta instead? I assume users will still want to sign out.
There was a problem hiding this comment.
Our supported Okta configuration enforces Okta auth at the load balancer level so there's not going to be a way to sign out unless the user signs out of their Okta session (which will be in Okta, not Hermes).
There was a problem hiding this comment.
Can we change our supported configuration to allow logout? 😬 I'd really like to keep the log out button. "As a user I want to log out."
There was a problem hiding this comment.
We chatted about this offline, but I think I found a way to do this and it'll be implemented in another PR soon!
web/app/routes/authenticate.ts
Outdated
| * and if it is, transitions to the specified route | ||
| */ | ||
| this.session.prohibitAuthentication("/"); | ||
| if (!this.configSvc.config.skip_google_auth) { | ||
| this.session.prohibitAuthentication("/"); |
There was a problem hiding this comment.
What happens if we remove this if statement and run prohibitAuthentication under skipGoogleAuth conditions?
There was a problem hiding this comment.
Looks like it's the same behavior. I think I forgot what this method actually does - I can revert this change.
There was a problem hiding this comment.
It's supposed to redirect you to / if you're authenticated with Ember Simple Auth
There was a problem hiding this comment.
Yeah, actually I guess we should probably just redirect right away from this route if we're bypassing Google auth... Because users could still have this URL saved and it won't be relevant without Google auth.
There was a problem hiding this comment.
8d11b85 implements this ^
web/app/routes/authenticated.ts
Outdated
| */ | ||
| void this.session.pollForExpiredAuth.perform(); | ||
| if (!this.configSvc.config.skip_google_auth) { | ||
| void this.session.pollForExpiredAuth.perform(); |
There was a problem hiding this comment.
Why does skipping Google auth negate the need to poll for expiredAuth?
There was a problem hiding this comment.
Good q, 2 things here:
- I still need to do some more testing on the app behavior when Okta auth expires; it might still be useful to do this polling if the user isn't immediately redirected to log in to Okta.
- Currently
pollForExpiredAuthis (understandably) Google-centric so I think we'll want to at least skip this until that either becomes neutral to the auth provider or has an Okta option built in too (assuming that we'll want to poll when skipping Google auth; still need to test).
There was a problem hiding this comment.
it might still be useful to do this polling if the user isn't immediately redirected to log in to Okta
Yeah, I'd like to maintain our existing behavior where we detect passive logouts: If your token expires in the background, we should block [Okta]'s immediate-redirect function to show a gentler "reauathenticate" message.
Your change makes sense and its good to know you're planning to test further.
There was a problem hiding this comment.
Re-enabled polling auth for Okta in this commit: 23635e6
…stead of verifying the access token
* Make people directory search read mask configurable in helper function * Add GET method for /api/v1/me endpoint * Bypass Google auth when Okta is configured * Only show Sign Out when using Google auth * s/bypass/skip * Update recently-viewed-docs-test.ts * Update Mirage `/me` reference * Update Mirage document timestamp; Fix test * Add note that Okta is instead of Google OAuth * Format config * Redirect right away from the authenticate route if skipping Google auth * Fetch recently viewed docs in the dashboard route instead of document * Add Admin service back * Add GetUser helper * Hack around bug with People API not returning names * Set the ALB auth cookie to an expired time when the token is invalid * Poll auth expiration when using Okta as well * Handle Okta redirect errors from fetch * Authorize Okta request using OIDC data header and verifying claims instead of verifying the access token * Update OIDC data format * Decode JSON into an interface * Handle AWS's JWTs that include padding * Use public key type for Parse key function * Use string type for preferred_username and log values on error * Don't compare preferred_username claim to OIDC identity header * Update flash message title * Add Admin SDK API to list of APIs that need to be enabled --------- Co-authored-by: Jeff Daley <[email protected]>
This PR adds functionality to bypass Google auth when Okta is configured. To do this, a GET method was added for the
/api/v1/meAPI with a response that mimics Google'suserinfoAPI, which we previously used to get a user's profile photo and name. Also, now that #132 was merged, this removes the code for using the Google Drive application data for storing recently viewed docs.Breaking changes
oktablock