Latest commit: N. Justus, Jul 11, 2019 (ec148fe)

History

History
61 lines (53 loc) · 3.12 KB

authentication.adoc

File metadata and controls

61 lines (53 loc) · 3.12 KB

Authentication flow

(Diagram: authentication flow)

Because we are using an external service for authentication, the authentication flow needs special attention. It follows this pattern:

  1. First the user opens the web page, which is delivered from the ui container.

  2. When the user clicks on a login provider (Developer Login, Google, CAS, GitHub), traefik redirects them to the AuthSvc. Notice that this is not the webmodelica backend!

  3. The AuthSvc redirects them further to the external provider (that is: Google, CAS, GitHub, ...).

  4. The provider then delivers the login form and performs the actual login.

  5. If the login was successful, the external provider redirects back to the AuthSvc.

  6. The AuthSvc creates the user information in UserSvc, sets the Authentication cookie and redirects to the frontend.

  7. Finally the frontend authenticates using the cookie provided by AuthSvc to access projects on the webmodelica backend.

Note
The preferred authentication method is the Authentication header carrying a valid JWT. The frontend sets this header on every ajax call. The initial login uses a cookie instead, because a redirect cannot carry custom headers.

The generated JWT has the following structure:

{
  "iss": "auth", (1)
  "iat": 1562851232, (2)
  "sub": "test",
  "data": { (3)
    "username": "test",
    "first_name": "Test",
    "last_name": null,
    "email": "[email protected]",
    "role": "student",
    "created_at": "2019-07-10T14:41:35.164+02:00",
    "updated_at": "2019-07-10T14:41:35.164+02:00",
    "avatar_type": "generator",
    "avatar_url": "",
    "avatar_gravatar_url": "https://www.gravatar.com/avatar/a5ff9a6a16910c9a873916f859bb9223",
    "avatar_generator_url": "",
    "identities": [
      {
        "provider": "developer",
        "username": "test"
      }
    ]
  },
  "exp": 1562937632 (4)
}
  1. The issuer of the token; this is always auth.

  2. The issuedAt timestamp in seconds since the UNIX epoch.

  3. The user information payload; it contains all user information.

  4. The expiresAt timestamp in seconds since the UNIX epoch.
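As an added example (not code from the webmodelica project), the checks the backend should run on such a token before trusting data.username or data.role: signature, pinned algorithm, iss, exp and iat. It assumes AuthSvc signs with HS256 and a secret shared with the backend, which the page does not state; all values are constructed.

```python
import base64, hashlib, hmac, json

# Assumption (the page does not state it): AuthSvc signs with HS256 using a
# secret shared with the webmodelica backend. All values here are constructed.
SECRET = b"constructed-demo-secret"
ISSUER = "auth"  # the page says iss is always "auth"

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, secret: bytes = SECRET) -> str:
    """Produce a compact JWS (header.payload.signature) as AuthSvc would."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, now: int, secret: bytes = SECRET) -> dict:
    """Backend-side checks; raises ValueError on any failure, returns the claims otherwise."""
    h64, p64, s64 = token.split(".")  # a ValueError here means a malformed token
    # Pin the algorithm server-side; never let the token choose it (rejects alg=none).
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        raise ValueError("iat is in the future")
    if not isinstance(claims.get("data"), dict) or "username" not in claims["data"]:
        raise ValueError("missing user payload")
    return claims

def is_valid(token: str, now: int) -> bool:
    try:
        verify_token(token, now)
        return True
    except ValueError:
        return False

# Constructed claims mirroring the structure documented above (iat/exp taken from the page).
SAMPLE_CLAIMS = {"iss": "auth", "iat": 1562851232, "sub": "test",
                 "data": {"username": "test", "role": "student"}, "exp": 1562937632}
```

Only the claims returned by verify_token should be used for authorization; the role in an unverified payload is attacker-controlled input.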

Notes

  • AuthSvc refers to the thmmote/webmodelica-auth-svc docker image configured in the auth-svc service definition

  • UserSvc refers to the thmmote/webmodelica-user-svc docker image configured in the user-svc service definition

  • OAuthProvider is an OAuth provider: Google, GitHub, CAS