Because we are using an external service for authentication, the authentication flow needs special attention. It follows this pattern:

- First the user opens the web page, which is delivered from the ui container.
- When the user clicks on a login provider (Developer Login, Google, CAS, GitHub), traefik redirects them to the AuthSvc. Notice that this is not the webmodelica backend!
- The AuthSvc redirects them further to the external provider (that is: Google, CAS, GitHub, ...).
- The provider delivers the login form and performs the actual login.
- If the login was successful, the external provider redirects back to the AuthSvc.
- The AuthSvc creates the user information in the UserSvc, sets the authentication cookie and redirects to the frontend.
- Finally the frontend authenticates using the cookie provided by the AuthSvc to access projects on the webmodelica backend.
Note: The preferred authentication method is the Authentication header, which contains a valid JWT. The frontend sets this header on every ajax call. The initial login uses a cookie instead, because a redirect cannot carry custom headers.
The generated JWT has the following structure:
{
"iss": "auth", (1)
"iat": 1562851232, (2)
"sub": "test",
"data": { (3)
"username": "test",
"first_name": "Test",
"last_name": null,
"email": "[email protected]",
"role": "student",
"created_at": "2019-07-10T14:41:35.164+02:00",
"updated_at": "2019-07-10T14:41:35.164+02:00",
"avatar_type": "generator",
"avatar_url": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQAAAAEAAQMAAABmvDolAAAABlBMVEVymc3///+7AkCtAAAAkElEQVR4nO3YSwqAIBSFYZPAaTtoKS0t2llLaQlNHYRxA7EXOLyi/x1pfMgZiR0bMmNNZgAAJRC65/QKGQAAAKBa4OVmfcPjum8/J0zyYtgUQgIAAEDdwKXfslU+jWlfTkgAAAAAAAAAQMvAx6LAmEVWg6z8f3ugFhIAAACaAbNUBrtuBkDpwMVm6T6urrrpBLXfUOFSQqWQAAAAAElFTkSuQmCC",
"avatar_gravatar_url": "https://www.gravatar.com/avatar/a5ff9a6a16910c9a873916f859bb9223",
"avatar_generator_url": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQAAAAEAAQMAAABmvDolAAAABlBMVEVymc3///+7AkCtAAAAkElEQVR4nO3YSwqAIBSFYZPAaTtoKS0t2llLaQlNHYRxA7EXOLyi/x1pfMgZiR0bMmNNZgAAJRC65/QKGQAAAKBa4OVmfcPjum8/J0zyYtgUQgIAAEDdwKXfslU+jWlfTkgAAAAAAAAAQMvAx6LAmEVWg6z8f3ugFhIAAACaAbNUBrtuBkDpwMVm6T6urrrpBLXfUOFSQqWQAAAAAElFTkSuQmCC",
"identities": [
{
"provider": "developer",
"username": "test"
}
]
},
"exp": 1562937632 (4)
}
(1) is the issuer of the token; this is always auth.
(2) is the issuedAt timestamp in seconds since the UNIX epoch.
(3) is the user information payload. It contains all user information.
(4) is the expiresAt timestamp in seconds since the UNIX epoch.
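The following is an added example, not code from the webmodelica project, showing how a backend could take such a token from the Authentication header (or, right after the redirect login, from the cookie) and validate it before trusting anything in data. It assumes an HS256 signature with a secret shared between AuthSvc and the backend, a `Bearer <jwt>` header value and a cookie named `auth`; none of these details are stated on this page. The sample claims are constructed to match the token shown above.

```python
"""Validate an AuthSvc-style JWT (added example; assumptions marked below)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumptions (not stated on the page): HS256 with a secret shared between
# AuthSvc and the backend, "Bearer <jwt>" in the header, cookie named "auth".
SHARED_SECRET = b"replace-me-with-the-real-shared-secret"
AUTH_HEADER = "Authentication"
AUTH_COOKIE = "auth"
EXPECTED_ISSUER = "auth"  # the page states iss is always "auth"


class TokenError(Exception):
    """Raised for any token that must not grant access."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token the way an HS256 issuer would (used to build sample input)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode())
             for x in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])


def verify_token(token: str, secret: bytes, now: Optional[int] = None,
                 leeway: int = 30) -> dict:
    """Return the claims of a valid token or raise TokenError.

    The algorithm is pinned (no "none", no downgrade) and the signature is
    checked before any claim is read, so nothing from the payload is trusted
    until the MAC has been verified.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed payload") from exc
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    missing = [k for k in ("sub", "iat", "exp", "data") if k not in claims]
    if missing:
        raise TokenError(f"missing claims: {missing}")
    if claims["exp"] + leeway <= now:
        raise TokenError("token expired")
    if claims["iat"] - leeway > now:
        raise TokenError("token issued in the future")
    return claims


def token_from_request(headers: dict, cookies: dict) -> Optional[str]:
    """Prefer the header the frontend sets on ajax calls; fall back to the
    cookie AuthSvc sets on the post-login redirect, which cannot carry headers."""
    value = headers.get(AUTH_HEADER, "")
    if value.startswith("Bearer "):
        return value[len("Bearer "):].strip()
    return cookies.get(AUTH_COOKIE)


# Constructed sample claims, shaped like the token shown on this page.
SAMPLE_CLAIMS = {
    "iss": "auth",
    "iat": 1562851232,
    "sub": "test",
    "data": {"username": "test", "role": "student",
             "identities": [{"provider": "developer", "username": "test"}]},
    "exp": 1562937632,
}


def demo() -> str:
    """Mint a sample token, pull it from a header and return the verified role."""
    token = sign_hs256(SAMPLE_CLAIMS, SHARED_SECRET)
    request_token = token_from_request({AUTH_HEADER: f"Bearer {token}"}, {})
    claims = verify_token(request_token, SHARED_SECRET, now=1562851300)
    return claims["data"]["role"]


if __name__ == "__main__":
    print("verified role:", demo())
```

Whichever transport the token arrives on, the same `verify_token` runs: the cookie path only changes where the string is read from, not how much it is trusted. A production backend would also pin `exp` to a sensible maximum lifetime and reject cookies on state-changing requests without a CSRF check, which the page does not discuss.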
- AuthSvc refers to the thmmote/webmodelica-auth-svc docker image configured in the auth-svc service definition.
- UserSvc refers to the thmmote/webmodelica-user-svc docker image configured in the user-svc service definition.
- OAuthProvider is an OAuth provider: Google, GitHub, CAS.