
Add SSO support #1053

Merged
merged 28 commits into from
Feb 2, 2024

Conversation

skovati
Contributor

@skovati skovati commented Dec 8, 2023

closes NASA-AMMOS/aerie#1100

This PR significantly reworks the hooks.server.ts logic to support SSO in addition to the /login page. Using a new environment variable PUBLIC_AUTH_SSO_ENABLED, the top level hook auth flow is now as follows:

```ts
// top-level hook in hooks.server.ts: pick the auth flow from the env var
if (env.PUBLIC_AUTH_SSO_ENABLED === 'true') {
  return await handleSSOAuth({ event, resolve });
} else {
  return await handleJWTAuth({ event, resolve });
}
```

handleJWTAuth

handleJWTAuth is just a refactored version of the existing auth flow:

  • validate + populate event.locals.user using existing JWT cookie (by hitting Gateway's /auth/session)
  • if JWT was invalid / nonexistent, redirect to /login

handleSSOAuth

handleSSOAuth is a new flow that supports SSO auth by forwarding cookies to new Gateway endpoints, which will check SSO token validity (e.g. CAM token) and return JWTs or redirections accordingly:

  • forward cookies to /auth/validateSSO, which will run an auth-provider-specific SSO validation
  • if the above validation was successful, Gateway returns an Aerie JWT, which we store in cookies and use in Auth: headers as usual.
  • else (the SSO token was invalid or DNE), Gateway returns the URL of the auth provider's login page (e.g. CAM-UI), which we redirect the user to.

Logout

The UI also switches on this PUBLIC_AUTH_SSO_ENABLED env var during logout, where it'll either call the Gateway's /auth/logoutSSO (which invalidates the SSO token using the auth provider), or just clear the JWT and redirect to /.

On the next page load, the UI will run through the auth flow in hooks.server.ts, which will correctly redirect us to either /login or the SSO login page, depending on PUBLIC_AUTH_SSO_ENABLED.

This design allows the UI to remain auth provider agnostic. The Gateway can then be extended to support other auth providers (e.g. https://aws.amazon.com/cognito).

The corresponding Gateway PR (NASA-AMMOS/aerie-gateway#51) defines these new auth endpoints, as well as lists the testing steps and possible env var configurations.
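As an added illustration of the flow described above (not aerie-ui's own hooks.server.ts and not code from this PR), the following TypeScript models the PUBLIC_AUTH_SSO_ENABLED switch, the cookie forwarding to /auth/validateSSO, the JWT fallback via /auth/session, and the URI-decoded cookie parsing with error handling. The Gateway calls are injected as synchronous stubs; the cookie name `jwt`, the `Outcome` shape and the stub response shapes are assumptions.

```typescript
// Added example (not aerie-ui's code) modelling the hooks.server.ts switch described in the PR.
// Assumptions: Gateway calls are injected synchronous stubs, the JWT cookie name "jwt" is
// hypothetical, and the response shapes of /auth/validateSSO and /auth/session are guessed.
type Env = { PUBLIC_AUTH_SSO_ENABLED?: string };
type Gateway = {
  validateSSO: (cookieHeader: string) => { token: string } | { redirectUrl: string };
  session: (jwt: string) => { userId: string } | null;
};
type Outcome =
  | { kind: 'ok'; userId: string | null; setCookie: string | null }
  | { kind: 'redirect'; location: string };

// Parse a Cookie header, decoding percent-encoded values without throwing on bad input
export function parseCookies(header: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue; // no "=": not a cookie pair, skip it
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(raw);
    } catch {
      out[name] = raw; // malformed %-escape: keep the raw value instead of failing the request
    }
  }
  return out;
}

export function handleAuth(env: Env, cookieHeader: string, pathname: string, gw: Gateway): Outcome {
  if (env.PUBLIC_AUTH_SSO_ENABLED === 'true') {
    // SSO flow: forward the browser's cookies; the Gateway validates the provider's token
    const res = gw.validateSSO(cookieHeader);
    if ('token' in res) {
      // Store the Aerie JWT the Gateway minted and populate the user from it
      const cookie = `jwt=${encodeURIComponent(res.token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
      return { kind: 'ok', userId: gw.session(res.token)?.userId ?? null, setCookie: cookie };
    }
    return { kind: 'redirect', location: res.redirectUrl }; // provider's login page (e.g. CAM-UI)
  }
  // JWT flow: validate the existing cookie via /auth/session, otherwise send to /login
  const jwt = parseCookies(cookieHeader)['jwt'];
  const user = jwt ? gw.session(jwt) : null;
  if (user) return { kind: 'ok', userId: user.userId, setCookie: null };
  if (pathname === '/login') return { kind: 'ok', userId: null, setCookie: null }; // avoid a redirect loop
  return { kind: 'redirect', location: '/login' };
}
```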

Collaborator

@duranb duranb left a comment


I set AUTH_TYPE to "none", but it still redirects me to the CAM login. Also, after logging in to CAM, I wasn't redirected back to aerie-ui. I think whatever is doing the redirect is not including the goto return url to CAM

Resolved (outdated) review threads on: src/utilities/login.ts, .env
@skovati skovati force-pushed the feature/forward-cam-token branch from 359d094 to 0009275 Compare January 3, 2024 20:25
@skovati skovati requested a review from duranb January 3, 2024 20:25
@skovati skovati force-pushed the feature/forward-cam-token branch from 95eb41a to 76fb36d Compare February 2, 2024 18:20
@skovati skovati merged commit 69e41e8 into develop Feb 2, 2024
4 checks passed
@skovati skovati deleted the feature/forward-cam-token branch February 2, 2024 18:31
JosephVolosin pushed a commit that referenced this pull request Aug 20, 2024
* add new `reqGateway` function that passes cookies

* Rework auth hook logic to support SSO

* Add support for new gateway auth endpoints.

This commit also removes the auth redirection logic from the UI, since
this is handled by the gateway instead, which will return a redirect if
deemed necessary.

* fix lint errors

* update tests for new login flow

* add referrer to validation requests

* fix redirection logic

* decode URI encoded cookies

* add ability to start local UI with https

* add ability to specify local host domain

* run prettier

* throw redirect instead of returning

prevents `user` being typed as possibly undefined, which svelte-check didn't like

* remove `PUBLIC_LOGIN_PAGE`

"NoAuthAdapter" now fulfills the use case where no auth is desired

* add example env vars for local HTTPS + domain dev

* add new `PUBLIC_AUTH_TYPE` env var

* switch auth flow based on new env var

* run prettier

* change auth type env var to boolean

* document new sso env var

* refactor nullish assign

* fix test env vars

* restore feature parity with logout reason

* add error handling to cookie parsing

* fix role switching with SSO flow

* add env var mock to login tests

* fix redirection loop by replacing `isDataRequest` conditional

* fix redirect loop

* fix logout cookie setting race condition

---------

Co-authored-by: bduran <[email protected]>
JosephVolosin pushed a commit that referenced this pull request Oct 21, 2024
(same commit message as above)
Labels
auth Issues related to authentication or authorization clipper Requests from the Europa Clipper project feature New feature or request
Development

Successfully merging this pull request may close these issues.

Add Support for SSO with CAM
3 participants