User authentication using OpenID Connect protocol #4474
Conversation
Removed white spaces between parenthesis and arguments.
…-after-rebase # Conflicts: # lib/galaxy/config.py # lib/galaxy/dependencies/pinned-requirements.txt # lib/galaxy/model/__init__.py # lib/galaxy/model/mapping.py
|
the requirements handling in Galaxy's repo changed, I have a WIP for this branch to fix it but I need to know which of the requirements are used directly in this code: |
|
Yes, these are the requirements for this PR. |
|
@VJalili That was not my question. I am asking which ones are used directly - as opposed to deps of deps. It seems that answer is only the |
|
Yes, that is correct, at the moment only |
lib/galaxy/model/__init__.py
Outdated
| model = cls.user_model() | ||
| instance = model(*args, **kwargs) | ||
| instance.set_password_cleartext( | ||
| ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))) |
There was a problem hiding this comment.
Now have 2 different places in Galaxy code that generate random passwords, slightly differently. Perhaps should unify under single method.
One uses random.sample, this uses random.choice. Using .choice method is arguably better as it allows character reuse. A potential issue with SystemRandom() is 'Not available on all systems.'.
There was a problem hiding this comment.
I changed SystemRandom().choice to sample.
# Conflicts: # lib/galaxy/dependencies/pinned-requirements.txt # lib/galaxy/dependencies/requirements.txt
lib/galaxy/model/__init__.py
Outdated
| def create_user(cls, *args, **kwargs): | ||
| model = cls.user_model() | ||
| instance = model(*args, **kwargs) | ||
| instance.set_password_cleartext(''.join(random.sample(string.ascii_letters + string.digits, 16))) |
There was a problem hiding this comment.
Whoops, maybe I wasn't clear. I was saying that using choice was more secure than sample, since it can reuse characters, the search space would be larger. So I was suggesting to use .choice, but to make a single e.g. .set_password_random() method that gets called from each place.
There was a problem hiding this comment.
My misunderstanding! I created set_random_password function. I think it would be better if change other random password creations (e.g., this) to leverage this function in subsequent PRs.
| @@ -1 +0,0 @@ | |||
| pipfiles/default/pinned-requirements.txt | |||
There was a problem hiding this comment.
Am I reading it correct? it deleted one line and added a new line with the same content as the original line?
There was a problem hiding this comment.
Not sure, but it looks a bit strange.
There was a problem hiding this comment.
For some odd reasons, this is actually replacing a symlink with a text file containing path to the originally linked file. I fixed it; and thanks @natefoo for identifying the issue.
| @@ -105,6 +110,7 @@ rfc3986==1.1.0 | |||
| routes==2.4.1 | |||
| simplejson==3.13.2 | |||
| six==1.11.0 | |||
| social_auth_core==1.5.0 | |||
There was a problem hiding this comment.
The new way to add dependencies is to add only the ones you directly use (which I think is just social_auth_core) to lib/galaxy/dependencies/pipfiles/default/Pipfile (without specifying a version unless needed) and run make update-dependencies to update this file (pipenv needs to be installed).
There was a problem hiding this comment.
I changed it. Now I'm getting the following error, any thoughts?
Invalid requirement: 'pipfiles/default/pinned-requirements.txt'
It looks like a path. Does it exist ?There was a problem hiding this comment.
When does that happen?
I'd check that lib/galaxy/dependencies/pinned-requirements.txt is a symlink to pipfiles/default/pinned-requirements.txt . You can recreate it with:
cd lib/galaxy/dependencies/
rm -f pinned-requirements.txt
ln -s pipfiles/default/pinned-requirements.txt
|
Thank you for your work @VJalili, I think this PR is in a very good shape. |
|
followup issue xref: #5817 |
|
@martenson Thanks! |
Reintroduced (empty) by mistake in galaxyproject#4474 .
It was reintroduced (empty) by mistake in galaxyproject#4474 .
It was reintroduced (empty) by mistake in galaxyproject#4474 .
A Galaxy user should be authenticated using a trusted identity provider (e.g., Google, Microsoft, Amazon) when a verifiable identity over a standard protocol is required (e.g., access cloud-based resources such as Amazon S3).
Currently Galaxy can authenticate a user using OpenID (2.0) protocol; however, this protocol is outdated as neither major identity providers nor resource providers support it (e.g., Google suspended OpenID 2.0 support in 2016). A newer authentication protocol is called OpenID Connect which is a thin layer on top of the authorization protocol, OAuth2.0. Our initial plan was to make Galaxy an OpenID Connect-trusted identity provider. However, due to technical issues of being an identity provider, we decided to leverage third-party identity providers. In other words, we decided to act as a OpenID Connect Relying Party.
This PR implements logics of authenticating a Galaxy user leveraging authorization code flow of OpenID Connect protocol.
This implementation persists only the safe-to-store information, which are:
To setup Galaxy for using this PR, please consider this documentation, and after you set it up, here is how you can use it.