HUE-8321 [oidc] Add implementation for multi-backend auth with AllowFirstUserDjangoBackend

Review Request #13113 - Created June 21, 2018 and submitted

Ying Chen
hue
master
HUE-8321
hue
enricoberti, jgauthier, johan, ranade, romain, weixia
commit f7fd4516c208c05454ae05d60b8b053227cba9f2 (HEAD -> django-oidc-auth)
Author: Ying Chen <yingchen@cloudera.com>
Date:   Thu Jun 21 20:01:48 2018 -0700

    HUE-8321 [oidc] Add implementation for multi-backend auth with AllowFirstUserDjangoBackend

:100644 100644 70a7614fb2... 8c115c5183... M    desktop/core/src/desktop/auth/backend.py
:100644 100644 daeb3069d7... 9a198418c8... M    desktop/core/src/desktop/auth/views.py
:100644 100644 5fe7ed1288... 560586dfba... M    desktop/core/src/desktop/middleware.py
:100644 100644 19c08c0520... 53553a2082... M    desktop/core/src/desktop/settings.py
:100644 100644 f91fc6b2dc... 51f63869e6... M    desktop/core/src/desktop/static/desktop/css/login.css
:100644 100644 57c2c4fe14... 056c2d7006... M    desktop/core/src/desktop/templates/login.mako


  2. desktop/core/src/desktop/middleware.py (Diff revision 1)
     
     

    When a user logged in via username/password, why would we care about the OIDCBackend idle timeout?

    Is the latter conflicting with the session?

    If yes, maybe simpler comment?
    e.g.

    # Avoid OIDCBackend idle session timeout that could conflict with the AllowFirstUserDjangoBackend session

    1. No, it won't be. But when multi-backend is enabled, mozilla_django_oidc.middleware.SessionRefresh (originally not designed for multi-backend auth) also gets activated. It will keep checking 'oidc_id_token_expiration' in the session, which doesn't exist for a local user and the value is set to zero. It causes endless refreshing in this oidc middleware, but it won't go to oidc authentication to get a positive value.

    2. After local user login, the browser shows an error because of the refreshing in the oidc middleware and never lands in the Hue editors.

  3. 'Go to Keycloak' --> 'Single Sign-on'

    ?

    Any chance to put the button on top and maybe add a separation bar below to separate it from a potential username/password login form?

    (most of the company users would use SSO, username/password form would be more for admins)

Review request changed

Status: Closed (submitted)
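
The refresh loop described in the reply under comment 2, as a plain-Python model added here (not code from this change or from mozilla_django_oidc). The dotted backend paths, the guard function and the 900-second token lifetime are assumptions made for illustration.

```python
import time

# Assumptions: the dotted backend paths are inferred from the file list in this
# review; "_auth_user_backend" is the key Django's login() stores the backend under.
BACKEND_SESSION_KEY = "_auth_user_backend"
OIDC_BACKEND = "desktop.auth.backend.OIDCBackend"
LOCAL_BACKEND = "desktop.auth.backend.AllowFirstUserDjangoBackend"


def unguarded_needs_refresh(session, now):
    """Model of the check in the reply: a missing expiry is read as 0."""
    expiration = session.get("oidc_id_token_expiration", 0)
    return expiration <= now


def guarded_needs_refresh(session, now):
    """Hypothetical guard: only sessions created by the OIDC backend are refreshed."""
    if session.get(BACKEND_SESSION_KEY) != OIDC_BACKEND:
        return False
    return unguarded_needs_refresh(session, now)


def follow_redirects(session, needs_refresh, now, max_hops=10):
    """Count refresh redirects before the request reaches a view.

    Per the reply, a local session never gets a positive expiry from the
    refresh; an OIDC session does. Returns (hops, landed).
    """
    hops = 0
    while needs_refresh(session, now):
        if hops == max_hops:  # stands in for the browser's redirect limit
            return hops, False
        hops += 1
        if session.get(BACKEND_SESSION_KEY) == OIDC_BACKEND:
            session["oidc_id_token_expiration"] = now + 900  # constructed lifetime
    return hops, True


if __name__ == "__main__":
    now = time.time()
    checks = (("unguarded", unguarded_needs_refresh), ("guarded", guarded_needs_refresh))
    for name, check in checks:
        local = {BACKEND_SESSION_KEY: LOCAL_BACKEND}  # constructed sessions
        oidc = {BACKEND_SESSION_KEY: OIDC_BACKEND, "oidc_id_token_expiration": now - 1}
        print(name, "local:", follow_redirects(local, check, now),
              "oidc:", follow_redirects(oidc, check, now))
```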
