Implementation of Oauth of Github, Google and Microsoft #4298
Conversation
feyruzb
force-pushed
the
branch-2-backup
branch
2 times, most recently
from
5ce7f18 to
68eaf7b
Compare
feyruzb
force-pushed
the
branch-2-backup
branch
2 times, most recently
from
de2e213 to
d3f6b29
Compare
There was a problem hiding this comment.
Please see my remarks.
I have some additional comments apart from the direct in code messages:
- My major concern with the implementation is that the oauth related API and its implementation is not generalized enough. The configuration is good enough for the time being.
- I am not sure if we are allowed to use the Git Hub logo in our repo.
- Please invite @cservakt to review the JS and VueJS parts.
I did not do a thorough review of the oauth flow in authentication.py after you addressed the above issues I will do another round concentrating on that.
Thanks for the hard work!
feyruzb
force-pushed
the
branch-2-backup
branch
10 times, most recently
from
12c68e7 to
f064c2b
Compare
feyruzb
force-pushed
the
branch-2-backup
branch
3 times, most recently
from
b4d5a0a to
d3847d6
Compare
…s, commented lines
feyruzb
force-pushed
the
branch-2-backup
branch
4 times, most recently
from
f4d0556 to
e661d1d
Compare
feyruzb
force-pushed
the
branch-2-backup
branch
4 times, most recently
from
353e117 to
14f8ac2
Compare
feyruzb
force-pushed
the
branch-2-backup
branch
from
14f8ac2 to
5855127
Compare
docs/web/authentication.md
Outdated
| #### OAuth Details per each provider <a name ="oauth-details-per-each-provider"></a> | ||
|
|
||
| * Important: `callback_url` must always match with the link specified in the | ||
| providers' settings when issuing an access token. |
There was a problem hiding this comment.
| providers' settings when issuing an access token. | |
| providers' settings when issuing an OAuth application. |
There was a problem hiding this comment.
Fixed, used suggested change.
docs/web/authentication.md
Outdated
| @@ -16,6 +16,9 @@ Table of Contents | |||
| * [<i>LDAP</i> authentication](#ldap-authentication) | |||
| * [Configuration options](#configuration-options) | |||
| * Membership in custom groups with [<i>regex_groups</i>](#regex_groups-authentication) | |||
There was a problem hiding this comment.
This regex link could be on the same level as "OAuth authentication"
| "localhost" not in \ | ||
| user_info_url: |
There was a problem hiding this comment.
According to an earlier discussion this "localhost" is here because it's needed for a test code. I still don't agree distinguishing "localhost" here.
| provider_cfg = self.__auth_config.get( | ||
| 'method_oauth', {}).get("providers", {}).get(provider, {}) | ||
|
|
||
| # turn off configuration if it is set to default values |
There was a problem hiding this comment.
I still don't agree with hard-coding these example values. I would be interested in the other reviewer's reasons.
| @@ -64,6 +66,10 @@ def setup_class_common(): | |||
|
|
|||
| codechecker.add_test_package_product(host_port_cfg, TEST_WORKSPACE) | |||
|
|
|||
| subprocess.Popen(["python3", "oauth_server.py"], | |||
| cwd="tests/functional/authentication") | |||
| sleep(5) | |||
There was a problem hiding this comment.
I still think, we shouldn't operate with sleep(). We should find another way to check if the server is up. Actually, tests shouldn't start until mock server is ready.
|
|
||
| The scope of access requested from the OAuth provider. | ||
|
|
||
| * `user_info_mapping` |
There was a problem hiding this comment.
I have a feeling that this adds unnecessary extra complexity to the logic. Why do we want to use the e-mail address as user name? Why couldn't the auth provider decide what identifies the user? This way it wouldn't be needed to query the e-mail address at different API endpoints in GitHub. I can't see why e-mail address is important from authentication point of view. Let's discuss these questions in a separate meeting.
| raise codechecker_api_shared.ttypes.RequestFailed( | ||
| codechecker_api_shared.ttypes.ErrorCode.AUTH_DENIED, | ||
| "OAuth authentication is not enabled for provider:", provider) |
There was a problem hiding this comment.
Does RequestFailed() work with 3 parameters? Is the 3rd parameter concatenated to the 2nd?
There was a problem hiding this comment.
Fixed, used string formatting.
| or not provider_db or not expires_at_db: | ||
| raise codechecker_api_shared.ttypes.RequestFailed( | ||
| codechecker_api_shared.ttypes.ErrorCode.AUTH_DENIED, | ||
| "Something went wrong. Please try again.") |
There was a problem hiding this comment.
A more informative message would be useful which tells that authentication is needed first.
There was a problem hiding this comment.
Fixed, message now explains what went wrong.
There was a problem hiding this comment.
The purpose of this check is to make sure that the data that was fetched is not empty and are actual values.
| LOG.error("State, provider or expiery time mismatch.") | ||
| raise codechecker_api_shared.ttypes.RequestFailed( | ||
| codechecker_api_shared.ttypes.ErrorCode.AUTH_DENIED, | ||
| "Something went wrong. Please try again.") |
There was a problem hiding this comment.
A more informative message would be useful which tells what's wrong: is it the expiration date or something else?
There was a problem hiding this comment.
Fixed, message now explains what went wrong.
| self.token = token | ||
| self.user_name = user_name | ||
| self.groups = groups | ||
| self.description = description | ||
| self.can_expire = can_expire | ||
| self.last_access = datetime.now() | ||
| self.oauth_access_token = oauth_access_token |
There was a problem hiding this comment.
Let's discuss the database schema in a meeting.
… storing acess token and refresh token
feyruzb
force-pushed
the
branch-2-backup
branch
9 times, most recently
from
477c868 to
c474887
Compare
feyruzb
force-pushed
the
branch-2-backup
branch
3 times, most recently
from
719771e to
868b7e5
Compare
fixes #4160
The right way it should look after logging in
new added button to log in with github
Changes: