Date: Fri, 28 Aug 2020 14:31:00 +0000 (UTC)
From: "Marcus Christie (Jira)"
To: issues@airavata.apache.org
Subject: [jira] [Commented] (AIRAVATA-3319) Handle missing name and email attributes from CILogon
[ https://issues.apache.org/jira/browse/AIRAVATA-3319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17186571#comment-17186571 ]

Marcus Christie commented on AIRAVATA-3319:
-------------------------------------------

The eduPersonPrincipalName is available in the eppn attribute, which is returned for the org.cilogon.userinfo scope -- https://www.cilogon.org/oidc

> Handle missing name and email attributes from CILogon
> -----------------------------------------------------
>
>                 Key: AIRAVATA-3319
>                 URL: https://issues.apache.org/jira/browse/AIRAVATA-3319
>             Project: Airavata
>          Issue Type: New Feature
>          Components: Django Portal
>            Reporter: Marcus Christie
>            Assignee: Marcus Christie
>            Priority: Major
>
> {quote}
> tl;dr: CILogon will no longer require Identity Providers (IdPs) to assert email addresses and names for new users of OAuth2/OIDC (OpenID Connect) clients.
> {quote}
> [https://groups.google.com/a/cilogon.org/forum/#!topic/outages/kksaYVrW1Io]
>
> This issue is to design a user authentication flow that handles missing attributes and prompts the user to supply them as necessary.
>
> h2. Questions
> - [ ] Will we always get a {{preferred_username}} attribute? Question for CILogon team
> - [ ] What will Keycloak do if any of these attributes are missing?
>
> h2. Design
>
> h3. User doesn't have first name and/or last name attributes
> - callback handles user authentication
> - fetch userinfo and check for missing attributes
> - note that first and/or last name are missing
> - disable user in Keycloak
> - (?) Question: log the user in with a flag that profile is not complete? Or don't log the user in and put the user information somewhere in the session?
> -- I think, log the user in but set a session flag that the profile is not complete. In workspace/signals.py and in the UI use this to prevent API calls and to prevent the user from seeing UIs that they can't yet interact with.
> - redirect user to web form with profile information filled in
> -- email
> -- email again
> -- first name (if available)
> -- last name (if available)
> - user submits form
> - validate form
> - if form is valid and all required information is supplied, then ...
> -- update the user record in Keycloak
> -- enable the user
>
> h3. User doesn't have email attribute
> Similar flow to above except
> - send the user an email verification link if the profile is complete and the email address has been supplied
> -- more generally, if the user updates their profile information and the email changes, need to re-verify the email address
> - when the email verification link is clicked, re-check that the profile is complete
> - if profile is complete, update the user record and enable the user
> - otherwise kick the user to the profile form and require the missing profile attributes
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
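The profile-completion gate sketched in the ticket's Design section, written out as an added Python example (not code from the Airavata Django portal or from Marcus Christie): a constructed in-memory PortalUser stands in for the Keycloak user record, the claim names given_name/family_name/email and the email_confirm form field are assumptions, and the returned session dict carries the "profile incomplete" flag the ticket proposes for workspace/signals.py and the UI.

```python
from dataclasses import dataclass

# OIDC userinfo claims the portal needs, in PortalUser field order (assumed claim names).
REQUIRED_CLAIMS = {"given_name": "first_name", "family_name": "last_name", "email": "email"}

@dataclass
class PortalUser:
    """Constructed in-memory stand-in for the Keycloak user record (not the admin API)."""
    username: str
    first_name: str = ""
    last_name: str = ""
    email: str = ""
    email_verified: bool = False
    enabled: bool = True

def handle_callback(userinfo: dict) -> tuple:
    """Callback step: create the user, disable them in Keycloak if any attribute is missing,
    and return session flags the UI uses to hide API-backed views until the profile is done."""
    user = PortalUser(userinfo["preferred_username"],
                      *[userinfo.get(c, "") for c in REQUIRED_CLAIMS],
                      email_verified=bool(userinfo.get("email")))  # assumption: IdP-asserted email is trusted
    missing = [f for c, f in REQUIRED_CLAIMS.items() if not userinfo.get(c)]
    user.enabled = not missing
    return user, {"profile_incomplete": bool(missing), "missing": missing}

def finalize(user: PortalUser, session: dict) -> bool:
    """Enable the user only when every attribute is present and the email is verified."""
    complete = all([user.first_name, user.last_name, user.email, user.email_verified])
    user.enabled = complete
    session["profile_incomplete"] = not complete
    return complete

def submit_profile(user: PortalUser, session: dict, form: dict) -> list:
    """Validate the profile form (all fields, matching emails); apply it; a changed
    email drops verification so the user must click a new verification link."""
    errors = [f for f in ("first_name", "last_name", "email") if not form.get(f)]
    if form.get("email") != form.get("email_confirm"):
        errors.append("email_confirm")
    if errors:
        return errors
    if form["email"] != user.email:
        user.email, user.email_verified = form["email"], False
    user.first_name, user.last_name = form["first_name"], form["last_name"]
    finalize(user, session)
    return []

def verify_email(user: PortalUser, session: dict) -> bool:
    """Verification link clicked: mark the email verified, then re-check the whole profile."""
    user.email_verified = True
    return finalize(user, session)
```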