[ https://issues.apache.org/jira/browse/AIRAVATA-3319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17188007#comment-17188007 ]

Marcus Christie commented on AIRAVATA-3319:
-------------------------------------------

I asked the CILogon team about the eduPersonPrincipalName (ePPN) attribute. 
Short answer: one of ePPN or ePTID is required, but really the "sub" field 
should be used as the identifying claim.

{quote}
Hi Marcus,

After the April 2020 update, an IdP needs to minimally assert a user identifier 
for the user. This identifier can be ePPN, ePTID (eduPersonTargetedID), or 
both. So it's not sufficient to rely on email, ePPN, or ePTID to identify the 
user since any of them could be missing.

Instead, your integration should use the CILogon User Identifier to identify 
the user internally. For OIDC transactions, this user id is typically asserted 
as the "sub" claim and is of the format 
"http://cilogon.org/serverA/users/12345". (The CILogon User Identifier is now 
shown in the "User Attributes" block after you log on to https://cilogon.org.) 
You can use https://demo.cilogon.org to see the claims asserted by an IdP. Your 
app could optionally have logic to display the user's name/email (if available) 
if you don't want to show the user id in the UI.

-Terry

On 2020-08-28 9:28 AM, Christie, Marcus Aaron wrote:

Hi CILogon Team,

The Airavata integration with CILogon assumes that we'll get an email and first 
name and last name attributes, and I'm working on updating the logic to handle 
the relaxed requirements announced in April 
(https://groups.google.com/a/cilogon.org/forum/#!topic/outages/kksaYVrW1Io). We 
currently map "email" to the user's username. I was told that using ePPN 
attribute would be better to use for the username, but I have a question: if 
the email attribute isn't released by the IdP, what is the resulting ePPN? Will 
there always be an ePPN?

Thanks,

Marcus

{quote}

> Handle missing name and email attributes from CILogon
> -----------------------------------------------------
>
>                 Key: AIRAVATA-3319
>                 URL: https://issues.apache.org/jira/browse/AIRAVATA-3319
>             Project: Airavata
>          Issue Type: New Feature
>          Components: Django Portal
>            Reporter: Marcus Christie
>            Assignee: Marcus Christie
>            Priority: Major
>
> {quote}
> tl;dr: CILogon will no longer require Identity Providers (IdPs) to assert 
> email addresses and names for new users of OAuth2/OIDC (OpenID Connect) 
> clients.
> {quote}
> [https://groups.google.com/a/cilogon.org/forum/#!topic/outages/kksaYVrW1Io]
> This issue is to design a user authentication flow that handles missing 
> attributes and prompts the user to supply them as necessary.
> h2. Questions
> - [ ] Will we always get a {{preferred_username}} attribute? Question for 
> CILogon team
> - [ ] what will Keycloak do if any of these attributes are missing?
> - [ ] can we set up a test setup where CILogon doesn't return 
> email/firstName/lastName?
> h2. TODO
> - [ ] proxy Django User model and store the Keycloak/CILogon 'sub' attribute 
> as the primary identifier for users
> h2. Design
> h3. User doesn't have first name and/or last name attributes
> - callback handles user authentication
> - fetch userinfo and check for missing attributes
> - note that first and/or last name are missing
> - disable user in Keycloak
> - (?) Question: log the user in with a flag that profile is not complete? Or 
> don't log the user in and put the user information somewhere in the session?
> -- I think, log the user in but set a session flag that the profile is not 
> complete. In workspace/signals.py and in the UI, use this to prevent API calls 
> and to prevent the user from seeing UIs that they can't yet interact with.
> - redirect user to web form with profile information filled in
> -- email
> -- email again
> -- first name (if available)
> -- last name (if available)
> - user submits form
> - validate form
> - if form is valid and all required information is supplied, then ...
> -- update the user record in Keycloak
> -- enable the user
> h3. User doesn't have email attribute
> Similar flow to above except
> - send the user an email verification link if the profile is complete and the 
> email address has been supplied
> -- more generally, if the user updates their profile information and the 
> email changes, need to re-verify the email address
> - when the email verification link is clicked, re-check that the profile is 
> complete
> - if profile is complete, update the user record and enable the user
> - otherwise kick the user to the profile form and require the missing profile 
> attributes
>  
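The following is an added example, not code from the issue or from the Airavata Django Portal, of the two points above: keying the user record on the OIDC "sub" claim (the only identifier guaranteed to be present) rather than on email/ePPN/ePTID, and walking an incomplete profile through the form, e-mail re-verification and enable steps sketched in the Design section. `PortalUser`, the function names and the `store` dict are hypothetical stand-ins for the Django proxy model and Keycloak calls; `given_name`/`family_name` are the standard OIDC claim names; the userinfo responses are constructed, and `serverA/12345` is a placeholder in the "sub" format quoted in the comment.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Profile attributes the portal wants. Since the April 2020 change an IdP may
# omit any of them, so none of them may serve as the user's primary key.
PROFILE_ATTRIBUTES = ("email", "given_name", "family_name")


@dataclass
class PortalUser:
    """Hypothetical stand-in for a Django User proxy keyed on the CILogon 'sub'."""
    sub: str                          # CILogon User Identifier, the stable primary key
    email: Optional[str] = None
    given_name: Optional[str] = None
    family_name: Optional[str] = None
    email_verified: bool = False
    enabled: bool = False             # mirrors the Keycloak 'enabled' flag


def identify_user(claims: dict) -> Optional[str]:
    """Return the 'sub' claim, the only identifier OIDC guarantees, or None.

    Keying on 'email' (the old behaviour) or on ePPN/ePTID breaks as soon as the
    IdP withholds that attribute; a valid userinfo response always carries 'sub'."""
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None


def missing_attributes(claims: dict) -> list[str]:
    """Profile attributes the IdP did not release (empty strings count as missing)."""
    return [attr for attr in PROFILE_ATTRIBUTES if not claims.get(attr)]


def profile_is_complete(user: PortalUser) -> bool:
    return bool(user.email and user.given_name and user.family_name
                and user.email_verified)


def handle_callback(store: dict, claims: dict) -> tuple[PortalUser, bool]:
    """Login callback: find or create the user by 'sub', copy whatever the IdP
    released, and report whether the profile is complete. When it is not, the
    caller logs the user in anyway and sets the 'profile incomplete' session flag."""
    sub = identify_user(claims)
    if sub is None:
        raise ValueError("no usable 'sub' claim in userinfo response; refusing login")
    user = store.setdefault(sub, PortalUser(sub=sub))
    for attr in PROFILE_ATTRIBUTES:
        value = claims.get(attr)
        if not value:
            continue
        if attr == "email" and value != user.email:
            # Assumption: an address asserted by the IdP counts as verified;
            # only addresses typed into the profile form need a link.
            user.email_verified = True
        setattr(user, attr, value)
    user.enabled = profile_is_complete(user)   # stays disabled in Keycloak until complete
    return user, user.enabled


def submit_profile_form(user: PortalUser, form: dict) -> list[str]:
    """Profile form step: apply the submitted values, force re-verification when
    the e-mail address changes, and return the attributes that are still missing."""
    if form.get("email") != form.get("email_confirm"):
        raise ValueError("the two e-mail fields do not match")
    for attr in PROFILE_ATTRIBUTES:
        value = form.get(attr)
        if value and value != getattr(user, attr):
            if attr == "email":
                user.email_verified = False   # any change to the address re-verifies it
            setattr(user, attr, value)
    user.enabled = profile_is_complete(user)
    return [attr for attr in PROFILE_ATTRIBUTES if not getattr(user, attr)]


def confirm_email(user: PortalUser) -> bool:
    """Verification link clicked: mark the address verified, then re-check that
    the profile is complete before enabling the user."""
    user.email_verified = True
    user.enabled = profile_is_complete(user)
    return user.enabled


# Constructed sample userinfo responses (not captured from CILogon). The 'sub'
# format follows the one quoted in the comment; serverA/12345 are placeholders.
CLAIMS_MINIMAL = {"sub": "http://cilogon.org/serverA/users/12345",
                  "iss": "https://cilogon.org"}
CLAIMS_FULL = {"sub": "http://cilogon.org/serverA/users/67890",
               "email": "someone@example.edu",
               "given_name": "Some", "family_name": "One"}

if __name__ == "__main__":
    users: dict = {}
    user, complete = handle_callback(users, CLAIMS_MINIMAL)
    print(user.sub, "complete:", complete, "missing:", missing_attributes(CLAIMS_MINIMAL))
```

Two choices worth noting: a login with no "sub" is refused outright rather than falling back to e-mail, since a fallback identifier reintroduces the account-linking problem the comment warns about; and `enabled` is recomputed after every step, so a user can never end up enabled with an unverified address or a half-filled profile.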



--
This message was sent by Atlassian Jira
(v8.3.4#803005)