mattjackson220 opened a new pull request #3763: Oauth authentication rebase
URL: https://github.com/apache/trafficcontrol/pull/3763

## What does this PR (Pull Request) do?

Sets up integration with OAuth providers to allow Single Sign On instead of username/password login to Traffic Portal. It defaults to disabled. Once OAuth is set up, login will follow these steps:

- User will go to TP login page as usual, for example at tp.domain.com. If OAuth is enabled, a single button will be visible to login with SSO.
- When button is clicked, it will redirect to the OAuth provider URL from the traffic_portal_properties.json.
- OAuth provider will authenticate the user using SSO. If user is not logged in, they will be redirected to SSO login page. If user is logged in, they will be redirected to tp.domain.com/#!/sso?auth_token=encryptedTokenFromOAuthProvider
- the /sso page will parse the token and POST to the API /user/login/oauth endpoint
- the API /user/login/oauth endpoint will decode and validate the token, cross reference the Json Key Set URL against the whitelisted URLs in the cdn.conf file, query the database to get the user's role, and if all of that is successful, return a cookie.
- If the login is successful, the user will be redirected to the page they were trying to see. If login was unsuccessful, a 401 error will be returned and the user will be redirected back to the login page.

- [x] This PR is not related to any Issue

## Which Traffic Control components are affected by this PR?

- Documentation
- Traffic Ops
- Traffic Portal

## What is the best way to verify this PR?

To test using CDN In A Box:

- Update config.sh to:

  ```json
  "whitelisted_oauth_urls": [ "insert domain for your expected Json Key Set returned by oAuth provider" ]
  ```

- Update traffic_portal_properties.json to:

  ```json
  "oAuth": {
    "_comment": "Opt-in OAuth properties for SSO login",
    "enabled": true,
    "oAuthUrl": "insert your oAuth provider URL",
    "oAuthTokenQueryParam": "insert your oAuth provider's token query parameter"
  }
  ```

- Run CDN in a box
- Verify new login page only shows button to login with SSO
- Click button with Network panel open and verify that it makes call to OAuth provider
- Verify that login failed
- Login to db container: `docker exec -it cdn-in-a-box_db_1 /bin/bash`
- Login to postgres: `psql -d traffic_ops -U traffic_ops`
- Insert your user into db:

  ```sql
  insert into tm_user (username, role, tenant_id) values ('yourUserId', (SELECT id FROM role WHERE name = 'admin'), (SELECT id FROM tenant WHERE name='root'));
  ```

- Click Login button again, Verify call to OAuth provider, Verify that login succeeds
- Log out
- Try to go directly to /#!/servers endpoint
- Verify it requires login and shows SSO login page
- Click Login
- Verify call to OAuth provider, verify login successful, verify it redirects to /#!/servers endpoint
- Update config.sh to: `"whitelisted_oauth_urls": []`
- Restart Traffic Ops
- Try to log in and verify it returns the following error: "Key URL from token is not included in the whitelisted urls. Received: //url"

## The following criteria are ALL met by this PR

- [x] This PR includes tests OR I have explained why tests are unnecessary
- [x] This PR includes documentation OR I have explained why documentation is unnecessary
- [x] This PR includes an update to CHANGELOG.md OR such an update is not necessary
- [x] This PR includes any and all required license headers
- [x] This PR ensures that database migration sequence is correct OR this PR does not include a database migration
- [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY** (see [the Apache Software Foundation's security guidelines](https://www.apache.org/security/) for details)
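The whitelist step in the login flow above (cross-referencing the token's Json Key Set URL against `whitelisted_oauth_urls` before trusting the token) is shown here as an added Go example; it is not code from the Traffic Control project or from this PR. It assumes the key-set URL travels in the token's `jku` header parameter and that whitelist entries are hostnames, both of which are assumptions the PR text does not confirm. The sample token is constructed and unsigned so the check runs offline; a real handler would fetch the key set and verify the signature only after this check passes.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample whitelist in the spirit of cdn.conf's
// "whitelisted_oauth_urls". Assumption: entries are hostnames.
var whitelistedOAuthURLs = []string{"keys.example-idp.test"}

// jwkURLFromToken extracts the key-set URL from a compact JWS/JWT.
// Assumption: the provider places it in the "jku" header parameter;
// the PR does not state which field Traffic Ops reads.
func jwkURLFromToken(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token is not a three-part compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("decoding header: %w", err)
	}
	var hdr struct {
		JKU string `json:"jku"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("parsing header: %w", err)
	}
	return hdr.JKU, nil
}

// checkKeyURL enforces the whitelist: the key-set URL must be https, must
// carry a host, and that host must exactly equal a whitelisted entry.
// Exact host comparison (never substring or prefix matching) is what keeps
// a look-alike host such as keys.example-idp.test.attacker.test out.
func checkKeyURL(keyURL string, whitelist []string) error {
	u, err := url.Parse(keyURL)
	if err != nil {
		return fmt.Errorf("key URL is not parseable: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("key URL must use https, got %q", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return fmt.Errorf("key URL from token has no host. Received: %s", keyURL)
	}
	for _, w := range whitelist {
		if strings.EqualFold(strings.TrimSpace(w), host) {
			return nil
		}
	}
	return fmt.Errorf("key URL from token is not included in the whitelisted urls. Received: %s", keyURL)
}

// validateTokenKeyURL is what a login handler would call before fetching
// any keys: an untrusted token must not steer the server to an arbitrary URL.
func validateTokenKeyURL(token string, whitelist []string) error {
	keyURL, err := jwkURLFromToken(token)
	if err != nil {
		return err
	}
	return checkKeyURL(keyURL, whitelist)
}

// sampleToken builds a constructed, unsigned token whose header carries the
// given jku, so the check can be exercised offline (the signature is a dummy).
func sampleToken(jku string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "jku": jku})
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc([]byte(`{"sub":"yourUserId"}`)) + "." + enc([]byte("dummy-signature"))
}

func main() {
	for _, jku := range []string{
		"https://keys.example-idp.test/.well-known/jwks.json",
		"https://keys.example-idp.test.attacker.test/jwks",
		"http://keys.example-idp.test/jwks",
		"https:///jwks",
	} {
		fmt.Printf("%-55s -> %v\n", jku, validateTokenKeyURL(sampleToken(jku), whitelistedOAuthURLs))
	}
}
```

Only the first URL in `main` passes; the others are rejected for a look-alike host, a non-https scheme, and a missing host respectively, and an empty whitelist (the PR's final verification step) rejects everything.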
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
