Plugins oauth2 #1584
Plugins oauth2 #1584
Conversation
|
Just to double check, the plan is to close #1562 and fully review this one, right? |
qiita_core/support_files/server.key
Outdated
There was a problem hiding this comment.
Maybe I'm missing something here...
Should this be a public key, not a private key?
There was a problem hiding this comment.
Nope, the server needs the private key to run.
There was a problem hiding this comment.
Will the server key be automatically regenerated? Otherwise, distributing a
private key is usually not a good idea
On Dec 22, 2015 09:13, "Jose Navas" notifications@github.com wrote:
In qiita_core/support_files/server.key
#1584 (comment):@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----Nope, the server needs the private key to run.
—
Reply to this email directly or view it on GitHub
https://github.com/biocore/qiita/pull/1584/files#r48275147.
|
@josenavas could you update your branch? Note that I merged #1562 with the idea that all test should pass on this one. |
qiita_db/handlers/oauth2.py
Outdated
There was a problem hiding this comment.
@mortonjt this still needs a pull and update before review.
|
Done |
|
Now this has conflicts ... could you fix? Thanks. |
|
Done |
|
👍 when tests pass. |
|
Note that this PR is going to have failures, @josenavas can you fix? |
There was a problem hiding this comment.
This is duplicated from setUp
There was a problem hiding this comment.
I can't remove this one - tests fail. The other 2, however, have been removed.
|
Tests should be passing right now. |
|
Thanks, one more question, should the values of the keys be shown in the qiita-test-install output? |
|
That's probably a good point. However, how is that going to scale? Meaning, as the number of plugins increase, how ugly is going to be showing that list? Do you think that adding to qiita-test-install output is the best one, or should we add a flag, --show-plugin-info that show such information? If so, we can potentially remove the print statements from the patch and just point to the script. What do you think? |
|
I thought the plan was to have a certificate per system not per plugin, is that inaccurate? |
|
The certificate is for the system but each plugin has its own client id and client secret. |
|
IMOO is fine to display all the plugins ids/secrets in the qiita-test-install by default but fine if you want to add a flag for this. |
|
Ok, thanks! Will try to update later today - busy with classes right now... |
|
That seems like a bad security issue if we are going to have people post their qiita-test-install outputs anywhere for debugging, like we do with print_qiime_config, as it will expose all the system's client username and passwords. Flag would be safer, but this issue may still happen if someone accidentally posts their output with the flag on. |
|
IMOO this is fine and why we have an email for help and not a forum. At least for the moment. |
|
Ok, I just realized that to do this correctly I need to do some modifications on the DB. The issue is that the system does not know which client_id belongs to each plugin and although @squirrelo suggested that is not needed for the oauth2 workflow, it is actually needed for the system to keep track of ownerships. I have to work in something else right now, but I will update the PR soon. |
|
PR updated |
qiita_db/support_files/qiita-db.dbs
Outdated
|
Thanks. One minor comment and then 👍 |
|
Comments addressed |
|
What do you mean ownerships? By oauth2 standards, there are no specific ownerships for keys. All you transmit is the client id and client secret, and no other information. If you want to transmit the plugin id or other information as well, that is no longer following oauth2 specification, and we need to discuss this. |
|
I'm not transmitting this information anywhere - is a information that the system needs to know to inform the user which client id and client secret needs to provide to the plugin config file - does it make sense? |
|
Not really. There's no reason we couldn't use a single client id/secret per system for app plugins if we wanted to, and this may actually make sense for single-computer systems like laptop deploys, since it means the user only needs one client login instead of many. The multi-client login does makes sense for larger or distributed setups, however. |
|
Ok this is getting annoying - in one of my previous comments I stated that each plugin has its own cliend_id/client_secret pair. If you didn't agree with that, you should raise up your concern then, instead of wasting my time. I'm not going to continue working on this until we reach a consensus. |
|
There is nothing in the code that limits the use of the same id/secret if the user chooses to, right? In that case, we are covering both scenarios, right? |
|
Yes - right now we are covering both scenarios. |
|
I'm unsure why the tests are failing here - my guess is that it has to do with the Oauth2 authorization. I've done a small change to see if tests pass now as I can't reproduce in my machine. |
|
Ok, it looks like it was a timing issue |
|
@squirrelo ping |
5 participants
This modifies the plugins so they work with OAuth2.
This includes the commits from @squirrelo in #1562