This repository has been archived by the owner on Jul 30, 2019. It is now read-only.

Add a new flow based on the "prompt:none" scope #5

Merged

Conversation

rjw57
Member

@rjw57 rjw57 commented Apr 11, 2018

IMPORTANT: this PR is best reviewed commit-wise. When testing, you will need to re-create the OAuth2 clients via the scripts/create-clients.sh script.

This PR addresses #4 by teaching the consent app about a new scope: prompt:none. If this scope is present in the request and there is not currently a user logged in, the request is immediately denied without redirecting to the Raven login dialog. If the user is logged in, the request is processed as per normal. This can be used to support "background" login where we first check to see if we can log in without using a UI and only if that fails do we attempt UI-based login.

Most of the early commits are general tidy-ups required to implement the functionality of the PR.

63b9f71 provides the actual implementation of the prompt:none flow. The exact scope used is configurable via a Django setting.

d0d66be provides documentation for the new flow and adds an expanded section to the documentation on issuing tokens which may be used as a basis for testing this PR.

This PR is required by the new token timeout behaviour in uisautomation/iar-frontend#153.

Closes #4

Bump to the latest version of hydra at the moment (v0.11.12).

The omit clause in .coveragerc was being ignored since --omit was passed
explicitly on the command line in tox.ini. Remove the explicit --omit.

The rejection reason was hard-coded. In preparation for rejecting the
request due to user not being logged in, make this configurable.

As a step towards allowing implicit login/prompt=none style workflow,
move the consent processing before the user login.

Fix up tests which assumed consent processing happened before login to
check consent processing before and after login.

Recognise a special scope, defaulting to "prompt:none" but configurable
via the CONSENT_PROMPT_NONE_SCOPE setting, which will never redirect the
user to a login page but will accept or reject the consent request based
entirely on the existing login state.

This can be used to implement UI-less login flows where we can detect if
the user can be automatically logged in and, if so, log them in.

Closes uisautomation#4

Update documentation and example scripts to allow demonstrating the
"prompt:none" flow. A new page is added to the documentation taking the
user through both the normal and "prompt:none" flow and demonstrating
the difference.
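As an added example (not code from the hydra-consent-app repository or from this PR), the accept/reject/login decision described in the PR description and in the "Recognise a special scope" commit, together with the client-side probe-then-fall-back pattern the description calls background login. Every name here (`Decision`, `decide`, `background_login`, `PROMPT_NONE_SCOPE`, the subject `abc123`) is this example's own; the real app's Django view, its Hydra API calls and the Raven redirect are not reproduced, and treating "processed as per normal" as an immediate grant for a logged-in user is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple

# Stands in for the CONSENT_PROMPT_NONE_SCOPE Django setting the PR adds;
# the default value is the PR's default.
PROMPT_NONE_SCOPE = "prompt:none"


@dataclass(frozen=True)
class Decision:
    """What the consent app answers for a request (example type, not the app's).

    action is one of:
      "accept" - grant the request for `subject` with `grant_scopes`
      "reject" - reject the request with `reason`, no login UI shown
      "login"  - send the browser to the login dialog first
    """
    action: str
    subject: Optional[str] = None
    grant_scopes: Tuple[str, ...] = ()
    reason: Optional[str] = None


def decide(requested_scopes: Sequence[str], subject: Optional[str],
           prompt_none_scope: str = PROMPT_NONE_SCOPE) -> Decision:
    """Decide how to answer one consent request.

    `subject` is the logged-in user's identifier, or None when nobody is
    logged in.  A logged-in user is accepted whether or not the prompt:none
    scope is present; the scope only changes what happens when nobody is
    logged in: reject at once instead of redirecting to the login UI.
    """
    scopes = tuple(requested_scopes)
    # Assumption of this example: the signalling scope is not itself granted,
    # so it never ends up in an issued token's scope list.
    grant = tuple(s for s in scopes if s != prompt_none_scope)

    if subject is not None:
        return Decision("accept", subject=subject, grant_scopes=grant)
    if prompt_none_scope in scopes:
        # Background-login probe: fail fast, never show a login dialog.
        return Decision("reject", reason="user not logged in")
    return Decision("login")


ConsentFn = Callable[[Sequence[str]], Decision]


def background_login(request_consent: ConsentFn,
                     scopes: Sequence[str]) -> Tuple[Decision, bool]:
    """Client-side pattern from the PR description.

    Probe with the prompt:none scope added; if that is accepted the user was
    logged in without any UI.  Otherwise fall back to a normal request, which
    may route the user through the login UI.  Returns (decision, used_ui_flow).
    `request_consent` stands in for the round trip through Hydra and the
    consent app; here it is just a callable.
    """
    probe = request_consent(list(scopes) + [PROMPT_NONE_SCOPE])
    if probe.action == "accept":
        return probe, False
    return request_consent(list(scopes)), True


if __name__ == "__main__":
    # Constructed sample: a client asking for "openid" against a consent app
    # where nobody is logged in, then against one with user "abc123".
    for user in (None, "abc123"):
        final, used_ui = background_login(lambda s: decide(s, user), ["openid"])
        print(f"subject={user!r}: {final.action}, used UI flow: {used_ui}")
```

The probe request must be a separate OAuth2 client configured for the prompt:none scope, which is why the PR description asks reviewers to re-create the clients with scripts/create-clients.sh before testing.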
@rjw57 rjw57 requested a review from a team April 11, 2018 13:11
@codecov-io

Codecov Report

Merging #5 into master will decrease coverage by 1.47%.
The diff coverage is 100%.


@@            Coverage Diff             @@
##           master       #5      +/-   ##
==========================================
- Coverage    90.7%   89.23%   -1.48%     
==========================================
  Files          21        8      -13     
  Lines         355      130     -225     
==========================================
- Hits          322      116     -206     
+ Misses         33       14      -19
Impacted Files Coverage Δ
ravenconsent/hydra.py 76.92% <100%> (+0.45%) ⬆️
ravenconsent/defaultsettings.py 100% <100%> (ø) ⬆️
ravenconsent/views.py 100% <100%> (ø) ⬆️
manage.py
ucamoauth2consent/tests/runner.py
ucamoauth2consent/settings/tox.py
ucamoauth2consent/settings/__init__.py
ucamoauth2consent/settings/base.py
ravenconsent/tests/test_hydra.py
... and 5 more


Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 321fa36...d0d66be.

rjw57 added a commit to rjw57/experimental-mock-consent-app that referenced this pull request Apr 12, 2018
Implement prompt:none flow to match that proposed in
uisautomation/hydra-consent-app#5. This commit is intended to keep the
mock consent app and real consent app in lock step with regards to
features.

Update the app to cache the current subject in the flask session and
automatically grant requests if there is a user in the session. This
approximates the existing Raven behaviour.

Teach the app about the "prompt:none" scope which signals that the
request should be immediately rejected if there is not a user in the
session.
@abrahammartin abrahammartin merged commit 36e1000 into uisautomation:master Apr 23, 2018
@rjw57 rjw57 deleted the issue-4-prompt-none-workflow branch April 23, 2018 15:13