[almighty] User/Login model refactoring

Alexey Kazakov alkazako at redhat.com
Fri Jan 27 07:36:43 UTC 2017 

Hi all,

After some discussion with Aslak and Max I would lit to share proposal 
of User/login model update in almighty-core as part of our move to 
Keycloak auth. I'm copying this from 
https://github.com/almighty/almighty-core/issues/672 (Use keycloak 
tokens instead of generating our own ones when serving client auth 
requests).

/*What we currently have in our model:*/

*Identity* (represents a user)

     - uuid (generated automatically) - This uuid is used as "creator" 
and "assignee" in our payloads and it's also stored in the JWT token we 
generate after authentication.
     - fullName (human name - string)
     - avatarImage (URL string)
     - users []User (list of associated users, each user just represents 
a email)

*User*

     - uuid (generated automatically)
     - email (just a string)
     - identity-uuid (Identity association)

*/Proposed model:/*

*User* (represents a user account in our system)

     - uuid (generated automatically) - Our internal user ID. Used for 
associations with Logins
     - fullName (human name - string)
     - avatarImage (URL string)
     - logins []Login (list of associated logins)

*Login* I actually don't like this name. Can we call it *Identity 
Provider User* or somewhat else to avoid confusions? This is a 
representation of user provided by some particular Identity Provider 
such as: a) Our Keycloak; b) GitHub (for remote WI's); c) JIRA (for 
remote WI's), etc.

     - uuid - Generated automatically for remote WI but in case of KC 
the uuid from the KC user is used. This uuid is used as "creator" and 
"assignee" in our payloads and it's also represented in the KC token we 
retrieve from KC during authentication. So, our token is always 
associated with a Login.
     - username (string) - Username used by corresponding IDP. It's not 
unique in our system (it's supposed to be unique for the particular IDP 
though).
     - email (string)
     - idp (string) - Some IDP key/ID which will indicate from what IDP 
we got this Login. Possible values: "keycloak", "github", "jira", etc.

When a user is logging in we authenticate in our Keycloak (which uses 
developers.redhat.com as the default IDP). A new Login is created. We 
use uuid of the Keycloak user. idp="keycloak". We also create a User and 
associate these User - Login. We return the retrieved Keycloak token 
which will be used by UI for authentication. So there is a strong 
assassination between a token and a keyclaok Login.

When we import a remote WI (from JIRA, github, etc) we create a Login 
which is not associated with any User yet. Open question: how we 
associate remote WI's (imported from github, etc) with User. We would 
need some manual workflow for that.

This update will requre a massive refactoring in almighty-core (and ui 
probably too) :-(

Any thoughts?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/almighty-public/attachments/20170126/5b50e122/attachment.htm>

More information about the almighty-public mailing list