<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 01/27/2017 04:07 AM, Pete Muir
wrote:<br>
</div>
<blockquote
cite="mid:CALJ_rCXhrTsmdpWYbScvSeQM8oP7owwWpj-QMBrDUHgo5TJW7Q@mail.gmail.com"
type="cite">
<div dir="ltr">Related to this, we need some additional info that
relates to the users profile in the UI:
<div><br>
</div>
<div>This is our UI model.</div>
<div><br>
</div>
<div>
<div>export class Profile {</div>
<div> fullName: string;</div>
<div> imageURL: string;</div>
<div> bio?: string;</div>
<div> username?: string;</div>
</div>
</div>
</blockquote>
Username is optional in UI? Username is required and immutable in
Keycloak. So, we will have it when user sign in/up via
developer.redhat.com. And we can't change it.<br>
<br>
<blockquote
cite="mid:CALJ_rCXhrTsmdpWYbScvSeQM8oP7owwWpj-QMBrDUHgo5TJW7Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div> url?: string;</div>
<div> emails?: string[];</div>
<div> primaryEmail?: string;</div>
<div> notificationEmail?: string;</div>
<div> publicEmail?: string;</div>
<div> primaryEmailPrivate?: boolean;</div>
<div> emailPreference?: string;</div>
<div> notificationMethods?: string[];</div>
<div>}</div>
</div>
</div>
</blockquote>
Some of these fields already exist in Keycloak. Some we can/should
add to either our internal model/DB or directly to our Keycloak as
user attributes. If we add them as attributes to Keycloak then they
will be available in the token too. But we probably don't need all
of this info in the token anyway. So, I think keeping all additional
info in our DB will be easier.<br>
Another question. Do you expect your developers.redhat.com account
updated/changed if you edit your profile in fabric8 ui? Full Name or
Email. It seems to be technically possible but we will probably need
to communicate with the RHD Keycloak directly to do so. So, I hope
this is something we can take care of after the summit. WDYT?<br>
<br>
<blockquote
cite="mid:CALJ_rCXhrTsmdpWYbScvSeQM8oP7owwWpj-QMBrDUHgo5TJW7Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Not 100% todo with this thread (as this is their profile,
not their login info), but may help you.</div>
</div>
</blockquote>
<br>
This is definitely useful information. Thanks Pete! We will take it
into account. I would change our user/login model step by step. We
can add more fields to the model later when we're done with the
essential login/token changes in the model.<br>
<br>
Thanks.<br>
<br>
<blockquote
cite="mid:CALJ_rCXhrTsmdpWYbScvSeQM8oP7owwWpj-QMBrDUHgo5TJW7Q@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27 January 2017 at 07:36, Alexey
Kazakov <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:alkazako@redhat.com" target="_blank">alkazako@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi all,<br>
<br>
After some discussion with Aslak and Max I would lit to
share proposal of User/login model update in almighty-core
as part of our move to Keycloak auth. I'm copying this
from <a moz-do-not-send="true"
class="m_2832717789264209377moz-txt-link-freetext"
href="https://github.com/almighty/almighty-core/issues/672"
target="_blank">https://github.com/almighty/<wbr>almighty-core/issues/672</a>
(Use keycloak tokens instead of generating our own ones
when serving client auth requests). <br>
<br>
<i><b>What we currently have in our model:</b></i><br>
<br>
<b>Identity</b> (represents a user)<br>
<br>
- uuid (generated automatically) - This uuid is used
as "creator" and "assignee" in our payloads and it's also
stored in the JWT token we generate after authentication.<br>
- fullName (human name - string)<br>
- avatarImage (URL string)<br>
- users []User (list of associated users, each user
just represents a email)<br>
<br>
<b>User</b><br>
<br>
- uuid (generated automatically)<br>
- email (just a string)<br>
- identity-uuid (Identity association)<br>
<br>
<b><i>Proposed model:</i></b><br>
<br>
<b>User</b> (represents a user account in our system)<br>
<br>
- uuid (generated automatically) - Our internal user
ID. Used for associations with Logins<br>
- fullName (human name - string)<br>
- avatarImage (URL string)<br>
- logins []Login (list of associated logins)<br>
<br>
<b>Login</b> I actually don't like this name. Can we call
it <b>Identity Provider User</b> or somewhat else to
avoid confusions? This is a representation of user
provided by some particular Identity Provider such as: a)
Our Keycloak; b) GitHub (for remote WI's); c) JIRA (for
remote WI's), etc.<br>
<br>
- uuid - Generated automatically for remote WI but in
case of KC the uuid from the KC user is used. This uuid is
used as "creator" and "assignee" in our payloads and it's
also represented in the KC token we retrieve from KC
during authentication. So, our token is always associated
with a Login.<br>
- username (string) - Username used by corresponding
IDP. It's not unique in our system (it's supposed to be
unique for the particular IDP though).<br>
- email (string)<br>
- idp (string) - Some IDP key/ID which will indicate
from what IDP we got this Login. Possible values:
"keycloak", "github", "jira", etc.<br>
<br>
When a user is logging in we authenticate in our Keycloak
(which uses <a moz-do-not-send="true"
href="http://developers.redhat.com" target="_blank">developers.redhat.com</a>
as the default IDP). A new Login is created. We use uuid
of the Keycloak user. idp="keycloak". We also create a
User and associate these User - Login. We return the
retrieved Keycloak token which will be used by UI for
authentication. So there is a strong assassination between
a token and a keyclaok Login.<br>
<br>
When we import a remote WI (from JIRA, github, etc) we
create a Login which is not associated with any User yet.
Open question: how we associate remote WI's (imported from
github, etc) with User. We would need some manual workflow
for that.<br>
<br>
This update will requre a massive refactoring in
almighty-core (and ui probably too) :-(<br>
<br>
Any thoughts?<br>
</div>
<br>
______________________________<wbr>_________________<br>
almighty-public mailing list<br>
<a moz-do-not-send="true"
href="mailto:almighty-public@redhat.com">almighty-public@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/almighty-public"
rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/almighty-<wbr>public</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>