<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 27, 2017 at 1:06 PM, Alexey Kazakov <span dir="ltr"><<a href="mailto:alkazako@redhat.com" target="_blank">alkazako@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
Hi all,<br>
<br>
After some discussion with Aslak and Max I would lit to share
proposal of User/login model update in almighty-core as part of our
move to Keycloak auth. I'm copying this from
<a class="gmail-m_7461226904653269219moz-txt-link-freetext" href="https://github.com/almighty/almighty-core/issues/672" target="_blank">https://github.com/almighty/<wbr>almighty-core/issues/672</a> (Use keycloak
tokens instead of generating our own ones when serving client auth
requests).
<br>
<br>
<i><b>What we currently have in our model:</b></i><br>
<br>
<b>Identity</b> (represents a user)<br>
<br>
- uuid (generated automatically) - This uuid is used as
"creator" and "assignee" in our payloads and it's also stored in the
JWT token we generate after authentication.<br>
- fullName (human name - string)<br>
- avatarImage (URL string)<br>
- users []User (list of associated users, each user just
represents a email)<br>
<br>
<b>User</b><br>
<br>
- uuid (generated automatically)<br>
- email (just a string)<br>
- identity-uuid (Identity association)<br>
<br>
<b><i>Proposed model:</i></b><br>
<br>
<b>User</b> (represents a user account in our system)<br>
<br>
- uuid (generated automatically) - Our internal user ID. Used
for associations with Logins<br>
- fullName (human name - string)<br>
- avatarImage (URL string)<br>
- logins []Login (list of associated logins)<br>
<br>
<b>Login</b> I actually don't like this name. Can we call it <b>Identity
Provider User</b> or somewhat else to avoid confusions? This is a
representation of user provided by some particular Identity Provider
such as: a) Our Keycloak; b) GitHub (for remote WI's); c) JIRA (for
remote WI's), etc.<br>
<br>
- uuid - Generated automatically for remote WI but in case of KC
the uuid from the KC user is used. This uuid is used as "creator"
and "assignee" in our payloads and it's also represented in the KC
token we retrieve from KC during authentication. So, our token is
always associated with a Login.<br>
- username (string) - Username used by corresponding IDP. It's
not unique in our system (it's supposed to be unique for the
particular IDP though).<br>
- email (string)<br>
- idp (string) - Some IDP key/ID which will indicate from what
IDP we got this Login. Possible values: "keycloak", "github",
"jira", etc.<br>
<br></div></blockquote><div><br></div><div>I see a deviation from the previous model where we stored <b>identity-uuid </b>in the (old)<b>User</b> model.I guess the deviation is because for remote workitems , we only have the "Login" and not the (new model) User. <br></div><div><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
When a user is logging in we authenticate in our Keycloak (which
uses <a href="http://developers.redhat.com" target="_blank">developers.redhat.com</a> as the default IDP). A new Login is
created. We use uuid of the Keycloak user. idp="keycloak". We also
create a User and associate these User - Login. We return the
retrieved Keycloak token which will be used by UI for
authentication. So there is a strong assassination between a token
and a keyclaok Login.<br>
<br></div></blockquote><div><br></div><div>This sounds good.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
When we import a remote WI (from JIRA, github, etc) we create a
Login which is not associated with any User yet. Open question: how
we associate remote WI's (imported from github, etc) with User. We
would need some manual workflow for that.<br></div></blockquote><div><br><br></div><div>When we import remote workitems from github, are we going to leave the 'email' field blank/null in <b>Login</b> ?<br><br></div><div>One complex way to get user email information in case of github is that the API response for a GH issue <br><br>- <a href="https://api.github.com/repos/almighty/almighty-core/issues/133">https://api.github.com/repos/almighty/almighty-core/issues/133</a><br></div><div>has the user endpoints.<br><br></div><div>- the creator/assignee api url is found in the response as <a href="https://api.github.com/users/aslakknutsen">https://api.github.com/users/aslakknutsen</a> which further provides the email address,full name,etc<br></div><div><br></div><div>- use this email address to associate a <b>Login </b>with a <b>User . </b>Drawback of this is that github allows addition of multiple email addresses which the GH API wouldn't expose.<br><br><br><br></div><div><b>Another way </b>is to use the github user url to uniquely identify a <b>Login</b><br></div><div bgcolor="#FFFFFF"> So the combo of an [ idp "github" + gh user url ] is always going to be unique in the <b>Login </b>table. This could lead to using user urls instead of email for all IDPs ?<br><br><br>
This update will requre a massive refactoring in almighty-core (and
ui probably too) :-(<br>
<br>
Any thoughts?<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>______________________________<wbr>_________________<br>
almighty-public mailing list<br>
<a href="mailto:almighty-public@redhat.com">almighty-public@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/almighty-public" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/almighty-<wbr>public</a><br>
<br></blockquote></div><br></div></div>