<div dir="auto"><div><br><div class="gmail_extra"><br><div class="gmail_quote">On 27 Jan 2017 10:23 pm, "Alexey Kazakov" <<a href="mailto:alkazako@redhat.com">alkazako@redhat.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="quoted-text">
<div class="m_-2782429945630418526moz-cite-prefix">On 01/27/2017 04:07 AM, Pete Muir
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Related to this, we need some additional info that
relates to the user's profile in the UI:
<div><br>
</div>
<div>This is our UI model.</div>
<div><br>
</div>
<div>
<div>export class Profile {</div>
<div> fullName: string;</div>
<div> imageURL: string;</div>
<div> bio?: string;</div>
<div> username?: string;</div>
</div>
</div>
</blockquote></div>
Username is optional in UI? Username is required and immutable in
Keycloak. So, we will have it when a user signs in/up via
<a href="http://developer.redhat.com" target="_blank">developer.redhat.com</a>. And we can't change it.</div></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">It's only optional in the UI as we are currently not getting it in the payload we get from KC and have to stub it out. If we get the username from KC, it will change to required. Immutable is fine.</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div class="quoted-text"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div> url?: string;</div>
<div> emails?: string[];</div>
<div> primaryEmail?: string;</div></div></div></blockquote></div></div></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">This one also shouldn't be optional, we are just missing it from KC right now.</div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div class="quoted-text"><blockquote type="cite"><div dir="ltr"><div>
<div> notificationEmail?: string;</div>
<div> publicEmail?: string;</div>
<div> primaryEmailPrivate?: boolean;</div>
<div> emailPreference?: string;</div>
<div> notificationMethods?: string[];</div>
<div>}</div>
</div>
</div>
</blockquote></div>
Some of these fields already exist in Keycloak. Some we can/should
add to either our internal model/DB or directly to our Keycloak as
user attributes. If we add them as attributes to Keycloak then they
will be available in the token too. But we probably don't need all
of this info in the token anyway. So, I think keeping all additional
info in our DB will be easier.<br></div></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">Yes, some, like notification method, definitely don't need to go in the token, so I agree with your design. When you are ready let us know the calls to make and we can wire up the UI.</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
Another question. Do you expect your <a href="http://developers.redhat.com" target="_blank">developers.redhat.com</a> account
updated/changed if you edit your profile in fabric8 ui?</div></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">That was the design from Todd, but I don't feel it is MVP, so if we can just provide a read-only view and a link to d.r.c to update it, I think that will work. Do you know the URL for this? If so, could you file a fabric8-ui issue for the fields that will be read-only and the URL, and e.g. Mitch or I can update the UI.</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"> Full Name or
Email. It seems to be technically possible but we will probably need
to communicate with the RHD Keycloak directly to do so. So, I hope
this is something we can take care of after the summit. WDYT?<div class="quoted-text"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Not 100% to do with this thread (as this is their profile,
not their login info), but may help you.</div>
</div>
</blockquote>
<br></div>
This is definitely useful information. Thanks Pete! We will take it
into account. I would change our user/login model step by step. We
can add more fields to the model later when we're done with the
essential login/token changes in the model.<br></div></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">Sounds good. We are mocking all of this in the UI right now, so we are not blocking on this. Username and email access is the top priority in the UI, as those are quite fundamental, and mean we have hacks to make stuff work (look up user account using full name ;-).</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<br>
Thanks.<div class="elided-text"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 27 January 2017 at 07:36, Alexey
Kazakov <span dir="ltr"><<a href="mailto:alkazako@redhat.com" target="_blank">alkazako@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi all,<br>
<br>
After some discussion with Aslak and Max I would like to
share a proposal of User/login model update in almighty-core
as part of our move to Keycloak auth. I'm copying this
from <a class="m_-2782429945630418526m_2832717789264209377moz-txt-link-freetext" href="https://github.com/almighty/almighty-core/issues/672" target="_blank">https://github.com/almighty/al<wbr>mighty-core/issues/672</a>
(Use keycloak tokens instead of generating our own ones
when serving client auth requests). <br>
<br>
<i><b>What we currently have in our model:</b></i><br>
<br>
<b>Identity</b> (represents a user)<br>
<br>
- uuid (generated automatically) - This uuid is used
as "creator" and "assignee" in our payloads and it's also
stored in the JWT token we generate after authentication.<br>
- fullName (human name - string)<br>
- avatarImage (URL string)<br>
- users []User (list of associated users, each user
just represents an email)<br>
<br>
<b>User</b><br>
<br>
- uuid (generated automatically)<br>
- email (just a string)<br>
- identity-uuid (Identity association)<br>
<br>
<b><i>Proposed model:</i></b><br>
<br>
<b>User</b> (represents a user account in our system)<br>
<br>
- uuid (generated automatically) - Our internal user
ID. Used for associations with Logins<br>
- fullName (human name - string)<br>
- avatarImage (URL string)<br>
- logins []Login (list of associated logins)<br>
<br>
<b>Login</b> I actually don't like this name. Can we call
it <b>Identity Provider User</b> or something else to
avoid confusions? This is a representation of user
provided by some particular Identity Provider such as: a)
Our Keycloak; b) GitHub (for remote WI's); c) JIRA (for
remote WI's), etc.<br>
<br>
- uuid - Generated automatically for remote WI but in
case of KC the uuid from the KC user is used. This uuid is
used as "creator" and "assignee" in our payloads and it's
also represented in the KC token we retrieve from KC
during authentication. So, our token is always associated
with a Login.<br>
- username (string) - Username used by corresponding
IDP. It's not unique in our system (it's supposed to be
unique for the particular IDP though).<br>
- email (string)<br>
- idp (string) - Some IDP key/ID which will indicate
from what IDP we got this Login. Possible values:
"keycloak", "github", "jira", etc.<br>
<br>
When a user is logging in we authenticate in our Keycloak
(which uses <a href="http://developers.redhat.com" target="_blank">developers.redhat.com</a>
as the default IDP). A new Login is created. We use uuid
of the Keycloak user. idp="keycloak". We also create a
User and associate these User - Login. We return the
retrieved Keycloak token which will be used by UI for
authentication. So there is a strong association between
a token and a Keycloak Login.<br>
<br>
When we import a remote WI (from JIRA, github, etc) we
create a Login which is not associated with any User yet.
Open question: how we associate remote WI's (imported from
github, etc) with User. We would need some manual workflow
for that.<br>
<br>
This update will require a massive refactoring in
almighty-core (and ui probably too) :-(<br>
<br>
Any thoughts?<br>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div>
</blockquote></div><br></div></div></div>
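
The User/Login model proposed in the quoted message, sketched in Go as an added example that is not part of the thread or of almighty-core. The `Store` type, its method names, the in-memory maps and the `"user-"` id prefix are assumptions made for illustration; it shows why a Login has to be resolved by (idp, username) rather than by username or full name alone.

```go
package main

import "fmt"

// Login is a user as one identity provider sees it; UserID is empty until linked.
type Login struct{ UUID, Username, Email, IDP, UserID string }
// User is the internal account; Logins lists the UUIDs of its associated Logins.
type User struct{ UUID, FullName string; Logins []string }

// Store is a hypothetical in-memory stand-in for the database.
type Store struct {
	logins map[string]*Login    // by Login.UUID
	users  map[string]*User     // by User.UUID
	byName map[[2]string]string // (idp, username) -> Login.UUID
}

func NewStore() *Store { return &Store{map[string]*Login{}, map[string]*User{}, map[[2]string]string{}} }

// AddLogin stores a Login; usernames are unique per IDP, not across the system.
func (s *Store) AddLogin(l Login) error {
	k := [2]string{l.IDP, l.Username}
	if id, ok := s.byName[k]; ok && id != l.UUID {
		return fmt.Errorf("username %q already taken for idp %q", l.Username, l.IDP)
	}
	s.logins[l.UUID], s.byName[k] = &l, l.UUID
	return nil
}

// Find resolves a Login by (idp, username); a bare username would be ambiguous.
func (s *Store) Find(idp, username string) *Login { return s.logins[s.byName[[2]string{idp, username}]] }

// SignIn reuses the Keycloak user's uuid for the Login and links a User on first sight.
func (s *Store) SignIn(kcUUID, username, email, fullName string) (*User, error) {
	if l, ok := s.logins[kcUUID]; ok {
		return s.users[l.UserID], nil
	}
	if err := s.AddLogin(Login{UUID: kcUUID, Username: username, Email: email, IDP: "keycloak"}); err != nil {
		return nil, err
	}
	u := &User{"user-" + kcUUID, fullName, []string{kcUUID}} // constructed internal id
	s.users[u.UUID], s.logins[kcUUID].UserID = u, u.UUID
	return u, nil
}

func main() {
	s := NewStore()
	u, _ := s.SignIn("kc-1", "alice", "alice@example.com", "Alice A") // constructed values
	_ = s.AddLogin(Login{UUID: "gh-9", Username: "alice", IDP: "github"}) // imported WI author
	fmt.Println(u.UUID, s.Find("github", "alice").UserID == "")
}
```

The GitHub "alice" stays unlinked until the manual association workflow mentioned in the proposal exists, so it never inherits the Keycloak account of the same name.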