Implement globus_auth (new Globus OAuth plus groups) provider for webauthn
Closed this issue · 4 comments
Just parking this here so I don't have to search my mail for it:
FYI – the scope names for Globus auth will be changing this afternoon.
This does not affect the legacy support, but will need to be used in your Globus Auth client.
From: Brendan McCollam [mailto:bjmc@globus.org]
Sent: Wednesday, February 10, 2016 12:54 PM
To: auth@globus.org
Subject: Beta deploy this afternoon will remove many user consents
Hello all,
We're going to be re-deploying to the beta environment this afternoon. This deploy will include a number of UX improvements and bugfixes, including more informative (and hopefully helpful) error messages during identity linking operations, changes to the way per-client branding is applied, and the way we present scopes to users for approval.
The most dramatic part of this deploy is that we will be switching from the existing short, local scope names to a new URN format:
| Old | New |
| --- | --- |
| auth:manage_identities | removed |
| auth:view_identities | urn:globus:auth:scope:auth.globus.org:view_identities |
| groups:all | urn:globus:auth:scope:nexus.api.globus.org:groups |
| transfer:all | urn:globus:auth:scope:transfer.api.globus.org:all |
| atmosphere:all | urn:globus:auth:scope:use.jetstream-cloud.org:all |
| publish:all | urn:globus:auth:scope:publish.api.globus.org:all |
The removal of the "auth:manage_identities" scope means that any user consents involving that scope (which includes all Globus webapp consents) will be removed, and users will have to re-approve that consent with the new "urn:globus:auth:scope:auth.globus.org:view_identities" scope.
Please let us know if you run into any issues.
Best,
Brendan
This is probably not going to be done by Monday. I've been getting 401 errors in the exchange-code-for-token requests. Kyle and I have both been working on this; I'm not sure how long this will take to fix (and then there's the new group interface to deal with after that).
Kyle sent a Java program that apparently works for him; it doesn't work for me.
One complication is that my dev host's whitelist entry is wrong (//ermrest/authn/session instead of /ermrest/authn/session), but at this point I don't think that's what's causing this problem (it has necessitated adding config options to override the default URL-building behavior, which we'll probably need for other hosts at some point, since this seems to be a fairly common Globus whitelist error).
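Added example, not part of the thread or of the webauthn code base: a pre-flight check that compares the redirect URI a client would build against the registered whitelist entries and flags the doubled-slash mismatch described in the comment above. It assumes the provider compares redirect URIs as exact strings; the host name, the `override` option and all function names are hypothetical. The second check reflects RFC 6749 section 4.1.3, which requires the token request to repeat the `redirect_uri` sent in the authorization request.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: the host name is a placeholder, and the registered
# entry reproduces the doubled-slash form mentioned in the thread.
REGISTERED = ["https://dev.example.org//ermrest/authn/session"]

def build_redirect_uri(host, path="/ermrest/authn/session", override=None):
    """Default URL building, or a configured override (hypothetical option)."""
    return override or f"https://{host}{path}"

def _collapse(path):
    """Collapse runs of slashes so near-miss paths can be recognised."""
    return re.sub(r"/{2,}", "/", path)

def diagnose(candidate, registered):
    """Classify candidate against the registered list, assuming exact matching."""
    if candidate in registered:
        return ("match", candidate)
    c = urlsplit(candidate)
    for entry in registered:
        r = urlsplit(entry)
        same_origin = (c.scheme, c.netloc) == (r.scheme, r.netloc)
        if same_origin and c.query == r.query and _collapse(c.path) == _collapse(r.path):
            return ("slash-mismatch", entry)
    return ("unregistered", None)

def check_flow(authorize_uri, token_uri, registered):
    """Return a list of problems for one authorization-code flow (empty if none)."""
    problems = []
    status, entry = diagnose(authorize_uri, registered)
    if status == "slash-mismatch":
        problems.append(f"redirect_uri differs from {entry!r} only in repeated slashes")
    elif status == "unregistered":
        problems.append("redirect_uri is not registered")
    if token_uri != authorize_uri:
        problems.append("token request redirect_uri differs from authorization request")
    return problems

if __name__ == "__main__":
    default = build_redirect_uri("dev.example.org")
    print(diagnose(default, REGISTERED))
    fixed = build_redirect_uri("dev.example.org", override=REGISTERED[0])
    print(check_flow(fixed, fixed, REGISTERED))
```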
@ljpearlman Should we close this now that I have witnessed it on synapse-dev w/ globus_auth? Or do you want to keep it open until it is merged to master later?
Let's close it. I created #24 for the merge.