Page MenuHomeSoftware Heritage

auth: Add user profile UI for managing account and bearer tokens
ClosedPublic

Authored by anlambert on Oct 21 2020, 2:47 PM.

Details

Summary

Add a new view enabling for a user to manage its account (email, password)
but also its bearer tokens for Web API authentication.

Account management is done by embedding Keycloak account UI in swh-web
through an iframe.

This requires an upgrade of the SWH Keycloak theme and content security policy
needs also to be updated in Keycloak in order to allow such embedding from the
*.softwareheritage.org domains (diff for puppet-swh-site incoming).

User information and permissions are displayed in the view and a link to the Software
Heritage Account Management is offered to edit personal information.

The view is reachable by clicking on the username on the top right part of
the Web UI once authenticated.

Below are some screenshots of the result:

Closes T2718

Depends on D4320

Diff Detail

Repository
rDWAPPS Web applications
Branch
oidc-profile-page
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 16556
Build 25515: Phabricator diff pipeline on jenkinsJenkins console · Jenkins
Build 25514: arc lint + arc unit

Event Timeline

Build is green

Patch application report for D4319 (id=15279)

Rebasing onto d3b1bf3839...

Current branch diff-target is up to date.
Changes applied before test
commit 02c55cc09acc9227173027bf50402692cd7ee35a
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Oct 21 11:47:32 2020 +0200

    auth: Add user profile UI for managing account and bearer tokens
    
    Add a new view enabling for a user to manage its account (email, password)
    but also its bearer tokens for Web API authentication.
    
    Account management is done by embedding Keycloak account UI in swh-web
    through an iframe (content security policy needs to be updated in Keycloak
    in order to allow such embedding from the *.softwareheritage.org domains).
    
    The view is reachable by clicking on the username on the top right part of
    the Web UI once authenticated.
    
    Closes T2718

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/425/ for more details.

This revision is now accepted and ready to land.Oct 21 2020, 4:13 PM
olasd requested changes to this revision.Oct 21 2020, 8:47 PM
olasd added a subscriber: olasd.

Is embedding the keycloak UI via an iframe something that people really do?

As a very security sensitive app (we want to gradually migrate staff access to most services to keycloak), I'd like to keep auth.softwareheritage.org as hardened as possible. Allowing to embed it in an iframe, even restricted to a given set of domains, opens it up to cross-frame scripting vulnerabilities (https://owasp.org/www-community/attacks/Cross_Frame_Scripting) if malicious (or buggy) code is introduced in these domains.

I'd much rather have the swh-webapp profile page:

  • show the profile info imported from keycloak
  • link to the built-in keycloak profile management page
  • allow the user to manage the swh-web specific tokens

even if that means a split user experience, rather than have the keycloak profile management embedded as an iframe.

This revision now requires changes to proceed.Oct 21 2020, 8:47 PM
In D4319#107533, @olasd wrote:

Is embedding the keycloak UI via an iframe something that people really do?

As a very security sensitive app (we want to gradually migrate staff access to most services to keycloak), I'd like to keep auth.softwareheritage.org as hardened as possible. Allowing to embed it in an iframe, even restricted to a given set of domains, opens it up to cross-frame scripting vulnerabilities (https://owasp.org/www-community/attacks/Cross_Frame_Scripting) if malicious (or buggy) code is introduced in these domains.

I'd much rather have the swh-webapp profile page:

  • show the profile info imported from keycloak
  • link to the built-in keycloak profile management page
  • allow the user to manage the swh-web specific tokens

even if that means a split user experience, rather than have the keycloak profile management embedded as an iframe.

Ack. I thought setting the content security policy was sufficient to protect against cross scripting attacks but did not think
about malicious code injection. As most of our frontend code is retrieved from npm, it seems indeed more secure to avoid
the iframe embedding here.

I will do the requested changes tomorrow.

Update:

  • Remove Keycloak Account UI embedding through an iframe
  • Display user information in Account tab
  • Add a link to Keycloak Account management to edit personal information

Build has FAILED

Patch application report for D4319 (id=15328)

Rebasing onto d3b1bf3839...

Current branch diff-target is up to date.
Changes applied before test
commit f6ec8e8e0019246c49797ef1eb2ee9111734b86a
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Oct 21 11:47:32 2020 +0200

    auth: Add user profile UI for managing account and bearer tokens
    
    Add a new view enabling for a user to manage its account (email, password)
    but also its bearer tokens for Web API authentication.
    
    Account details are displayed in the view but edition of personal information
    must be done through the dedicated Keycloak account management UI (link to it
    is available in the view).
    
    The view is reachable by clicking on the username on the top right part of
    the Web UI once authenticated.
    
    Closes T2718

Link to build: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/426/
See console output for more information: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/426/console

Update: Remove useless : character in table headers

Build has FAILED

Patch application report for D4319 (id=15329)

Rebasing onto d3b1bf3839...

Current branch diff-target is up to date.
Changes applied before test
commit 1609142000859ded1bee3d9cfc0d992c1e59f4e5
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Oct 21 11:47:32 2020 +0200

    auth: Add user profile UI for managing account and bearer tokens
    
    Add a new view enabling for a user to manage its account (email, password)
    but also its bearer tokens for Web API authentication.
    
    Account details are displayed in the view but edition of personal information
    must be done through the dedicated Keycloak account management UI (link to it
    is available in the view).
    
    The view is reachable by clicking on the username on the top right part of
    the Web UI once authenticated.
    
    Closes T2718

Link to build: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/427/
See console output for more information: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/427/console

Build has FAILED

Patch application report for D4319 (id=15329)

Rebasing onto d3b1bf3839...

Current branch diff-target is up to date.
Changes applied before test
commit 1609142000859ded1bee3d9cfc0d992c1e59f4e5
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Oct 21 11:47:32 2020 +0200

    auth: Add user profile UI for managing account and bearer tokens
    
    Add a new view enabling for a user to manage its account (email, password)
    but also its bearer tokens for Web API authentication.
    
    Account details are displayed in the view but edition of personal information
    must be done through the dedicated Keycloak account management UI (link to it
    is available in the view).
    
    The view is reachable by clicking on the username on the top right part of
    the Web UI once authenticated.
    
    Closes T2718

Link to build: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/429/
See console output for more information: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/429/console

Build is green

Patch application report for D4319 (id=15356)

Rebasing onto d3b1bf3839...

Current branch diff-target is up to date.
Changes applied before test
commit e59d91ace16f38790cddb408b7fb29d96d3c24da
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Oct 21 11:47:32 2020 +0200

    auth: Add user profile UI for managing account and bearer tokens
    
    Add a new view enabling for a user to manage its account (email, password)
    but also its bearer tokens for Web API authentication.
    
    Account details are displayed in the view but edition of personal information
    must be done through the dedicated Keycloak account management UI (link to it
    is available in the view).
    
    The view is reachable by clicking on the username on the top right part of
    the Web UI once authenticated.
    
    Closes T2718

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/430/ for more details.

This revision is now accepted and ready to land.Oct 23 2020, 10:29 AM