Add REST API auth flow for the new UI#15042
Conversation
6b32c58 to
e83eb4a
Compare
e83eb4a to
53420b9
Compare
|
The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*. |
|
The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*. |
cde0a06 to
243bf0f
Compare
|
The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*. |
|
The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*. |
243bf0f to
a3edb77
Compare
|
The Workflow run is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks,^Build docs$,^Spell check docs$,^Provider packages,^Checks: Helm tests$,^Test OpenAPI*. |
a3edb77 to
2abef65
Compare
|
The Workflow run is cancelling this PR. Building images for the PR has failed. Follow the workflow link to check the reason. |
4721410 to
dde8280
Compare
4de9415 to
60988fb
Compare
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions. |
| AUTH_OID: "auth_oid", | ||
| AUTH_OAUTH: "auth_oauth", | ||
| AUTH_REMOTE_USER: "auth_remote_user", | ||
| } |
There was a problem hiding this comment.
I think type_mapping can be a constant & be out of this function.
| schema: | ||
| $ref: '#/components/schemas/JwtAuthAndUser' | ||
| '401': | ||
| $ref: '#/components/responses/Unauthenticated' |
There was a problem hiding this comment.
Don't we need more status codes like 50X which happens when the auth configs are wrongly setup & callback fails?
| data = token_schema.load(body) | ||
| except ValidationError as err: | ||
| raise BadRequest(detail=str(err.messages)) | ||
| token = decode_token(data['token']) |
There was a problem hiding this comment.
Couldn't understand the logic here or maybe I misinterpreted it. How is a user going to provide the token of another user?
|
Thanks for the reviews, @msumit, I will revisit this and may have to open a new PR and address a lot of things |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions. |
This PR is to provide authentication to the new UI. The implementation uses the existing Flask Appbuilder authentication method configurations.
First, the react app checks the configuration on the server by sending a GET request to
api/v1/auth-info. This endpoint returns information about the configured auth method. With the information, the react app can then present a login form to the user if necessary.Below I explain the flow for OAuth
OAuth
This authentication uses two endpoints, one is used to get the authorization URL while the other is used for verification and sign-in. The react app makes a GET request to
api/v1/auth-oauth/{provider}with the provider name and redirect url e.gapi/v1/auth-oauth/google?redirect_url=http:localhost:5000, the endpoint responds with authorization URL which the react app will redirect users to.When the user is authenticated by the provider, the provider will redirect user to the redirect_url provided by the react app. The react app should handle the redirection, and make a GET request to server at
api/v1/oauth-authorized/{provider}with the state returned from the provider. If everything is OK, user is logged in and user data is returned.The one advantage we can get using the refresh token is to get ride of auth_backend.
OpenID is not currently implemented.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.