Defining a User

Open darkcrux opened this issue 8 years ago • 6 comments

Currently we're just supporting github and any user with proper github creds can create pipelines for repositories they have admin access to. There's barely a user profile.

When we start supporting other SCMs, a user profile might be useful. There might be a case when a user has repositories in both Github and BitBucket and wants to create pipelines for both.

A redesign of how the users are handled may be needed. Right now, if we support multiple SCMs, the user will have to re-login with OAuth for github/bitbucket/etc to access their repositories. That might not be a good user experience.

darkcrux avatar May 25 '16 09:05 darkcrux

I would imagine similar issues if there was no repo added and all tests were triggered from docker reg webhooks.

Might be worth looking closer at k8s users and the ThirdPartyResource?

hunter avatar May 25 '16 09:05 hunter

An idea of a user profile might look like this:

kontinuous:
  users:
    - {uuid}
        - name: username, taken from sub of jwt or github/bitbucket ID?
          keys:
            github: _encrypted_github_key_
            bitbucket: _encrypted_bitbucket_key_

then an identities map to search for user profiles upon logging in:

kontinuous:
  identities:
    github:
      - {github_id}: {user_uuid}
    bitbucket:
      - {bitbucket_id}: {user_uuid}
    etc:
      - ???

The idea is that a user could have several identities (github, bitbucket, etc). The identities table maps the identity provided by github/bitbucket/auth0/etc to a user profile. This way we can have a user access their github & bitbucket repositories as long as they link them to the profile.

We could have the following login endpoints:

  • /login/github
  • /login/bitbucket
  • etc

For Auth0 and other providers, they can already return a JWT with identities given, so it's just a matter of creating the user profile and identity mapping.

Auth flow will be similar to what we have now with a minor addition:

[github/bitbucket/etc starts here]

  1. user redirects to github/bitbucket then sends auth code to /login/{github,bitbucket}
  2. kontinuous retrieves token from either github/bitbucket
  3. kontinuous creates JWT with github/bitbucket identities added

[auth0, etc starts here]

  1. with a valid JWT, kontinuous searches the identities for matching user profile
  2. if profile is not found: create the user profile and mapping in the identities
  3. update JWT with the user profile (without the keys), just the UUID
  4. return the JWT. A valid JWT should have the user profile UUID

darkcrux avatar May 27 '16 12:05 darkcrux

Nice. I think my only initial comment is that rather than using uuid for user we use the same convention as ABAC with user

hunter avatar May 27 '16 13:05 hunter

related:

for web login via github, bitbucket, etc:

[diagram: user-oauth-jwt.mmd]

for oidc login, eg. auth0:

[diagram: user-oidc-jwt.mmd]

ps. mermaid-cli is sooo cool.

darkcrux avatar Jun 03 '16 13:06 darkcrux

A few things to note about user and authentication:

  1. need a way to add identities to an existing user (eg. a user uses github login, a new user gets created with a github identity and is able to access his github repositories. there should be a way to add bitbucket credentials to the existing user to be able to access bitbucket repositories, etc)
  2. support linking/merging of users? (eg. a user uses github login, a new user is created. the same user uses bitbucket login, a new user is also created. should there be a way to merge these two as a single user? or is it too complicated? should an email address be used to identify existing users?)

darkcrux avatar Jun 03 '16 13:06 darkcrux
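As an added example (not kontinuous code, and not from anyone in this thread), the following Python sketch implements the login flow described above together with note 1 (adding an identity to an existing user): it resolves a provider identity to a profile UUID via the identities map, creates or links the profile, keeps the SCM token server-side, and issues a JWT that carries only the UUID and the list of linked providers. The in-memory `UserStore`, the HS256 secret and the `enc:` placeholder for the "encrypted" key are assumptions made for the example.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-secret"  # constructed value; real code loads it from config

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT carrying the profile UUID and identity list, never the SCM keys."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET) -> dict:
    """Check the signature in constant time and return the claims; raise on tampering."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad JWT signature")
    return json.loads(_b64url_decode(body))

class UserStore:
    """In-memory stand-in (assumed) for the users and identities maps sketched in the thread."""

    def __init__(self):
        self.users = {}       # profile uuid -> {"name": ..., "keys": {provider: token}}
        self.identities = {}  # provider -> {provider_id: profile uuid}

    def login(self, provider, provider_id, name, token, link_to=None):
        """Resolve an SCM identity to a profile (creating or linking one) and return a JWT."""
        user_id = self.identities.setdefault(provider, {}).get(provider_id)
        if user_id is None:
            if link_to in self.users:      # note 1: add a new identity to an existing profile
                user_id = link_to
            else:                          # first login: create the profile and the mapping
                user_id = str(uuid.uuid4())
                self.users[user_id] = {"name": name, "keys": {}}
            self.identities[provider][provider_id] = user_id
        # the SCM token stays server-side (placeholder "encryption") and out of the JWT
        self.users[user_id]["keys"][provider] = "enc:" + token
        linked = sorted(p for p, m in self.identities.items() if user_id in m.values())
        return issue_jwt({"sub": user_id, "identities": linked})
```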

Login auth and user now follow this pattern. It should be easier to add a new login now (bitbucket).

darkcrux avatar Jun 09 '16 04:06 darkcrux