
make sure OAuth2 implementation is polished and configurable

Open keiranmraine opened this issue 10 years ago • 15 comments

keiranmraine avatar Jan 20 '14 13:01 keiranmraine

Do you think you could sketch out the broad outline of the requests that would be made to authenticate with LDAP?

Based on my initial, very cursory, reading about LDAP, it seems that JBrowse could either

a.) define some kind of standard REST authentication protocol that people could implement with some server side code, where the server side would be doing the actual LDAP and the client side would just be communicating with that via REST, or

b.) look into implementing LDAP authentication directly with WebSockets. This would be nicer.

Keiran, do you have time to look into the feasibility of option B?

rbuels avatar Jan 20 '14 14:01 rbuels

Well, never mind. There's not any way around the HTTP server needing to check authorization for each request JBrowse makes. So the server side would need to be doing LDAP no matter what.

It's just a question of what server software will be doing LDAP, and how it will interact with JBrowse.

So .... yeah. This is really more about how the server side will interact with JBrowse, and also how it will interact with the LDAP server. There are existing things for this, like apache modules that go from HTTP Basic/Digest to LDAP (http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html).

Any server-side code that JBrowse added would need to think about this, but there is not currently any server-side code.

rbuels avatar Jan 20 '14 14:01 rbuels

Hi Robert,

I was thinking more along the lines of providing LDAP support only for those who already have LDAP setup on their site, not actually providing any of the server side implementation.

keiranmraine avatar Jan 20 '14 14:01 keiranmraine

e.g.:

Server: ldap-ro.internal.sanger.ac.uk Available unencrypted (port XXX) or encrypted (port XXX), although encrypted channels will need the Sanger CA certificate installed, or the client needs to be told to ignore certificate errors.

The usual 'Base DN' is: dc=sanger,dc=ac,dc=uk
User accounts are under: ou=people,dc=sanger,dc=ac,dc=uk
Groups are under: ou=group,dc=sanger,dc=ac,dc=uk

Assuming SSL is available plain text passwords can be protected: http://www.tldp.org/HOWTO/LDAP-HOWTO/authentication.html

keiranmraine avatar Jan 20 '14 14:01 keiranmraine
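As an added example (not configuration from the JBrowse project or from Sanger), this is roughly what the mod_authnz_ldap route rbuels points to looks like when wired to the directory layout described above: Apache checks HTTP Basic credentials against LDAP on every request for the JBrowse data directory, so no JBrowse server-side code is involved. The LDAP host, Base DN and the ou=people / ou=group branches are taken from the comment above; the hostname jbrowse.example.org, the certificate paths, the data directory and the group cn=jbrowse-users are placeholders. It also shows the right answer to the "install the CA certificate or ignore certificate errors" choice: install the CA and leave verification on.

```apache
# Added example, not from JBrowse or Sanger. Apache httpd 2.4 syntax; assumes
# mod_ssl, mod_ldap, mod_authnz_ldap and mod_auth_basic are loaded.
# Apache does not allow trailing comments, so every comment is on its own line.

# The directory's CA certificate, so ldaps:// connections can be verified.
# This is the fix for "the client needs the Sanger CA certificate installed".
# The alternative, LDAPVerifyServerCert Off, would let anyone who can
# impersonate the LDAP host collect every password Apache binds with.
# Path is a placeholder.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/sanger-ca.pem
LDAPVerifyServerCert On

<VirtualHost *:443>
    # Placeholder hostname and certificate paths.
    ServerName jbrowse.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/jbrowse.pem
    SSLCertificateKeyFile /etc/ssl/private/jbrowse.key
    DocumentRoot /var/www/jbrowse

    # Only the data JBrowse fetches needs protecting; the static app can stay open.
    <Directory "/var/www/jbrowse/data">
        # Basic sends the password on every request, so refuse it without TLS.
        SSLRequireSSL
        AuthType Basic
        AuthName "JBrowse"
        AuthBasicProvider ldap
        # ldaps:// (port 636), so the bind carrying the user's password is
        # encrypted. Look the login name up as uid under ou=people; the
        # trailing filter is LDAP search syntax.
        AuthLDAPURL "ldaps://ldap-ro.internal.sanger.ac.uk/ou=people,dc=sanger,dc=ac,dc=uk?uid?sub?(objectClass=*)"
        # Authorization: Unix-style groups list members by uid in memberUid,
        # not by DN, so tell the module how to read the group entry.
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        # Placeholder group name.
        Require ldap-group cn=jbrowse-users,ou=group,dc=sanger,dc=ac,dc=uk
    </Directory>
</VirtualHost>
```

If the directory does not allow anonymous searches, add AuthLDAPBindDN and AuthLDAPBindPassword for a low-privilege search account; the user's own password is still checked by binding as the user, never by reading it from the directory.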

If I understand LDAP correctly, in that scenario, the way to go would probably be writing server-side code that provides HTTP Basic, HTTP Digest, or OAuth2 authentication and uses LDAP to keep all the credentials and permissions.

Does that sound reasonable?

rbuels avatar Jan 20 '14 21:01 rbuels

Perhaps I just don't understand the problem correctly. There seem to be modules available which don't require any server side code other than an ldap server.

https://github.com/trentm/node-ldapauth

Is there a problem using external libraries? The licence looks fine.


keiranmraine avatar Jan 20 '14 21:01 keiranmraine

That's for node.js, which runs on the server side. You would use that if you were to write your backend in JavaScript.

If you're doing access control, the client is not really under your control, so it has to be the server code that decides who the client is ("authentication"), and whether the client has access to something or not ("authorization").

All the client really can do is provide a UI for gathering the credentials (e.g. username/password), and then decorate each request with either the credentials themselves (as in HTTP Basic), or a digest of them (as in HTTP Digest), or a token that the server has issued to use in lieu of them, as in OAuth2. And this is what the JBrowse auth system does, and really all it could ever do. Everything would just have to be variations on that: a UI for gathering credentials, some logic for asking the server if they are valid (purely for advising the user; LDAP could maybe be used for this), and then providing the credentials (or auth tokens or whatever) with every request.

So, since JBrowse already implements logic for doing OAuth2 or HTTP Basic or HTTP Digest, might as well implement that as the server's interface to JBrowse.

rbuels avatar Jan 20 '14 22:01 rbuels

I knew I was missing something. Just asked one of our site wide web-developers about the options above:

I'm 99% of the way through an OAuth2 implementation
 - I've tested in both the web server and client flow implementations.....

So looks like we should be able to test OAuth2.

keiranmraine avatar Jan 20 '14 22:01 keiranmraine

Alright, changing this ticket to focus on making sure the JBrowse OAuth2 implementation is polished up and configurable.

rbuels avatar Jan 21 '14 02:01 rbuels

Hi,

I just wanted to ping this issue.

I'm interested in a potential GSOC project involving JBrowse - implementation of a nice and elegant chat feature (with potentially further social features). Basic authentication is on the cards regarding the implementation of this.

I just wanted to ask how much support JBrowse currently provides for oAuth. Is there already an authentication system in place?

Thanks.

mhammoud avatar Mar 16 '16 21:03 mhammoud

Nothing is there at this point, but by the time the GSoC development starts, we should have something in place.

enuggetry avatar Mar 16 '16 23:03 enuggetry

Sounds good! Would it be OK to write the proposal in mind with the assumption that OAuth will be in place by the time development starts with GSoC? (I know it's a pretty trivial question - but I want to make sure I communicate my proposal clearly :))

Thanks for the reply.

mhammoud avatar Mar 17 '16 00:03 mhammoud

Yes, that would be fine.

enuggetry avatar Mar 17 '16 12:03 enuggetry

Looking at this issue again, it's pretty non-specific and needs some rewriting into specific things that need to be done.

Are you guys still interested in OAuth 2 support from JBrowse?

rbuels avatar Aug 31 '18 17:08 rbuels

I guess the real question is what are the options and what different levels of control they can provide. http_basic + ldap is currently working for us as we have to link to unix user groups.

keiranmraine avatar Sep 03 '18 08:09 keiranmraine