
GUISSO


GUISSO (GUISSO Unveils InSTEDD Single Sign On) is an OpenID and OAuth server for the InSTEDD platform of applications. It is currently in use in Hub, mBuilder, ResourceMap, Verboice and RemindEm, among others.

OpenID

GUISSO acts as an OpenID provider, using a local database of users (powered by devise) or by using Google as OpenID provider. The suggested way to use GUISSO for login in your Rails application is via the GUISSO Rails gem, which relies on devise to handle user login through GUISSO. Refer to the gem's README for more info on the setup.

GUISSO handles applications in the instedd.org domain differently, since no end-user confirmation is required by these applications when using GUISSO for authentication. Furthermore, GUISSO also sets a cookie for the *.instedd.org domains with information on the current user, which is picked up by the GUISSO Rails gem to automatically log in and log out the current user, in order to implement seamless single sign on.

OAuth2

GUISSO also acts as an OAuth2 authoriser. Both client applications and resource providers must be registered in GUISSO as Applications. Applications are globally identified by their hostname and port (the latter is included if and only if it is a non-standard port; so mbuilder.instedd.org and local.instedd.org:3000 are valid, but mbuilder.instedd.org:80 is not), and can be marked by an admin as trusted. Note that in order to act as a resource provider, an application must be trusted.
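The host-and-port identity rule above is easy to get subtly wrong when an application is registered from a URL. The following is an added example (not GUISSO's own code) that derives the identifier an application would be registered under: the port is appended only when it is non-standard for the scheme, so `mbuilder.instedd.org:80` and `mbuilder.instedd.org` collapse to the same identity, while `local.instedd.org:3000` keeps its port. The function name and the `same_application?` helper are assumptions for illustration.

```ruby
require "uri"

# Default ports per scheme; a port equal to this one is omitted from the
# identifier, as the README describes.
STANDARD_PORTS = { "http" => 80, "https" => 443 }.freeze

# Returns the identifier under which the application at `url` would be
# registered in GUISSO (hypothetical helper, not GUISSO's API).
def application_identifier(url)
  uri = URI.parse(url)
  unless STANDARD_PORTS.key?(uri.scheme)
    raise ArgumentError, "scheme must be http or https: #{url}"
  end
  raise ArgumentError, "host is missing: #{url}" if uri.host.nil? || uri.host.empty?

  host = uri.host.downcase
  # URI#port already falls back to the scheme's default when none is given,
  # so an explicit ":80" on http and no port at all compare equal here.
  port = uri.port
  port == STANDARD_PORTS[uri.scheme] ? host : "#{host}:#{port}"
end

# Two URLs belong to the same registered Application iff their identifiers
# match; note that scheme and path play no part in the identity.
def same_application?(url_a, url_b)
  application_identifier(url_a) == application_identifier(url_b)
end
```

Because scheme is not part of the identity, an application served on both `http://host` and `https://host` is one registration, whereas a second instance on a different port is a separate one, which is why the Development section below recommends a unique hostname alias per developer.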

Ruby client

OAuth2 client applications are recommended to use the GUISSO Ruby client gem for making requests to resource providers using GUISSO as authorisation provider. Refer to the GuissoRestClient class for more information.

A config/guisso.yml file is required with the URL to GUISSO and the client ID and secret; this file can be generated directly from the application's configuration in GUISSO.

Rails server

The GUISSO Rails gem provides an authorize_api_user! controller filter that can be set in API controllers to automatically handle token-authorized requests, validate them against GUISSO, and set the current_user variable accordingly.

Grant types

OAuth2 specifies multiple grant types. Currently only authorisation code and client credentials are implemented in GUISSO, while resource owner password credentials and implicit are not yet implemented.

Client credentials

Client credentials provides a way for trusted clients to access resources in resource providers via GUISSO. This is the recommended way for sharing data between InSTEDD applications.

Note that in order to make use of client credentials, the client application must be registered as trusted in GUISSO. GuissoRestClient will automatically manage the token requests if the trusted option is specified. These tokens expire a few minutes after issued, but are automatically renewed by the client.
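The renew-before-expiry behaviour described for GuissoRestClient is worth seeing in isolation, because the failure mode is a request sent with a token that expired in flight. This added example is not GuissoRestClient's code: `fetch` is an injected callable standing in for the real token request to GUISSO and returns a constructed `[token, lifetime_in_seconds]` pair; the `LEEWAY` value and the injectable clock are assumptions made so the logic can be exercised deterministically.

```ruby
# Holds a short-lived client-credentials token and renews it shortly before
# it expires, so callers never hand out a token that is about to lapse.
class RenewingToken
  LEEWAY = 30 # seconds before expiry at which a fresh token is requested (assumed)

  # fetch: callable returning [token_string, ttl_seconds] (stands in for GUISSO)
  # clock: callable returning the current Unix time (injectable for tests)
  def initialize(fetch, clock: -> { Time.now.to_i })
    @fetch = fetch
    @clock = clock
    @token = nil
    @expires_at = 0
    @fetches = 0
  end

  attr_reader :fetches

  # Returns a token that is valid for at least LEEWAY more seconds.
  def current
    renew! if @token.nil? || @clock.call >= @expires_at - LEEWAY
    @token
  end

  private

  def renew!
    token, ttl = @fetch.call
    raise "token request returned no token" if token.nil? || token.empty?
    @token = token
    @expires_at = @clock.call + ttl.to_i
    @fetches += 1
  end
end
```

If the token request fails, `renew!` raises and the previous token is kept untouched, so a transient error surfaces to the caller rather than silently sending a stale credential.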

The client application issues a request to the oauth2/authorize endpoint using its client ID and secret (stored in config/guisso.yml as generated by GUISSO) and requesting access to an application (identified by its host) for a specific user (identified by email). GUISSO returns a MAC authorisation token that can be used for all requests to the API of the resource provider.

The resource provider will validate the authenticity of the token against the oauth2/trusted_token endpoint, and obtain the user information to impersonate in return.

Authorisation Code

Authorisation code is the standard authorisation method for OAuth2. In this scenario, the user must explicitly approve the client application for accessing his/her information in the resource provider via a browser-based interaction. After the approval, the token is issued, and the token verification flow proceeds as usual.

Note that the authorization code expires after 15 minutes of being issued, and the refresh token flow is still not implemented in GUISSO or its clients.

Token types

GUISSO supports two kinds of tokens. Bearer tokens are plain tokens that can be used by any client to perform a request on behalf of a user, can be included as a header or as part of the query string, and can be individually revoked. These tokens can be generated by a resource provider by issuing a request to GUISSO and then passed on to the clients.

MAC tokens are more secure tokens which contain a token and a secret, and all requests to the resource provider include both the token and a signature using the secret. These tokens require a more complex client (GuissoRestClient easily supports them), but are far more secure than bearer tokens.
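To make the bearer-versus-MAC difference concrete, here is an added example that is neither GUISSO's nor GuissoRestClient's code. The README does not describe the exact string GuissoRestClient signs, so the normalized request string below (timestamp, nonce, method, path, host, port) is an assumption modelled on the OAuth 2.0 MAC token draft; the header layout, `MAX_SKEW` and the in-memory nonce store are likewise assumptions. The point it shows is that a captured bearer header replays indefinitely, while a captured MAC header is bound to one request and is rejected on replay, on a different path, and when stale.

```ruby
require "openssl"
require "securerandom"

# Client side of a MAC token: token id plus secret, signature per request.
module MacToken
  # Normalized request string (assumed format, modelled on the MAC draft).
  def self.normalized_request(ts, nonce, method, path, host, port)
    [ts, nonce, method.upcase, path, host.downcase, port, ""].join("\n")
  end

  def self.signature(secret, normalized)
    OpenSSL::HMAC.hexdigest("SHA256", secret, normalized)
  end

  # Builds the Authorization header value for one request.
  def self.sign_request(token_id:, secret:, method:, path:, host:, port:,
                        ts: Time.now.to_i, nonce: SecureRandom.hex(8))
    mac = signature(secret, normalized_request(ts, nonce, method, path, host, port))
    %(MAC id="#{token_id}", ts="#{ts}", nonce="#{nonce}", mac="#{mac}")
  end
end

# Resource-provider side: recompute the signature with the secret known for
# the token id, reject stale timestamps, and refuse a nonce seen before.
class MacVerifier
  MAX_SKEW = 300 # seconds of clock skew tolerated (assumed value)

  def initialize(secrets)
    @secrets = secrets # token_id => secret, as obtained from GUISSO
    @seen = {}         # "id:ts:nonce" => true, the replay guard
  end

  def verify(header, method:, path:, host:, port:, now: Time.now.to_i)
    attrs = header.sub(/\AMAC\s+/, "").scan(/(\w+)="([^"]*)"/).to_h
    secret = @secrets[attrs["id"]]
    return false if secret.nil?
    ts = attrs["ts"].to_i
    return false if (now - ts).abs > MAX_SKEW           # stale or future-dated
    replay_key = "#{attrs['id']}:#{ts}:#{attrs['nonce']}"
    return false if @seen.key?(replay_key)               # already accepted once
    expected = MacToken.signature(
      secret, MacToken.normalized_request(ts, attrs["nonce"], method, path, host, port)
    )
    return false unless secure_compare(expected, attrs["mac"].to_s)
    @seen[replay_key] = true
    true
  end

  private

  # Constant-time comparison so timing does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Bearer token, for contrast: possession of the string is the whole proof,
# so a captured header keeps working until the token is revoked.
class BearerVerifier
  def initialize(valid_tokens)
    @valid = valid_tokens
  end

  def verify(header)
    token = header[/\ABearer\s+(\S+)\z/, 1]
    !token.nil? && @valid.include?(token)
  end
end
```

In a real deployment the nonce store must be shared across resource-provider instances (and pruned after `MAX_SKEW` seconds), otherwise a replay against a different instance is not caught.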

Basic auth validation

GUISSO also provides an endpoint for validating a user's email and password. This is used by the GUISSO Rails gem when a request relies on basic auth for authentication, since the user's credentials are not stored locally by the resource provider but are present in GUISSO. This authentication method is strongly discouraged, and bearer tokens should be used if there is a need for a simple auth mechanism.

Development

For local development of InSTEDD GUISSO-powered applications, either the GUISSO staging server can be used, or a local instance. Note that since host and port are required to be unique, it is recommended to set a unique alias for localhost in /etc/hosts when registering them in staging, such as:

127.0.0.1	jdoe.mbuilder.instedd.org
127.0.0.1	jdoe.hub.instedd.org

This practice is also recommended when running GUISSO locally.

Docker development

The docker-compose.yml file builds a development environment, mounting the current folder and running Rails in the development environment.

Run the following commands to have a stable development environment.

$ docker-compose run --rm --no-deps web bundle install
$ docker-compose run --rm web bash
root@web_1 $ rake db:setup db:seed
$ docker-compose up

Intercom

GUISSO supports Intercom as its CRM platform. To load the Intercom chat widget, simply start GUISSO with the env variable INTERCOM_APP_ID set to your Intercom app id (https://www.intercom.com/help/faqs-and-troubleshooting/getting-set-up/where-can-i-find-my-workspace-id-app-id). GUISSO will forward any conversation with a logged-in user, identifying them through their email address. Anonymous (not logged-in) users will also be able to communicate. If you don't want to use Intercom, you can simply omit INTERCOM_APP_ID or set it to ''. To test the feature in development, add the INTERCOM_APP_ID variable and its value to the environment object inside the web service in docker-compose.yml.

Contributing

  1. Fork it ( https://github.com/[my-github-username]/guisso/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request


guisso's Issues

After trying to log into Instedd Apps in STG, an internal server error is thrown

It happens using the user email: '[email protected]'

I could log into Instedd Apps using other accounts.

Log:
I, [2014-12-10T23:28:19.569737 #2049] INFO -- : Started POST "/users/sign_in" for 190.245.238.116 at 2014-12-10 23:28:19 +0000
I, [2014-12-10T23:28:19.571921 #2049] INFO -- : Processing by SessionsController#create as HTML
I, [2014-12-10T23:28:19.572096 #2049] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"OjSW3j4TS+1L9btmw4EsjA6SttJlS69Gk1OIK3UqW/M=", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Log in"}
I, [2014-12-10T23:28:19.758879 #2049] INFO -- : Completed 500 Internal Server Error in 186ms
F, [2014-12-10T23:28:19.774715 #2049] FATAL -- :
NoMethodError (undefined method `decorate' for #<ExtraPassword::Strategy:0xb8da2c4>):
app/models/extra_password.rb:23:in `validate'
app/models/extra_password.rb:7:in `authenticate!'

Yahoo email is removing links from "confirmation email"

Let's add the URL in plaintext as an alternative, like this:

Welcome [email address]!

You can confirm your account email through the link below:
Confirm my account

or copy/paste the following URL in your browser:
http://login.instedd.org/users/confirmation?confirmation_token=jy67TrG_BJVwCard-4y4


When pressing the Login button twice an error is thrown

Found in version:

  • 1.6.0 (build 140)

Steps to reproduce:

  1. Navigate to the login form.
  2. Enter email and password.
  3. Press the login button twice.

Obtained:

  • Failed to load resource: the server responded with a status of 422 (Unprocessable Entity)

New accounts are auto-confirmed.

Found in version: 1.1-pre1

Reproduce steps:

  1. Navigate to the welcome page of an Instedd tool (resmap-stg, remindem-stg, etc.)
  2. Press 'Create account'
  3. The app redirects to http://login-stg.instedd.org/users/sign_up
  4. There fill the fields
  5. Press 'Sign up'

Obtained:
Guisso redirects to the home page of the Instedd tool and the user is already logged in.
The user doesn't receive a confirmation email.

Expected:
Users should receive a confirmation email.
They have to confirm the account before accessing the Instedd tools.

No mode value in message # after logging in

After logging in using Google OpenID with a newly confirmed account, guisso displays a text only page with the content No mode value in message #. User is logged in after the operation, though.

Redirect doesn't work when using "sign up with Google"

To reproduce:

  1. Try to use OAuth to authorize an app to use Nuntium.
  2. Choose to sign in with Google.

Expected: Guisso authenticates you and redirects you according to the redirect_uri param.
Actual: It logs you into Guisso and shows Guisso's authorizations page.

Add CAPTCHA to sign up by email

The Sign up via email feature allows malicious users to abuse the form in order to spam users with registration emails.

This impacts negatively on the senders' reputation (due to bounces generated by non-existing receiver addresses, or due to their complaints), risking our emails being marked as spam by filters, or the account being penalized by our email provider.

To prevent automated sign ups, we should implement a CAPTCHA in the sign up form.

We should also check if the Forgot password feature can be abused this way - and fix it if needed.

Text for the home

H1 -> "Access all InSTEDD Platform apps using the same account"
H2 -> "InSTEDD apps integrate better if you use the same account for all of them"
