Add support for EOSC IdPs out of the box #348
Conversation
- Based on the original check made in the ShibToken. - https://github.com/GOCDB/gocdb/blob/5.8.1/lib/Authentication/AuthTokens/ShibAuthToken.php#L174 - it was removed from the ShibToken: - to allow the case where shib authentication fails but another mechanism (X.509, OIDC) succeeds. As such, the check shouldn't be added back to the ShibToken. - because we thought we'd be at the point where we could enforce authentication in apache and not need to in GOCDB. We aren't at that point yet - and we may not want to go there, prefering to enforce authentication in both apache and GOCDB for safety.
- Use "voPersonID" to consume the user's identifier
- The ePUID has been deprecated following the (AAI teams?)
adoption of the AARC-G026 guidelines.
|
Note to Future Greg: some of the 62 codeclimate issues are low hanging fruit and should be fixed before marking as ready for review. |
|
This entitlement used in this will also need to be changed to the new one provided by EOSC AAI. |
- This is needed to determine a default ID string for a user
- MyConfig1.php should be the source of what AuthTokens/Types are valid.
This is now done. |
|
Adding a new IdP feels more cumbersome now we have identity linking (maybe it's always been somewhat cumbersome). The new IdP has to be added in three place.
I think point 2 can be addressed with some refactoring of the AuthTokens, such that one AuthToken class corresponds to one IdP. Though this is probably best attempted once we have dropped shibboleth support and only support OIDC. One AuthToken can then correspond to one authentication realm and the I think point 3 could be solved in a similar way, by referencing I'll copy this into a separate issue. More relevant to this PR, I have removed the |
|
|
Superseded by #430 |
Use "voPersonID" to consume the user's identifier, rather than ePUID - as that has been deprecated following the (AAI teams?) adoption of the AARC-G026 guidelines.
Depends on #346