Social auth for Tumbo Console and Applications

[philipsahli]

By now, Tumbo only support username/password authentication into the console. For later usage in a Saas-offer Tumbo should also support Social auth by using https://github.com/omab/python-social-auth.

But more important is Social auth authentication for Tumbo Applications.

• By now only Tumbo users can be authenticated for the apps and the user has a session on the root path (thus is authenticated for all apps running on this Tumbo platform). Users should be able to get a session only for one particular app (PATH). Because the user might set a reverse proxy in front of it, the path should be configurable.

Because auth on app level is not suported by now, on https://httptest.sahli.net/ (see repo https://github.com/sahlinet/httptest uses generated ressource ids awhich are linked to email addresses.

• By now the workers receive the username of the authenticated user in the request information. The identity should be propagated to the worker with a JWT. http://blog.apcelent.com/django-json-web-token-authentication-backend.html is a good starting point for the JWT stuff (how to create token, how to read token).

The architecture and process might look like:

AUTH FRONTEND

The frontend and api (drf) must have been enabled social auth login.

• frontend https://github.com/omab/django-social-auth
• api (drf) https://github.com/PhilipGarnero/django-rest-framework-social-oauth2

AUTH BACKEND (worker)

• ExecutionViewSet class muss add (or create?) a JWT token for request.user and sign with a per worker executor secret
• send request to worker with JWT token (contains username, custom_id for data in datastore
• worker receives JWT token, verifies with secret which it received on startup
• if it is signed by our secret on server -> we got now the identity: userame and custom_id for lookup data in datastore

[philipsahli]

Apps should be able to integrate this feature in their app simple and easy.

• We should create a widget to provide login form for apps (see Create a snipped to provide login/logout links for apps #2).
• Datastore Plugin should provide a method store_for_user and get_for_user (see Datastore Plugin should provide a method store_for_user and get_for_user #3 ).

[philipsahli]

Lot of work done in PR #4

[philipsahli]

Added frontend_host to be able to use with a proxied project. 98b3c61

[philipsahli]

Detailled doc is missing.