Consider Login-requirement / authentication to protect TraderX Demo Environment #131
Comments
|
Recommend: Non-default option while doing development, but when deployed as an environment, ingress controller should enforce access control. (any major social+github SSO should be accepted) and logging usage. Concerns: This stops being 'quick and easy' with a 'paywall-style' login. |
|
I think that Github SSO would be the best option, in terms of accessibility from FINOS members and community at large. I share the concern around the paywall-style limitation, though we could only limit input submission (ie I suppose that this change would only affect the frontend (specifically angular) component, which is where I lack of expertise; would be great to find someone with Angular experience who could contribute this feature. |
maoo
added
enhancement
I have Angular experience so I would be happy to take a look at this issue. Github SSO should be fairly easy to implement in Angular. |
|
Thanks for volunteering @leandroyabut ! I've assigned the issue to you; happy to test and review, when the PR is avaiable. |
|
No problem, @maoo ! However, I do need some assistance with setting up our GitHub authentication flow. We need to set up OAuth2.0 using an initial GitHub account. I assume we should use this project's primary GitHub account to set it up. https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app Afterwards, we need to securely store the client ID and the client secret. I'm wondering if this part needs to be its own issue. What do you think? |
|
Hi @leandroyabut ! I created the Oauth App as follows, let me know if you want me to change the callback URL. 
Then I've set In the meantime, I could send them to you via (FINOS) Slack; ping me on help@finos.org and I'll invite you. Thank you! |
|
Hi everyone, as far as the flow, will we just redirect unauthenticated users to a login page (e.g. |
|
@leandroyabut - I'd say so. @DovOps wdyt? |
|
@maoo Can you make another application with the callback URL and homepage URL as our localhost addresses. http://localhost:18093 |
Here it comes! 😄 
Sending now id and secret via Slack. Let me know if something is missing. TY! |
|
After some testing with this, it seems that Github doesn't allow us to make a POST Request to their access_token endpoint due to CORS. The solution is to create some sort of endpoint on our back end to make this request for us that our front-end can use to both send the auth code received from Github and then receive the access token from that same endpoint as a response. Attempted flow:
Proposed flow:
We need someone to implement this endpoint in a separate auth microservice. What do you guys think? |
|
Hi @leandroyabut - we already stumbled into CORS issues, which led us to add an |
|
Did this issue already get completed? |
Feature Request
Description of Problem:
Do we want the traderx demo to be 100% open? This may cause bad actors to exploit the unauthenticated tool to inject offensive content, or other things, rather than just demonstrate the functionality.
Potential Considerations:
Does this create a barrier to exploration, or would people be hesitant?
Is this difficult to implement?
Do we want to do this?
The text was updated successfully, but these errors were encountered: