[WIP] JWT Auth integration #460
Conversation
- configuration for JWT, with key masking js.
- all publications urls would get the jwt as query param
- studio and editor would get the JWT with a form submission.
- OpencastAPI class now contains all required methods for attaching JWT to the url and so on.
In meeting: Community-Opencast is configured with JWT. Ansible scripts for configuring the Opencast installation are available. ReviewApp: http://oc-pr-460.opencast.k8s.sr.solutions/
In meeting: Mainly to be tested are thumbnail display, video playback, captions, segment thumbnails and the sanity test. Testing this PR has priority over testing the version 10 release (by @dagraf).
FYI: The iframe integration is available. A few important notes:
All tests were successful (with JWT enabled and disabled). Therefore and @chfsx: Can you please review this PR and merge it if everything is fine, or comment here if you see any issues? Thank you! As soon as this PR passes the review state and it is ready for merging, @ferishili will write documentation for "How to configure Opencast for JWT".
chfsx
left a comment
@ferishili many thanks for the implementation! The PR is quite huge, I have not yet finished the whole review... but I'm sending you my first findings so you can already begin to tackle them, ok?
```php
$tpl->setVariable("JS_CONFIG", json_encode($this->buildJSConfig($event)));
}

if (empty($tpl)) {
```
due to the if/else, $tpl cannot be empty right?
Do you mean, we should get rid of if(empty($tpl)) block?
```php
 */
public function refreshJwtAsync(): void
{
    $event_id = $this->http->request()->getQueryParams()[xoctEventGUI::IDENTIFIER] ?? null;
```
I think there should be a check of permissions: is the current user allowed to get a new token? FMPOV someone could create tokens for every event if they want to
I took care of it and added the code to check the read permission. However, based on my permission tests, unauthorized access will be denied long before reaching this method by the top-level classes.
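An added example, not code from this PR or from the plugin, that illustrates the two points discussed above: the PR description's approach of attaching a JWT to a publication URL as a query parameter, and the review's point that a token refresh endpoint must verify the caller's read permission on the event before minting a token, so that nobody can request tokens for arbitrary event ids. The `EventPermissions` interface, the `jwt` parameter name, the 300-second lifetime and the secret are assumptions.

```php
<?php
// Added example (not the plugin's own code). Mints a short-lived HS256 JWT for one
// event and attaches it to a publication URL as a query parameter; the refresh
// helper refuses to mint a token unless the caller may read that event.
declare(strict_types=1);

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Compact HS256 JWT with an expiry, so a token that leaks via a URL ages out quickly.
function mintEventJwt(string $event_id, string $secret, int $ttl_seconds = 300): string
{
    $header = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $now = time();
    $payload = base64UrlEncode(json_encode([
        'sub' => $event_id,
        'iat' => $now,
        'exp' => $now + $ttl_seconds,
    ]));
    $signature = base64UrlEncode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$signature";
}

// Append the token as a query parameter, keeping an existing query string and fragment intact.
function attachJwtToUrl(string $url, string $jwt): string
{
    $fragment = '';
    $pos = strpos($url, '#');
    if ($pos !== false) {
        $fragment = substr($url, $pos);
        $url = substr($url, 0, $pos);
    }
    $separator = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $separator . http_build_query(['jwt' => $jwt]) . $fragment;
}

// Assumed permission abstraction: the real plugin has its own access checks.
interface EventPermissions
{
    public function canRead(string $event_id): bool;
}

// Refresh endpoint logic: no event id or no read permission means no token.
function refreshJwtForEvent(?string $event_id, EventPermissions $perms, string $secret): ?string
{
    if ($event_id === null || $event_id === '' || !$perms->canRead($event_id)) {
        return null; // caller should answer with 403 / an empty response
    }
    return mintEventJwt($event_id, $secret);
}

// Constructed sample usage.
$perms = new class implements EventPermissions {
    public function canRead(string $event_id): bool
    {
        return $event_id === 'event-allowed';
    }
};
$secret = 'replace-with-configured-secret'; // placeholder, not a real secret

var_dump(refreshJwtForEvent('event-denied', $perms, $secret));
$jwt = refreshJwtForEvent('event-allowed', $perms, $secret);
echo attachJwtToUrl('https://oc.example/play/123?autoplay=1#t=10', $jwt), PHP_EOL;
```

Run with `php example.php`: the denied event yields `NULL`, and the allowed event yields the player URL with `&jwt=...` inserted before the `#t=10` fragment. The permission check sits in front of the minting step on purpose, which is the ordering the review comment asks for.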
```php
header('Location: ' . $event->publications()->getPlayerLink());
$this->closeResponse();
}
```
we need a $jwt_iframe_capable = false; here for the catch case. OR (or maybe AND) in line 85 should be a $this->closeConnection();
I am not sure if I understood you correctly!
but:
- The `header('Location: ' . $event->publications()->getPlayerLink());` would take care of it, since it redirects, so the process is exited at this point!
- I am not able to find any `closeConnection` from `trait OutputResponse`! Maybe a typo?
Just as a small note: there will be an additional JWT authentication mechanism for Annotation, similar to the one used by Studio and the Editor, which I plan to add later.
as it is minimum supported php version
@chfsx The changes regarding annotation-tool JWT compatibility are there, please continue with your review!
Thanks a lot @ferishili for your work! This is now ready to merge FMPOV, let's discuss this in the meeting this afternoon
In meeting: We decided to merge it in the upcoming release.
This PR fixes #459.
NOTE: It is still work in progress!
In order to test this PR, JWT Auth should also be activated in your Opencast: https://docs.opencast.org/r/18.x/admin/#configuration/security.jwt/#spring-security-configuration
For our Opencast community instance: It is deactivated, since there are active tests in other ReviewApps, so in order to test this we have to inform others, since activating JWT in Opencast would result in a 403 error for others!