[auth] make sure only the download token is shown when login via AAI …

…as FEGA user
neicnordic · Feb 18, 2025 · 4c0e06c · 4c0e06c
1 parent 2463c4f
commit 4c0e06c
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 7 deletions.
diff --git a/.github/integration/sda-s3-integration.yml b/.github/integration/sda-s3-integration.yml
@@ -282,6 +282,9 @@ services:
       - AUTH_RESIGNJWT=true
       - AUTH_CEGA_ID=test
       - AUTH_CEGA_SECRET=test
+      - OIDC_REDIRECTURL=http://localhost:8888/oidc/login
+      - OIDC_ID=XC56EL11zz
+      - OIDC_SECRET=wHPVQaYXmdDHa
       - DB_PASSWORD=auth
       - DB_USER=auth
     extra_hosts:

diff --git a/.github/integration/sda/aai-mock/clients/aai-auth.yaml b/.github/integration/sda/aai-mock/clients/aai-auth.yaml
@@ -1,4 +1,4 @@
-client-name: "auth"
+client-name: "aai-auth"
 client-id: "XC56EL11xx"
 client-secret: "wHPVQaYXmdDHg"
 redirect-uris: ["http://localhost:8801/oidc/login"]

diff --git a/.github/integration/sda/aai-mock/clients/cega-auth.yaml b/.github/integration/sda/aai-mock/clients/cega-auth.yaml
@@ -0,0 +1,8 @@
+client-name: "cega-auth"
+client-id: "XC56EL11zz"
+client-secret: "wHPVQaYXmdDHa"
+redirect-uris: ["http://localhost:8888/oidc/login"]
+token-endpoint-auth-method: "client_secret_basic"
+scope: ["openid", "profile", "email", "ga4gh_passport_v1", "eduperson_entitlement"]
+grant-types: ["authorization_code"]
+post-logout-redirect-uris: ["http://localhost:8888/oidc/login"]
diff --git a/sda/cmd/auth/frontend/templates/oidc.html b/sda/cmd/auth/frontend/templates/oidc.html
@@ -30,13 +30,15 @@
             <p class="lead text-center">
               Welcome, {{.Fullname}}!
             </p>
-            {{if .ResignedToken}}
-            <p class="text-center">
-              For <strong>uploading</strong> to the Inbox, your access token {{if .ExpDateResigned}}(expires at {{.ExpDateResigned}} UTC){{end}} is:
-            </p>
-            <pre class="border border-secondary rounded py-2 px-3 my-4" id="logintext">{{.ResignedToken}}</pre>
+            {{if (not .cegaID)}}
+              {{if .ResignedToken}}
+              <p class="text-center">
+                For <strong>uploading</strong> to the Inbox, your access token {{if .ExpDateResigned}}(expires at {{.ExpDateResigned}} UTC){{end}} is:
+              </p>
+              <pre class="border border-secondary rounded py-2 px-3 my-4" id="logintext">{{.ResignedToken}}</pre>
+              {{end}}
+              <a href="/oidc/s3conf-inbox" class="btn btn-primary btn-block mb-5">Download credentials to upload to the Inbox</a>
             {{end}}
-            <a href="/oidc/s3conf-inbox" class="btn btn-primary btn-block mb-5">Download credentials to upload to the Inbox</a>
             {{if .RawToken}}
             <p class="text-center">
               For <strong>downloading</strong> from the Archive, your access token {{if .ExpDateRaw}}(expires at {{.ExpDateRaw}} UTC){{end}} is:

diff --git a/sda/cmd/auth/main.go b/sda/cmd/auth/main.go
@@ -308,6 +308,7 @@ func (auth AuthHandler) getOIDCLogin(ctx iris.Context) {
 	s := sessions.Get(ctx)
 	s.SetFlash("oidcInbox", oidcData.S3ConfInbox)
 	s.SetFlash("oidcDownload", oidcData.S3ConfDownload)
+	ctx.ViewData("cegaID", auth.Config.Cega.ID)
 	ctx.ViewData("infoUrl", auth.Config.InfoURL)
 	ctx.ViewData("infoText", auth.Config.InfoText)
 	ctx.ViewData("User", oidcData.OIDCID.User)