[ICAT-SSO] - Initial work an adapting AbstractLims and integration with SSO

Author: marcus-oscarsson

demo/mxcube-web/server.yaml

@@ -1,24 +1,35 @@
 ---
 
 server:
-  SECRET_KEY: "ASECRETKEY"
-  SECURITY_PASSWORD_SALT: "ASALT"
+  SECRET_KEY: ASECRETKEY
+  SECURITY_PASSWORD_SALT: ASALT
   PERMANENT_SESSION_LIFETIME: 60
+  CERT: NONE
 
   DEBUG: false
 
   ALLOWED_CORS_ORIGINS:
-    - "http://localhost:8081"
-    - "http://127.0.0.1:8081"
-    - "http://localhost:5173"
-    - "http://127.0.0.1:5173"
-    - "ws://localhost:8000"
-    - "ws://127.0.0.1:8000"
+    - http://localhost:8081
+    - http://127.0.0.1:8081
+    - http://localhost:5173
+    - http://127.0.0.1:5173
+    - ws://localhost:8000
+    - ws://127.0.0.1:8000
+
+sso:
+  USE_SSO: false
+  ISSUER: https://websso.[site].[com]/realms/[site]/
+  LOGOUT_URI: ""
+  TOKEN_INFO_URI: ""
+  CLIENT_SECRET: ASECRETKEY
+  CLIENT_ID: mxcube
+  SCOPE: openid email profile
+  CODE_CHALLANGE_METHOD: S256
 
 mxcube:
   USE_EXTERNAL_STREAMER: true
   VIDEO_FORMAT: MPEG1
-  VIDEO_STREAM_URL: "ws://localhost:8000/ws"
+  VIDEO_STREAM_URL: ws://localhost:8000/ws
 
   # At which port to stream from
   VIDEO_STREAM_PORT: 8000

docs/source/dev/login.md

@@ -0,0 +1,47 @@
+# Login
+
+## Authentication and authorization
+
+The authentication and authorization of a user have traditionally been performed in one step via the `ISPYBClient` hardware object. The authentication step has either been done through LDAP or delegated to ISPyB. `ISPYBClient` has been replaced by `ISPyBAbstractLIMS` and exists in two variants, one for user-based login (`UserTypeISPyBLims`) and another one for proposal (`ProposalTypeISPyBLims`) both of which support authentication via LDAP or ISPyB. The possibility to authenticate via LIMS will be removed in the future, and authentication has to be delegated to a process dedicated to authentication. The authorization for a user to use a beamline is performed via the user portal or LIMS system.
+
+### Authentication with single sign on
+
+MXCUBE can be configured to use Single sign-on (SSO) through OpenIDConnect for user authentication. The OpenIDConnect configuration is located in the `server.yaml` file, which should contain an `sso` section like the one below.
+
+```
+sso:
+  USE_SSO: false                                              # True to use SSO false otherwise
+  ISSUER: https://websso.[site].[com]/realms/[site]/          # OpenIDConnect issuer URI
+  LOGOUT_URI: ""                                              # OpenIDConnect logout URI
+  TOKEN_INFO_URI: ""                                          # OpenIDConnect token info URI
+  CLIENT_SECRET: ASECRETKEY                                   # OpenIDConnect client secret
+  CLIENT_ID: mxcube                                           # OpenIDConnect client ID
+  SCOPE: openid email profile                                 # OpenIDConnect defualt scopes, none scope is actually beeing used
+  CODE_CHALLANGE_METHOD: S256                                 # OpenIDConnect challange method
+```
+
+User authorization is delegated to the LIMS client inheriting `AbstractLims` and is performed in the `login` method.
+
+## HTTP Session management
+
+MXCuBE web sessions are meant to expire when there is no activity
+
+For this purpose:
+
+- Flask configuration setting `PERMANENT_SESSION_LIFETIME` is set
+  to the preferred value (seconds).
+
+- Flask configuration setting `SESSION_REFRESH_EACH_REQUEST` is set,
+  which is the default anyway.
+
+- Flask session setting `session.permanent` is set
+  right after successful authentication.
+
+- The front-end calls the `/mxcube/api/v0.1/login/refresh_session` endpoint
+  regularly (hardcoded value: 9000 milliseconds)
+  for as long as the browser tab is open.
+
+Every time the _refresh_ endpoint is called,
+the browser session cookie is refreshed,
+meaning its expiration timestamp is pushed back in the future
+for as much as the value stored in `PERMANENT_SESSION_LIFETIME`.

docs/source/dev/login.rst

@@ -12,6 +12,7 @@
     AppConfigModel,
     FlaskConfigModel,
     MXCUBEAppConfigModel,
+    SSOConfigModel,
     UIPropertiesListModel,
 )
 
@@ -36,6 +37,7 @@ class Config:
 
     flask: FlaskConfigModel
     app: MXCUBEAppConfigModel
+    sso: SSOConfigModel
 
     def __init__(self, fpath):
         Config.CONFIG_ROOT_PATH = fpath
@@ -45,6 +47,7 @@ def __init__(self, fpath):
         self.flask = app_config.server
         self.app = app_config.mxcube
         self.app.ui_properties = uiprop
+        self.sso = app_config.sso
 
     def load_config(self, component_name, schema):
         fpath = os.path.join(Config.CONFIG_ROOT_PATH, f"{component_name}.yaml")

mxcubeweb/config.py

@@ -160,7 +160,7 @@ def send_data_collection_info_to_crims(self) -> bool:
         crystal_uuid = ""
 
         try:
-            rest_token = HWR.beamline.lims.lims_rest.get_rest_token()
+            rest_token = HWR.beamline.lims.get_rest_token()
             proposal = HWR.beamline.session.get_proposal()
 
             crims_url = self.harvester_device.crims_upload_url