A library to add user authentication though Auctionet Admin SSO to phoenix apps.
See it in action in the example app on heroku.
Update this readme if anything is unclear.
Add this to deps:
{:auctionet_single_sign_on_plug, ">= 0.0.0", git: github_url("barsoom/auctionet_single_sign_on_plug")},
And below add this (will be needed later):
defp github_url(path) do
if System.get_env("MIX_ENV") == "prod" do
"https://github.com/#{path}.git"
else
"[email protected]:#{path}"
end
endRun mix deps.get
Remember to change "your_app_name".
config :your_app_name,
sso_secret_key: "dev secretdev secretdev secretdev secretdev secretdev secretdev secretdev secretdev secretdev secret",
sso_request_url: "http://auctionet.dev/admin/login/request_sso?app=your_app_name",
sso_logout_url: "http://auctionet.dev/admin/logout/sso" pipeline :require_valid_sso_login do
plug AuctionetSingleSignOnPlug,
sso_secret_key: Application.get_env(:your_app_name, :sso_secret_key),
sso_request_url: Application.get_env(:your_app_name, :sso_request_url)
end
scope "/", MyAppName do
# pipe_through :browser # <- replace this
pipe_through [:browser, :require_valid_sso_login] # <- with this!
# ...
endIf you want some paths not to require SSO, create a different scope for those.
Ensure you have created a SingleSignOnApplication record in auctionet dev that matches this app. The sso_login_url should be something like http://192.168.50.1:4000/ (does not need to be "/" but needs to be a path that is controlled by this plug).
Start foreman start -f Procfile.sso and dev web in /projects/auctionet.
Visit the app in development and see if it authenticates with auctionet.dev.
If it works you will be returned to the path you requested on your app. This means you're authenticated. Check conn.assigns[:sso] for user data!
Logging out from http://auctionet.dev/admin should log you out from the app (a background job in auctionet makes a call to the app in the background). Going to the app and logging in again should return you to the app with conn.assigns[:sso] set.
Since this is a private project it's more complex to access. Circle has a way to give access, but as far as I can see that gives access to all your private repos. So better to use that feature on the auctionet-ci user.
- Give the auctionet-ci-team admin access to the app repo and read access to this repo.
- Log into github as auctionet-ci (in another browser), go to circle, log in there, go to project settings, checkout ssh keys, authorize and add a key for auctionet-ci.
- Then change from admin to read access again.
- Don't trigger the build yet.
- Set heroku config for
GITHUB_AUTH_TOKEN(auctionet_push has the right one) and add the netrc buildpack like thisheroku buildpacks:add -i 1 https://github.com/timshadel/heroku-buildpack-github-netrc.git(needed to install this plug from a private repo). - Set heroku configs for
SSO_SECRET_KEY(pwgen -n 255),SSO_REQUEST_URL, andSSO_LOGOUT_URL(see auctionet_push config). - In elixir_buildpack.config, add "SSO_SECRET_KEY SSO_REQUEST_URL" to config_vars_to_export, so that it at least has
config_vars_to_export=(SSO_SECRET_KEY SSO_REQUEST_URL).
config :your_app_name,
sso_secret_key: System.get_env("SSO_SECRET_KEY"),
sso_request_url: System.get_env("SSO_REQUEST_URL"),
sso_logout_url: System.get_env("SSO_LOGOUT_URL")Create a SingleSignOnApplication record in auctionet. Leave entitlements an empty array if only supers will use it.
Log in and out of auctionet admin and check that the SSO works.
Link to the app from Auctionet Admin.
Add the SSO header like in the example app so the user know that the login is part of Auctionet Admin, etc.
Done!
mix deps.get
mix test
make test
If something doesn't work, check how it's done in phoenix_sso_example.
The example app also persists it's sessions as User records in a postgres database. That way sessions remain across app restarts and you can use the User records for other things.