edx-platform/docs/guides/studio_oauth.rst
Tim McCormack 0c164ad4c2 fix: Fix Studio logout by pointing to correct logout view (#28714)
This changes the "Sign out" link on Studio to point to Studio's own logout
view, which clears the session and then redirects to LMS's logout page. The
LMS logout page then skips loading the Studio logout because it is seen in
the Referer header.

This change also brings Studio better into line with how other IDAs perform
their logouts.

Background:

After the rollout of Studio OAuth, logouts initiated on Studio failed to
actually log out Studio (but all other IDAs were logged out). This was
because the LMS logout view loads the logout pages of other IDAs but skips
any that is a *prefix* match on the Referer header, and browsers now often
send a truncated version of the Referer for privacy. Therefore, Studio was
always skipped when coming from Studio.

The fix is to make sure that Studio has already performed its logout by the
time the LMS logout page is loaded.

One wrinkle here is that the LMS logout view is activated by `/logout`, but
the correct logout view (provided by auth_backends) is activated by
`/logout/` -- with a trailing slash. This is fragile and unfortunate, but
can be cleaned up when we later remove other leftovers of Studio's previous
ability to handle logistration.

ref: ARCHBOM-1897
2021-09-10 18:45:58 +00:00


Enabling OAuth for Studio login
===============================

Migration guide for edx.org (and anyone else following master) for converting Studio login to use OAuth.
This is a temporary document for Arch-BOM.

Background
----------

As of Lilac, Studio by default shares a session cookie with the LMS. This either forces Studio to be on a subdomain of the LMS or forces the LMS to set its session cookie on a wide domain, which exposes that cookie to a potentially large number of subdomains.

By setting up Studio to use the LMS's OAuth2-based single sign-on (SSO), the cookies (and domains) can be decoupled to improve both flexibility and security.

Migration
---------

Most of the configuration is already in place; Studio and LMS just need to be configured in each environment to enable the new flow. (Devstack and sandboxes will autoconfigure for OAuth.)

Migration involves simultaneously enabling OAuth and separating the session cookies for LMS and Studio. This effectively logs Studio users out, although they will still be logged into LMS, and aside from a brief disruption during the mixed-config interval they should not experience many problems.

For each deployed environment (stage, production, etc.):

#. Register an SSO OAuth2 client in LMS:

   - Add OAuth2 client:

     - Go to ``/admin/oauth2_provider/application/add/`` in LMS admin
     - Copy the prepopulated client ID and secret to a secure place
     - Leave the user field empty
     - Set redirect URLs to ``<STUDIO_ROOT_URL>/complete/edx-oauth2/``
     - Set client type to ``Confidential``
     - Set authorization grant type to ``Authorization code``
     - Set the name to ``studio-sso``
     - Select the "Skip authorization" checkbox

   - Configure the client's scope:

     - Go to ``/admin/oauth_dispatch/applicationaccess/add/`` in LMS admin
     - Select application ``studio-sso``
     - Set scopes to ``user_id``

#. Configure LMS to log out Studio when logging out by adding ``<public Studio root>/logout/`` to the LMS ``IDA_LOGOUT_URI_LIST``.

#. Configure Studio to allow completion of the OAuth flow::

      SOCIAL_AUTH_EDX_OAUTH2_KEY: <client id>
      SOCIAL_AUTH_EDX_OAUTH2_SECRET: <client secret>
      SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT: <server-to-server LMS root URL> # possibly same as public LMS root URL
      SOCIAL_AUTH_EDX_OAUTH2_PUBLIC_URL_ROOT: <public LMS root URL>

#. Configure Studio to initiate the OAuth flow and use a separate session cookie::

      LOGIN_URL: /login/ # to activate OAuth functionality
      SESSION_COOKIE_DOMAIN: <studio domain> # since no longer using root domain to share with LMS
      SESSION_COOKIE_NAME: studio_sessionid

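The four steps above touch two deployments (the LMS OAuth2 client and ``IDA_LOGOUT_URI_LIST``, and the Studio settings), and the commit message notes that the logout entry only works with its trailing slash. The following is an added preflight check written for this guide; it is not part of edx-platform. It takes the Studio settings and LMS settings as plain dicts keyed like the YAML above, plus the redirect URIs registered on the OAuth2 client, and reports anything that would break the flow or leave the session cookie shared. ``STUDIO_ROOT_URL`` is the placeholder used in the registration step, the sample hosts are constructed, and the LMS cookie name ``sessionid`` is Django's default, which is an assumption here rather than a value from the guide.

```python
"""Preflight consistency check for the Studio OAuth migration.

Example code added to this guide, not part of edx-platform.
"""
from urllib.parse import urlparse

# Assumption: the LMS uses Django's default session cookie name.
DJANGO_DEFAULT_SESSION_COOKIE = "sessionid"

STUDIO_SETTING_KEYS = (
    "SOCIAL_AUTH_EDX_OAUTH2_KEY",
    "SOCIAL_AUTH_EDX_OAUTH2_SECRET",
    "SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT",
    "SOCIAL_AUTH_EDX_OAUTH2_PUBLIC_URL_ROOT",
)


def check_studio_oauth_config(studio, lms, registered_redirect_uris):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    studio_root = (studio.get("STUDIO_ROOT_URL") or "").rstrip("/")
    if not studio_root:
        return ["STUDIO_ROOT_URL is not set"]

    # Step 1: the OAuth2 client must redirect back to Studio's social-auth callback.
    expected_redirect = f"{studio_root}/complete/edx-oauth2/"
    if expected_redirect not in registered_redirect_uris:
        problems.append(f"OAuth2 client redirect URIs lack {expected_redirect}")

    # Step 3: Studio needs the client credentials and both LMS root URLs.
    for key in STUDIO_SETTING_KEYS:
        if not studio.get(key):
            problems.append(f"Studio setting {key} is missing")

    # Step 4: LOGIN_URL must be /login/ to activate the OAuth-initiating view.
    if studio.get("LOGIN_URL") != "/login/":
        problems.append("Studio LOGIN_URL must be /login/")

    # Step 2: the LMS must list Studio's logout view *with* the trailing slash;
    # per the commit message above, /logout without it hits the wrong view.
    expected_logout = f"{studio_root}/logout/"
    logout_list = lms.get("IDA_LOGOUT_URI_LIST", [])
    if expected_logout not in logout_list:
        hint = " (entry present but missing trailing slash)" \
            if f"{studio_root}/logout" in logout_list else ""
        problems.append(f"LMS IDA_LOGOUT_URI_LIST lacks {expected_logout}{hint}")

    # Step 4: the session cookie must be decoupled from the LMS, which means a
    # distinct name and a domain scoped to Studio's own host rather than a
    # wide parent domain shared with sibling subdomains.
    lms_cookie = lms.get("SESSION_COOKIE_NAME", DJANGO_DEFAULT_SESSION_COOKIE)
    if studio.get("SESSION_COOKIE_NAME", DJANGO_DEFAULT_SESSION_COOKIE) == lms_cookie:
        problems.append("Studio SESSION_COOKIE_NAME still collides with the LMS cookie name")
    studio_host = urlparse(studio_root).hostname or ""
    cookie_domain = (studio.get("SESSION_COOKIE_DOMAIN") or "").lstrip(".")
    if cookie_domain != studio_host:
        problems.append(
            f"Studio SESSION_COOKIE_DOMAIN should be {studio_host}, got {cookie_domain or '(unset)'}"
        )
    return problems


# Constructed sample configs; hosts and credentials are placeholders.
GOOD_STUDIO = {
    "STUDIO_ROOT_URL": "https://studio.example.edu",
    "SOCIAL_AUTH_EDX_OAUTH2_KEY": "studio-sso-client-id",
    "SOCIAL_AUTH_EDX_OAUTH2_SECRET": "placeholder-secret",
    "SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT": "http://lms-internal:18000",
    "SOCIAL_AUTH_EDX_OAUTH2_PUBLIC_URL_ROOT": "https://lms.example.edu",
    "LOGIN_URL": "/login/",
    "SESSION_COOKIE_DOMAIN": "studio.example.edu",
    "SESSION_COOKIE_NAME": "studio_sessionid",
}
GOOD_LMS = {"IDA_LOGOUT_URI_LIST": ["https://studio.example.edu/logout/"]}
GOOD_REDIRECTS = ["https://studio.example.edu/complete/edx-oauth2/"]

# Pre-migration shape: cookie still shared on the parent domain, and the
# logout entry copied without its trailing slash.
BAD_STUDIO = dict(GOOD_STUDIO, SESSION_COOKIE_NAME="sessionid",
                  SESSION_COOKIE_DOMAIN=".example.edu")
BAD_LMS = {"IDA_LOGOUT_URI_LIST": ["https://studio.example.edu/logout"]}

if __name__ == "__main__":
    for label, args in (("good", (GOOD_STUDIO, GOOD_LMS, GOOD_REDIRECTS)),
                        ("bad", (BAD_STUDIO, BAD_LMS, GOOD_REDIRECTS))):
        print(label, check_studio_oauth_config(*args))
```

Run it against each environment's rendered settings before flipping the switch; the "bad" sample reproduces the three things most likely to go wrong during the mixed-config interval (shared cookie name, wide cookie domain, slash-less logout entry).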
Cleanup
-------

Config and code changes to be performed after all environments are using the OAuth flow for Studio.

- Set ``LOGIN_URL`` to ``'/login/'`` in ``cms/envs/common.py``
- Deploy
- Remove ``LOGIN_URL`` overrides from all environments (devstack and others)
- Remove remaining ``ARCH-1253`` detritus (login redirect)
- Remove this doc!

Declining the migration
-----------------------

Untested instructions for continuing to keep the shared sessions:

- Override ``FRONTEND_LOGOUT_URL`` for Studio to be ``<LMS base>/logout``
- Override ``LOGIN_URL`` for Studio to be ``<LMS base>/login``