Describe the feature you'd like and what it will do
To simplify and standardize HydroServer user authentication with apps, we should integrate Django AllAuth's OpenID Connect provider extension and decouple user sign up and login workflows from the data management app. This would cleanly separate user/account management from HydroServer data management in a way that can be replicated for other apps such as the QC app. HydroServer apps would be able to focus solely on their specific data management functionality without needing to worry about user authentication workflows or state.
This would be a multi-step process that involves several changes to HydroServer's available authentication workflows, GUI, and app organization.
Discuss and choose one:
Option 1 is closest to what we're doing now, but it's far more work to maintain in the long run because we need to maintain all the frontend routing logic for authentication, though it gives us a bit more flexibility in the UX of the authentication workflow.
Option 2 is more work up front, but almost all authentication business logic, including routing, is handled internally by Django AllAuth, so it's much less to maintain. We would need to style AllAuth's prebuilt templates and it may feel a bit less "modern" because we'll be using Django's frontend framework instead of Vue. See HydroShare's user login workflow to get an idea for what this would look like.
Note: BearerAuth is currently used by hydroserverpy, but would conflict with OIDCAuth. We would need to either update hydroserverpy to use OIDCAuth, or we would need to re-enable BasicAuth if we still want to allow users to just enter their username and password when authenticating through hydroserverpy. APIKey authentication will still work the same as well.
Why is this feature important?
HydroServer apps, particularly third-party apps, are currently limited in how they can securely authenticate with HydroServer. For web apps, current authentication methods require all apps to be hosted from the same domain as HydroServer. Current authentication methods also require apps to handle more complicated routing logic to deal with various user sign up and authentication states.
AllAuth's IDP extension greatly simplifies the app registration and authentication process. Authentication would be handled solely by the AllAuth package. All HydroServer apps would direct users to HydroServer's authentication pages, which would handle sign up, login, and account management. Apps would only need to manage an access token and refresh token for authenticated users.
Is your feature request related to a problem? Please describe.
No response
Any additional comments?
No response