Checkbox that tells cilogon to redirect users to their preferred IdP automatically does not work.
keepidp cookie should get set and does not

TEST
logon to cilogon directly, watch cookie get set correctly in .cilogon.org realm
logon to portal.mghpcc.org cookie does not get set

Suspect dropping POST content in some redirect or multiple posts where set in first but lost in subsequent (i.e. gets set on first pass then unset on second).

Hi Jim,

We've had our first PI request from Yale University and would like them enabled for NERC access.

You provided guidance (screenshot on attributes) on ticket 40 which I can pass on to Yale as well. Will add the info to this ticket when we receive it.

Thanks!

Wayne

This direct server to 500 error with following debug trace:

KjG5-JxR8af3yBtHD72aFCqKEzEN79uggorYlyQ'}
2022-08-04 12:12:58,014 django.request       ERROR     Internal Server Error: /registration/
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/asgiref/sync.py", line 472, in thread_handler
    raise exc_info[1]
  File "/usr/local/lib/python3.9/site-packages/django/core/handlers/exception.py", line 38, in inner
    response = await get_response(request)
  File "/usr/local/lib/python3.9/site-packages/django/core/handlers/base.py", line 233, in _get_response_async
    response = await wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.9/site-packages/asgiref/sync.py", line 435, in __call__
    ret = await asyncio.wait_for(future, timeout=None)
  File "/usr/local/lib/python3.9/asyncio/tasks.py", line 442, in wait_for
    return await fut
  File "/usr/local/lib/python3.9/site-packages/asgiref/current_thread_executor.py", line 22, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.9/site-packages/asgiref/sync.py", line 476, in thread_handler
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/code/regapp/apps/regapp/views/registration.py", line 89, in registration
    existing_mss_account_info = mss_userinfo_result[0]
KeyError: 0

This should be handled with using this function: https://github.com/nerc-project/regapp/blob/main/apps/regapp/views/registration.py#L101-L108

• This is creating conflict during batch users upload.
• We can set username default to what OIDC meta data fetch for email address.

The command currently fails if users are missing email (will also fail if first, last, username or accepted version are somehow missing).
Defensive code needed here.

Management command should ignore disabled users

Create account or update and set research domain to "physical sciences"
Go back to manage account and domain is set to "other"

Logout is broken because the newest version of keycloak deprecates the redirect_uri parameter.
Need to implement the fancier new oidc spec compliant redirection.

Default value for fields in AccountAction model combined with unique constraint means that violations occur if more than one AccountAction is ever in-flight.

We are currently collaborating with researchers from BU, Red Hat, and the University of Toronto. Since the feature described in #38 is not yet active, could we enable the University of Toronto.

This will verify that kustomize build succeeds before accepting pull requests.

After accepting the EULA and revisiting the https://regapp.mss.mghpcc.org/profile/ page, the checkbox appears unchecked. Acceptance status is not being passed correctly to rendering template.

Requires implementing allowlist to support domain filtering on non-institutional (e.g. Microsoft, GitHub) logons.

• when logging in the dropdown list will grow very large
  • cookies will auto-select the last dropdown item used
• Extra users filling up our db
  • this we do not need to solve yet but eventually we will need to make sure we are cleaning out users based on never logged in or not logged in in a specific time frame
  • we will want to update our rules for culling users yearly
• We want to filter who can access Google and Microsoft dropdown because some institutions have both and we want them to be forced to use whichever the IdP is setup with
  • This will be resolved in a different issue (to be linked once it is created)

This is blocked by getting the Allow-list setup for Google & Microsoft CILogon users.

This was addressed by running markdown conversion locally.
Fix was done to allow maintenance window to close.
Need to add exception handling and logging

IIIRC, this normally runs by default (autovacuum option in postgres).
Check to make sure that autovacuum is enabled and does what we expect.
Otherwise setup cron to run a container to periodically vacuum (used to be a crunchy container that did this but that does not seem to be a thing anymore).

Motivation

We are currently collaborating with researchers from Yale University. Since the feature described in #38 is not yet active, could we enable Yale University?

Completion Criteria

Yale University users are able to log in.

Description

• @Milstein Please have a user from Yale visit https://cilogon.org/ and login (presumably using the IdP which they intend to use for NERC). Have them open the accordions labeled "User Attributes" and "Identity Provider Attributes" and take a screenshot of the information presented there and send that along to us.
• @culbert add the info from there to our allowed list.

Completion dates

Desired - 2023-12-08
Required - TBD

The HTTP_REAL_IP header is not available in openshift (likely a difference between microk8s and openshift ingress implementation). We have substituted the FORWARDED_FOR header and anticipated seeing the list of intervening RPs (shown when you just dump request.META). When we fetch with get, we only get the first one. This happens to be the one we want but it's not clear a) why this happens and b) whether it will always work (i.e. will it always pick first and will first always be the one we want).

Need to investigate this behavior in openshift/django context and make sure that we always get the correct behavior (i.e. we record the users originating IP in some form, either alone or in a list containing the full proxy chain)

Motivation

We are currently collaborating with researchers from Dartmouth University. Since the feature described in #38 is not yet active, could we enable Dartmouth University?

Completion Criteria

Yale University users are able to log in.

Description

• @Milstein get screenshot
• @culbert add Dartmouth

Completion dates

Desired - 2023-12-08
Required - TBD

• Emails will be in this domain: <user>@researchspace.com
• Email IdP is based on Microsoft 365
• The user and IdP attributes from cilogon.org are as shown below: