yogsototh/deft
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
deft/2021-W05.org
Yann Esposito (Yogsototh) 5fb5d0ce76
inbox.org
2022-05-10 11:15:35 +02:00

230 lines
No EOL
11 KiB
Org Mode
Raw Blame History

* 2021-W05
** 2021-02-01 Monday
:PROPERTIES:
:collapsed: true
:END:
*** IN-PROGRESS enforce whoami db check to sync users. :work:
:LOGBOOK:
CLOCK: [2021-02-01 Mon 17:19]--[2021-02-01 Mon 18:19] => 1:00
:END:
[2021-02-01 Mon 17:19]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*fix iroh-auth doc regarding jwks][fix iroh-auth doc regarding jwks]]
*** DONE fix iroh-auth doc regarding jwks :work:
:LOGBOOK:
CLOCK: [2021-02-01 Mon 10:35]--[2021-02-01 Mon 14:53] => 4:18
:END:
[2021-02-01 Mon 10:35]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/inbox.org::*Améliorer son Anglais (bis) (italki)][Améliorer son Anglais (bis) (italki)]]
** 2021-02-02 Tuesday
*** IN-PROGRESS Testing CSA Migration :work:
:LOGBOOK:
CLOCK: [2021-02-02 Tue 10:42]--[2021-02-03 Wed 10:11] => 23:29
:END:
[2021-02-02 Tue 10:42]
*** DONE morning routine :work:
:LOGBOOK:
CLOCK: [2021-02-02 Tue 09:48]--[2021-02-02 Tue 10:42] => 0:54
:END:
[2021-02-02 Tue 09:48]
** 2021-02-03 Wednesday
:PROPERTIES:
:collapsed: true
:END:
*** IN-PROGRESS CORS headers bug :work:
:LOGBOOK:
CLOCK: [2021-02-03 Wed 14:42]--[2021-02-04 Thu 10:24] => 19:42
:END:
[2021-02-03 Wed 14:42]
- ref ::
*** DONE IdP Migration Testing :work:
:LOGBOOK:
CLOCK: [2021-02-03 Wed 10:11]--[2021-02-03 Wed 10:11] => 0:00
:END:
[2021-02-03 Wed 10:11]
Note quite complex workflow but worked as expected.
Had the "You are in the middle of an Invitation" prompt.
** 2021-02-04 Thursday
:PROPERTIES:
:collapsed: true
:END:
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp t :link t :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-02-04 Thu 19:00]
| Timestamp | Tags | Headline | Time | | | |
|------------------------+---------------+------------------------------------------+--------+---+------+------|
| | | *Total time* | *9:46* | | | |
|------------------------+---------------+------------------------------------------+--------+---+------+------|
| | | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-02-04 Thursday][2021-02-04 Thursday]] | | | 9:46 | |
| [2021-02-04 Thu 17:32] | work, meeting | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*didi Posture][didi Posture]] | | | | 1:28 |
| [2021-02-04 Thu 10:25] | work, review | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*morning review tour][morning review tour]] | | | | 7:07 |
| [2021-02-04 Thu 10:24] | work | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*test and discussion about CSA Migration][test and discussion about CSA...]] | | | | 1:11 |
#+END:
*** MEETING didi Posture :work:meeting:
:LOGBOOK:
CLOCK: [2021-02-04 Thu 17:32]--[2021-02-04 Thu 19:00] => 1:28
:END:
[2021-02-04 Thu 17:32]
Best user experience, etc..
Create a response issue about OAuth2/OIDC/trusted clients.
#+begin_src
{
"scopes": [
"openid","profile"
],
"description": "string",
"redirects": [
"https://127.0.0.1:5443/callback"
],
"availability": "everyone",
"name": "int-posture-test",
"grants": [
"auth-code"
],
"audiences": [
"posture"
]
}
#+end_src
*** REVIEW morning review tour :work:review:
:LOGBOOK:
CLOCK: [2021-02-04 Thu 10:25]--[2021-02-04 Thu 17:32] => 7:07
:END:
[2021-02-04 Thu 10:25]
*** DONE test and discussion about CSA Migration :work:
:LOGBOOK:
CLOCK: [2021-02-04 Thu 09:14]--[2021-02-04 Thu 10:25] => 1:11
:END:
[2021-02-04 Thu 10:24]
** 2021-02-05 Friday
:PROPERTIES:
:collapsed: true
:END:
#+BEGIN: clocktable :scope subtree :maxlevel 4 :timestamp t :link t :tags t :narrow 36! :match "work"
#+CAPTION: Clock summary at [2021-02-05 Fri 13:58]
| Timestamp | Tags | Headline | Time | | | |
|------------------------+--------------+-------------------------------------------+--------+---+------+------|
| | | *Total time* | *2:59* | | | |
|------------------------+--------------+-------------------------------------------+--------+---+------+------|
| | | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-02-05 Friday][2021-02-05 Friday]] | | | 2:59 | |
| | work, chat | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Team discussion][Team discussion]] | | | | 0:36 |
| [2021-02-05 Fri 11:34] | work, review | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Ambrose review][Ambrose review]] | | | | 0:28 |
| [2021-02-05 Fri 09:49] | work, chat | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Client creation review with Diana][Client creation review with Diana]] | | | | 1:55 |
#+END:
*** IN-PROGRESS playing? :work:
:LOGBOOK:
CLOCK: [2021-02-05 Fri 13:57]--[2021-02-05 Fri 14:57] => 1:00
:END:
[2021-02-05 Fri 13:57]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Ambrose review][Ambrose review]]
*** CHAT Team discussion :work:chat:
:LOGBOOK:
CLOCK: [2021-02-05 Fri 11:42]--[2021-02-05 Fri 12:18] => 0:36
**** REVIEW Ambrose review :work:review:
:LOGBOOK:
CLOCK: [2021-02-05 Fri 11:14]--[2021-02-05 Fri 11:42] => 0:28
:END:
[2021-02-05 Fri 11:34]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Client creation review with Diana][Client creation review with Diana]]
*** CHAT Client creation review with Diana :work:chat:
:LOGBOOK:
CLOCK: [2021-02-05 Fri 09:19]--[2021-02-05 Fri 11:14] => 1:55
:END:
[2021-02-05 Fri 09:49]
- ref :: https://ui-staging.int.iroh.site/platform/sx-help-docs-1-66-db/help/settings-api-clients
Hi Diana,
Thanks for reaching out.
While reviewing the doc, I also checked the second screenshot.
I think it should be changed by another one.
The screenshot was made by a super user, so the scopes displayed are
private one that none of our customer will ever see.
The main difference between a "Client Credentials Grant Client"
and an "Authorization Code Grant Client" (those are the technically correct
and kind of bad names for the two different kind of clients) is that:
1. /Client Credentials Grant Client/ are for your user only. Also you do
not need to own a website.
2. /Authorization Code Grant Client/ can be used to ask other users to
trust your application. You need to have a website to host your
application.
The reason why a customer would want to configure an /Authorization Code
Grant Client/ could be:
1. The customer follow a documentation provided by Cisco to integrate a
on-premise product. In that case, the customer will probably need to
only select a /client-preset/ and enter a custom /Redirect URL/.
2. The customer want to build an integration with SecureX. In this case
this will be an advanced usage and the creator will probably be a developer.
In this case the advanced developer doc should be mentionned for that customer.
https://visibility.amp.cisco.com/iroh/doc/iroh-auth/
So both kind of clients are sufficiently different that I think the section
about "Using API Client Credentials to Get Access Token" should be moved
just after the API client creation section and before OAuth Code client
creation section.
Also Explaining how to retrieve the access token from a Authorization Code
Grant client is quite a technically advanced topic. This is why I would
advise to directly provide a link to the advanced developer doc (the one
inside IROH not the Cisco DEVNET; thus
https://visibility.amp.cisco.com/iroh/doc/iroh-auth/)
So I think it is important to mention important limitations about those
client creations.
There is a notion of "Auto-approved clients".
So a customer will be able to create clients but if some criteria are not
met the client will be disabled until an IROH admin approve the client.
I think this should probably need to be talked about with someone in the
UI/UX team. This system was very convenient for our advanced usage, but I
don't know how to handle that nicely in the UI.
So here are (some) of the constraints a newly client must have to be
automatically approved:
1. The URL must start with =https://=
2. The URL must not contain any wildcard =*=
3. The Availabily must not be =everyone=
4. The client contain some restricted scope (this should never occurs as
the UI take care to show only scopes not subject to restriction)
5. The client must not be =public= (the UI does not appear to provide the
confidential vs public option)
6. The client configure a list of specific =audiences= (the UI does not
appear to provide any mean to configure this field)
I think for the documentation perspective we should only be concerned by
point 1, 2 and 3.
And this should probably be mentionned.
I think we could probably give a few hints.
So in your point 6
> Enter the Redirect URL that the authorization server uses to redirect back to the application.
> Click Add another Redirect URL to enter multiple URLs.
I think you should probably mention that all URL must start with =https://=
and should not contain any =*=.
And for point 7
> Choose the Availability from the drop-down list. You can make the client
> available to User, Organization, or Everyone.
You should probably mention that selecting Everyone is subject to approval
and will need the intervention of a Cisco Administrator to approve your client.
We should probably add a short sentence explaining what is Availbility for.
This is not an OAuth2 standard field.
Availabilty "Org" mean that only member of your own Organization will be
able to approve your client and this should probably be your default choice.
I hope I have been helpful.
Do not hesitate to reach out if you have more questions.
Reference in a new issue View git blame Copy permalink