Added a UI for confirming OAuth Access. #11464
Conversation
|
Thanks for the pull request, @justinabrahms! I've created OSPR-1131 to keep track of it in JIRA. JIRA is a place for product owners to prioritize feature reviews by the engineering development teams. Feel free to add as much of the following information to the ticket:
All technical communication about the code itself will still be done via the GitHub pull request interface. As a reminder, our process documentation is here. |
openedx-webhooks
added
open-source-contribution
|
@justinabrahms thank you for the gif clarifying your emotional state! If others were as good at finding gifs, I might add that section to the usual PR cover letter template :) Are there any tests around this kind of UI? It seems like the kind of fragile corner that might break. @clintonb @jimabramson If you wouldn't mind... |
| <div class="authorization-confirmation"> | ||
| {% if not error %} | ||
| {% blocktrans with application_name=client.name %} | ||
| <p><strong>{{ application_name }}</strong> would like to access your data with the following permissions:</p> |
There was a problem hiding this comment.
It'd be better to leave the <p> and </p> tags outside the blocktrans.
|
@edx/doc this seems like it will need docs. |
| {% endfor %} | ||
| </select> | ||
| </div> | ||
| <input type="submit" class="btn login large danger" value="Cancel" /> |
There was a problem hiding this comment.
Should this be a submit button? Is there anyway we can simply redirect without the POST submission?
There was a problem hiding this comment.
Based on the underlying library.. yes. This should be a submit button. We could do this all client-side, if that's what you mean, but that would be a bigger departure from the underlying library than I feel comfortable with. See here:
https://github.com/edx/django-oauth2-provider/blob/edx/provider/views.py#L397
|
This looks great, but we need tests, ideally at the acceptance level to better facilitate the eventual replacement of django-oauth2-provider with django-oauth-toolkit. |
|
@clintonb This is my first bokchoy test. It's unclear how I populate data into the database. It seems like I can't start from a working state, and must, instead, built a working state from scratch. I think this means creating superusers, clicking around in the admin to setup an oauth app, then actually performing the tests. Can you confirm that this is expected? How do I create the initial super user to access the admin? I need to create an oauth application. This either means writing it into the database (which I can't seem to do, given I don't have access to a django context) or doing it through the admin (for which I'll need an admin user I can access). edit: found out how to run faster bokchoy tests |
|
@justinabrahms I can't recall writing tests for edx-platform; but, for ecommerce, we need to setup data before the tests run. I must defer to @benpatterson and @jzoldak regarding fixtures/data setup for edx-platform. |
|
@justinabrahms here is some hopefully helpful information:
Development/troubleshooting tips:
|
|
This now has acceptance tests, as requested. |
| """ | ||
| Pages relevant for OAuth2 confirmation. | ||
| """ | ||
| from . import BASE_URL |
There was a problem hiding this comment.
Done. No other acceptance test uses absolute imports for these things. If this is something you care about, you might consider filing a ticket for it.
|
👍 |
| """ | ||
| self._auth() | ||
| self.oauth_page.scopes = ('email', 'does-not-exist') | ||
| assert self.oauth_page.visit().is_browser_on_page() |
There was a problem hiding this comment.
Bok choy's visit method has the assertions for being on the page built-in, so instead you should simply do self.oauth_page.visit()
|
This is ready for another round of review. AFAIK, all comments have been addressed. As I mentioned to Clinton, if you want absolute imports on acceptance tests, no other file does this. You might consider filing a ticket to clean it up in the future. |
|
Ticket filed to clean imports: https://openedx.atlassian.net/browse/TE-1194 |
|
What's left to be done on this PR? edx notes bokchoy tests are failing. As are lettuce tests. Looking at the error messages, it doesn't appear to have anything to do with my work. Would love to push this along. :) |
|
Hey @justinabrahms I think those tests need to be addressed. Perhaps it is an easy fix, but I suspect something is breaking them (at least, for bok-choy). From what I recall, the Notes tests do rely on some oauth settings; I just don't know or remember what the dependency is, exactly. I could potentially help you debug them early next week if you need a hand. |
|
jenkins run lettuce |
|
I am unfamiliar with edx Notes, but looking quickly at the bok-choy server log from a failed test run my first guess is that you'll need to add another oauth client to the oauth.json fixture with a client_id of edx-notes. I haven't looked into it closely enough to understand why the tests worked before (when the ENABLE_OAUTH2_PROVIDER feature flag was not turned on.) HTH. |
|
Tests now pass. Next steps? |
|
@justinabrahms, I will merge after you squash your commits and all tests pass. It looks like only the a11y test ran on your most recent commit. |
|
And here I was all excited. :-/ Thanks. |
justinabrahms
force-pushed
the
oauth-confirmation-views
branch
from
61a466c
to
4c8754d
Compare
This will allow users to delegate permissions to a 3rd party service.
justinabrahms
force-pushed
the
oauth-confirmation-views
branch
from
4c8754d
to
885785d
Compare
|
All of the tests have passed. 🏈 The commits have been squashed. |
Added a UI for confirming OAuth Access.
What are the relevant tickets?
Fixes mitocw#176
No JIRA ticket that I know of, but this continues the work mentioned in https://groups.google.com/forum/#!searchin/edx-code/justin$20abrahms/edx-code/BS0oowwARlM/2SHqJmtuBwAJ
What's this PR do?
Adds a UI for OAuth access, which allows users to delegate permissions to 3rd party services.
Where should the reviewer start?
A familiarity with django-oauth2-provider is essential, as this PR is just some custom templating around that library's workings. I think @clintonb or @jimabramson are probably good candidates to review this from the oauth side.
How should this be manually tested?
The client_id is the one you made. Scopes are space separated. Valid scopes are: default, openid, profile, email, course_staff, course_instructor, and permissions.
Clicking cancel will take you to your redirect url with access_denied in the URL. Clicking accept will send you to the redirect url with the authorization code to continue the oauth flow.
Any background context you want to provide?
This is relevant for interacting with edX as a third party application, which MIT will need for upcoming feature work. Specifically, solving the "who is this user on edx?" question is difficult and error prone without this capability.
This affects LMS only (afaik), but will be an authorization avenue for all edX users.
The template was copied from django-oauth2-provider repository and edited to integrate with
main_django.htmland provide some styling hooks.Screenshots (if appropriate)
(the box is an artifact of screen capture, not in the actual page)
What gif best describes this PR or how it makes you feel?