Skip to content

SSO: Login/Logout#8

Draft
louispt1 wants to merge 3 commits into
mainfrom
sso
Draft

SSO: Login/Logout#8
louispt1 wants to merge 3 commits into
mainfrom
sso

Conversation

@louispt1

@louispt1 louispt1 commented Jul 6, 2026

Copy link
Copy Markdown
Member

Context

Simplify identity gem to a shared JWT session cookie, rely on jwt not json-jwt.

  • etm_session cookie as JWT:
    Replaces Identity::Session/AccessToken/InvalidGrantRecovery/Serializer and the silent-SSO probe (routes remain, but ?prompt=none, silent.html.erb, and the hint-cookie helpers are gone) with a single Identity::ResourceServer concern plus a unified session_cookie_token/claims-to-User path (Identity::User.from_jwt_claims).

  • Rewrites TokenDecoder on the jwt gem (native JWKS loader with kid rotation) instead of the previous custom json-jwt implementation; it now returns a HashWithIndifferentAccess of claims rather than a plain Hash, so downstream consumers can read claims by string or symbol key.

  • Controller helpers and error handling etc were trimmed down to what is actually necessary under this cookie-JWT approach

  • the two independent "claims → User" mappers have been unified into one (Identity::User.from_jwt_claims), and the two independent token-extraction paths (API bearer vs. browser cookie) onto one shared cookie reader.

Quirks / notes:
  • We may want to consider the fact that the Resource::Server may not be necessary if etengine/etmodel don't expose public APIs anymore at some stage? I guess this is for far in the future as we will keep v3/v1 for a while for backwards compatibility at least.
  • I think we should retire the access_token passthrough that is only used by etmodel - the routes should rely on the cookie JWT only. At the moment this is used in three places, the api_passthru_controller, co2_factsheet_options and application_helper's boot-payload token. I did not change these as part of this effort as the scope was beginning to sprawl...

Related - Goes with the other SSO: Login/Logout PRs:

identity rails
etengine
etmodel
myetm
collections
ETLauncher

Checklist

  • I have tested these changes --> NOTE: These changes were tested on the ETLauncher bridge network. Testing the federated cookie setup on the standard dev setup will not work because cookies cannot be federated across localhost as a domain
  • I have updated documentation as needed (comments only)
  • I have tagged the relevant people for review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant