Skip to content

SSO: Login/Logout#1776

Draft
louispt1 wants to merge 1 commit into
masterfrom
sso
Draft

SSO: Login/Logout#1776
louispt1 wants to merge 1 commit into
masterfrom
sso

Conversation

@louispt1

@louispt1 louispt1 commented Jul 6, 2026

Copy link
Copy Markdown
Member

Context

Adopt shared JWT session cookie for authentication, retire per-app OAuth session

  • Replaced the local acess-token/session-based sign-in with the domain-wide etm_session cookie minted by MyETM.
  • base controller now includes Identity::ResourceServer and resolves users via decoded_token instead of the custom Auth header parser
  • application controller resolves current_user via User.from_jwt! against the cookie's claims
  • ETEngine::TokenDecoder is replaced with Identity::TokenDecoder (unified logic in the identity gem). Other superceded methods also retired or unified into the gem for etengine and etmodel
  • User.from_jwt! now also sets identity_user from the token's claims on every call (not just at row creation), so admin/email/roles changes at the identity provider are reflected without waiting for the local row to be recreated.
    • This will need revisiting when we decide: "Who owns user data and when is it passed between apps?"
  • Adds credentialed CORS for the ETM subdomains that call the API with the session cookie, alongside the existing wildcard-origin bearer-token CORS block for PATs.

Related - Goes with the other SSO: Login/Logout PRs:

identity rails
etengine
etmodel
myetm
collections
ETLauncher

Checklist

  • I have tested these changes --> NOTE: These changes were tested on the ETLauncher bridge network. Testing the federated cookie setup on the standard dev setup will not work because cookies cannot be federated across localhost as a domain
  • I have updated documentation as needed (comments only)
  • I have tagged the relevant people for review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant