Story #12995
Updated by Peter Amstutz almost 7 years ago
Use case: A user has a new authentication (e.g. Google) account. User has previously logged in using some other authentication account (e.g. LDAP) and already has an Arvados account. User wants to link their existing Arvados account to the new authentication account so that when they log in with the new authentication account, they are logged into their existing Arvados account.

h2. Entry points

# User is logged in to Workbench using old authentication account, selects "link a new authentication method" from menu
# User attempts to log in using new authentication account, gets an inactive account page
# User attempts to log in using new authentication account, is logged into a new active empty account.

h2. Flow for (1)

# On workbench, click on "link new auth method"
# Browser stashes the API token in session storage
# Browser is sent to api_server/logout?return_to=http://workbench/link_accounts?link_to=api_token
# Browser is logged out from API and SSO, and redirected to workbench link_accounts page with "link_to" containing the api token of the old Arvados account
# Workbench redirects browser to api_server/login?return_to=http://workbench/link_accounts?link_to=api_token
# User logs in and browser is sent back to workbench with &api_token=... of new Arvados account
# Workbench now has both the API token of the old account (in session storage), to link to, and an api_token of the newly created, logged-in account
# Browser determines which user account should be merged into the other (based on account creation time, whether it is "empty")
# Browser displays a confirmation page saying what it is about to do (stating that one account will be linked to the other)
# Workbench sends request to API server to link one account to the other (#12626): make the user that owns api_token an alias for the user in link_to
# Workbench sets the link_to API token (the token of the linked account) in the cookie, and presents the user with a "success" page

h2. Flow for (2)

# User is at inactive user page. Text says "if you have logged in with a different account, click here to link your account"
# Browser is sent to api_server/logout?return_to=http://workbench/link_accounts?link_from=api_token
# Browser is logged out from API and SSO, and redirected to workbench link_accounts page with "link_from" containing the api token of the new Arvados account
# Workbench redirects browser to api_server/login?return_to=http://workbench/link_accounts?link_from=api_token
# User logs in and browser is sent back to workbench with &api_token=... of old Arvados account
# Workbench now has both the API token of the account to link from, and an api_token of the old account
# Browser displays a confirmation page saying what it is about to do
# Workbench sends request to API server to make the user that owns link_from an alias for the user in api_token
# Workbench sets the api_token API token in the cookie, and presents the user with a "success" page

h2. Flow for (3)

# In the notifications area of workbench, if the user account seems to be "empty", provide message "if you have logged in with a different account, click here to link your account"
# Do flow for (2)
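The redirect legs and the final link_accounts callback from flows (1) and (2), as an added Python example that is not Arvados code. The function names are hypothetical, the host names are the story's own placeholders, and percent-encoding the nested return_to URL is an assumption about how the link_to / link_from parameter survives the round trip.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder hosts taken from the flows above; not real endpoints.
API = "http://api_server"
WORKBENCH = "http://workbench/link_accounts"

def redirect_url(endpoint, direction, token):
    """Build api_server/<endpoint>?return_to=<link_accounts?direction=token>."""
    if endpoint not in ("logout", "login"):
        raise ValueError("unexpected endpoint")
    if direction not in ("link_to", "link_from"):
        raise ValueError("unexpected direction")
    return_to = WORKBENCH + "?" + urlencode({direction: token})
    # Encode the nested URL so its own query string stays inside return_to.
    return f"{API}/{endpoint}?" + urlencode({"return_to": return_to})

def resolve_link(callback_url):
    """Decide from the final callback who becomes the alias of whom."""
    query = parse_qs(urlsplit(callback_url).query)
    if any(len(values) != 1 for values in query.values()):
        raise ValueError("repeated parameter")
    params = {name: values[0] for name, values in query.items()}
    fresh = params.get("api_token")  # token issued by the login that just ran
    directions = [d for d in ("link_to", "link_from") if d in params]
    if not fresh or len(directions) != 1:
        raise ValueError("need api_token and exactly one of link_to/link_from")
    carried = params[directions[0]]  # token carried through logout and login
    if carried == fresh:
        # Added sanity check, not a step in the story.
        raise ValueError("both tokens are identical; nothing to link")
    if directions[0] == "link_to":
        # Flow (1): owner of api_token becomes an alias for owner of link_to.
        return {"alias": fresh, "primary": carried, "cookie": carried}
    # Flow (2): owner of link_from becomes an alias for owner of api_token.
    return {"alias": carried, "primary": fresh, "cookie": fresh}

if __name__ == "__main__":
    # Constructed tokens for illustration only.
    print(redirect_url("logout", "link_to", "OLDTOKEN"))
    print(resolve_link(WORKBENCH + "?link_to=OLDTOKEN&api_token=NEWTOKEN"))
    print(resolve_link(WORKBENCH + "?link_from=NEWTOKEN&api_token=OLDTOKEN"))
```

In both flows the old account ends up as the primary and its token is the one placed in the cookie; only the parameter that carries it differs.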