Authentication issue on webviz #87
Comments
Could you elaborate?
This needs to be discussed with the webviz team and followed up with them. They should have initiated a discussion with security people regarding what to do.
@asnyv: We discussed this before vacation. One of the problems was that webviz uses HTTPS and installs an SSL cert for you. This doesn't work out of the box on Ubuntu / macOS (missing dependencies). I've additionally not had any success trying to use Firefox. Webviz refuses to run without creating a cert, but I still get the scary SSL page from Firefox, making everything pointless. In our discussion, Anders said that his concern was that users are conditioned to look for the lock icon left of the address bar signifying a secure connection, and that this doesn't exist when using plain HTTP. While HTTP with authentication tokens is entirely secure within Equinor, the user doesn't get confirmation from their browser. He said he'd ask IT security about what to do in that case. Did anything come out of it?
I did a new visual test in Firefox and Chromium (last one was two years ago), and I would say we also from a pedagogical point of view today can safely remove https localhost. Here are my results in recent versions of the two: Firefox address bar for external http (non-localhost): I.e. it is only when clicking on the information logo in Chromium the "Your connection is not secure" appears with recent browser versions. In Firefox even clicking on the logo does not show this for localhost 👍 (they split visual behavior even more between localhost and non-localhost). I would therefore now vote for simply 🔪 away the HTTPS/SSL code in When the code removal in equinor/webviz-config#290 is done, equinor/webviz-config#332 should maybe also be considered (e.g. in some "deprecation period" instruct browser through appropriate header to not use HTTPS on webviz localhost, such that users are not redirected to non-existing https due to "browser memory").
That sounds good @anders-kiaer! Would your team prioritize this issue in the near future - as it will make our lives easier pushing the test of the visualization in ERT to more people.
@oysteoh that might be possible. Near future is of course a very relative term... I have to ask though: If you have the resources and are willing to look into the issues yourselves, we are very open for contributions to Not sure if the challenges in equinor/webviz-config#332 make it necessary to do the two issues in order with some period in between, to avoid that existing webviz+Chrome users are redirected to https anyways? Haven't looked into these issues before myself.
@asnyv we can put this into our priorities now and will have a go at it! If it is not too complicated / time consuming we will fix.
That would be perfect @oysteoh 🤩 Thanks a lot!
Currently the users are getting logged out after a while, and it is not optimal how webviz does authentication. We should poke the webviz team and make sure this is getting solved in a proper way by them, or make an agreement that we will fix it.