
Comments (1)

de-jcup commented on May 30, 2024

@Jeeppler

Login mechanism

We will provide UI login by OpenID Connect and technical access via apiToken.

So login to the OpenID provider is necessary for the UI, but not for technical access as done for Jenkins builds using sechub. This means: if the OpenID provider is down, a build server is still able to access sechub...

How do we handle UI login and apiToken access in parallel?

  • WebUI will have its own Spring Boot application (called "UI backend")
  • uiToken is never given to the client side; it only resides in the server session (so well known here)
  • UI backend will communicate with the sechub server via the existing REST API
    • REST calls do not differ: everything possible via the REST API is also available in the UI; only the authentication method differs!
    • OAuth provider will create an access token with a timeout.
    • The access token and timeout information will be stored by the UI backend (bcrypt encrypted like apiToken, but well known inside the user session of the UI backend). Storage will be done via a technical user; maybe a new role "system" is necessary.
    • UI backend must handle 401 by calling the OpenID provider again and resetting the uiToken inside auth

Technology decisions

  • we use a simple MVC approach (Spring Boot standard)
  • Template engine (we use Thymeleaf, which also supports layouts etc.; see https://www.thymeleaf.org/doc/articles/layouts.html)
  • later we will use this UI also for users and owners
  • Basic Auth over HTTPS is also used for UI token handling, so UI and apiToken based access is possible in parallel

Issue-Tracking

  • we will integrate paging on the server side for dedicated use cases via dedicated issues
  • this issue tracker is the main issue and will reference sub-issues

from sechub.
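The flow described in the comment above, as an added sketch that is not SecHub code and not part of the original comment: `SecHubServer`, `UiBackend` and `idp_login` (a callable returning a token and its lifetime in seconds) are hypothetical stand-ins, PBKDF2 replaces the bcrypt named in the comment so the block needs only the standard library, and the `store` call stands for the write done by the technical user.

```python
import base64, hashlib, hmac, secrets

def _hash(token, salt):
    # The comment names bcrypt; PBKDF2 is a standard-library stand-in here.
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 50_000)

def basic(user, token):
    return "Basic " + base64.b64encode(f"{user}:{token}".encode()).decode()

class SecHubServer:
    """Hypothetical stand-in for the REST API: Basic Auth, apiToken or uiToken."""
    def __init__(self):
        self.creds, self.now = {}, 0   # (user, kind) -> (salt, hash, expiry); constructed clock

    def store(self, user, kind, token, expires_at=None):
        salt = secrets.token_bytes(16)
        self.creds[(user, kind)] = (salt, _hash(token, salt), expires_at)

    def rest_call(self, auth_header, path):
        user, _, token = base64.b64decode(auth_header[6:]).decode().partition(":")
        for kind in ("apiToken", "uiToken"):
            salt, digest, exp = self.creds.get((user, kind), (b"", b"", None))
            ok = salt and hmac.compare_digest(digest, _hash(token, salt))
            if ok and (exp is None or self.now < exp):
                return 200, f"{path} ok for {user}"
        return 401, "unauthorized"

class UiBackend:
    """Keeps uiToken in the server-side session; the browser only gets a session id."""
    def __init__(self, server, idp_login):
        self.server, self.idp_login, self.sessions = server, idp_login, {}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user}
        self._renew(sid)
        return sid                      # the only value sent to the client

    def _renew(self, sid):
        s = self.sessions[sid]
        s["uiToken"], ttl = self.idp_login(s["user"])   # OpenID provider round trip
        self.server.store(s["user"], "uiToken", s["uiToken"], self.server.now + ttl)

    def call(self, sid, path):
        s = self.sessions[sid]
        status, body = self.server.rest_call(basic(s["user"], s["uiToken"]), path)
        if status == 401:               # token expired: ask the provider again, retry once
            self._renew(sid)
            status, body = self.server.rest_call(basic(s["user"], s["uiToken"]), path)
        return status, body
```

An apiToken stored without an expiry keeps working with no provider call at all, which is the build-server case the comment describes.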
