feat: add authentication documentation for REANA JupyterLab extension #35
Conversation
|
|
||
| ## Token Reuse | ||
|
|
||
| The REANA JupyterLab extension automatically reuses your existing VRE-issued JWT access token - the same one that authenticated your current JupyterLab session. **No additional login or authentication steps are required** to start using REANA through the extension. |
There was a problem hiding this comment.
| The REANA JupyterLab extension automatically reuses your existing VRE-issued JWT access token - the same one that authenticated your current JupyterLab session. **No additional login or authentication steps are required** to start using REANA through the extension. | |
| The REANA JupyterLab extension automatically reuses the existing JWT access token issued by the IdP, corresponding to the one that authenticated the current JupyterLab session. **No additional login or authentication steps are required** to start using REANA through the extension. |
There was a problem hiding this comment.
I was unsure how to mention that the token is VRE requested. The VRE initiates the token request itself, hence I have mentioned like this, but I can see that it is incorrect. I will change it to your suggestion
There was a problem hiding this comment.
Thanks! "VRE-issued" it's definitely NOT incorrect (in a sense it is true), but in the perspective of having this documentation usable by a broader audience than the VRE one, I think it's better to generalise the fact that it doesn't matter the token provenance, the only important thing is that it's a valid token :)
|
|
||
| ## Optional Connection Configuration | ||
|
|
||
| You can manually configure the connection to a different REANA instance by: |
There was a problem hiding this comment.
| You can manually configure the connection to a different REANA instance by: | |
| You can still manually configure the connection to a different REANA instance by: |
|
|
||
| 1. Opening the REANA sidebar tab | ||
| 2. Clicking on the connection settings icon | ||
| 3. Entering a custom server URL and/or access token |
There was a problem hiding this comment.
| 3. Entering a custom server URL and/or access token | |
| 3. Entering a custom server URL and access token |
| No refresh token is stored; only the short‑lived access token is passed. | ||
|
|
||
| ### Token storage (UI extension vs CLI) | ||
| UI / JupyterLab extension: |
There was a problem hiding this comment.
| UI / JupyterLab extension: | |
| The UI / JupyterLab extension: |
docs/reana.md
Outdated
| Waiting for authorization... | ||
| ``` | ||
|
|
||
| > **Important:** When using the `reana-client auth` command, please note that the VRE JupyterLab extension may not be automatically updated with your new authentication token. If you're using both the command-line client and the JupyterLab extension, you may need to restart your JupyterLab session for the extension to recognize your new authentication status. |
There was a problem hiding this comment.
| > **Important:** When using the `reana-client auth` command, please note that the VRE JupyterLab extension may not be automatically updated with your new authentication token. If you're using both the command-line client and the JupyterLab extension, you may need to restart your JupyterLab session for the extension to recognize your new authentication status. | |
| :::warning[Important] | |
| When using the `reana-client auth` command, please note that the VRE JupyterLab extension may not be automatically updated with your new authentication token. If you're using both the command-line client and the JupyterLab extension, you may need to restart your JupyterLab session for the extension to recognize your new authentication status. | |
| ::: |
There was a problem hiding this comment.
Also, please have a look at https://github.com/vre-hub/vre-hub.github.io/actions/runs/16969223016/job/48101346774?pr=35
Just ping if you need any Docusaurus related help
This change ensures all packages are the same version to avoid dependency conflicts.
| 2. Checking if you can see your workflows listed | ||
| 3. Opening a workflow detail panel to see its contents | ||
|
|
||
| If these actions succeed, your authentication is working correctly. If you see "unauthorized" errors or empty lists where you expect content, there may be an authentication issue. |
There was a problem hiding this comment.
Is the unauthorized feature developed and implemented ?
There was a problem hiding this comment.
The "unauthorized" message is my assumption for an error message that could appear if something goes wrong.
This PR contains documentation about multiple things that have not been developed and implemented, and I had to assume and think through some of the issues/challenges that may arise. Do you think it could be useful to make the docs more abstract and this paragraph to avoid specific values?
There was a problem hiding this comment.
Small comments, otherwise looks fine to me ! Good job @tomondre !
|
|
||
| ## Token Reuse | ||
|
|
||
| The REANA JupyterLab extension automatically reuses the existing JWT access token issued by the IdP, corresponding to the one that authenticated the current JupyterLab session. **No additional login or authentication steps are required** to start using REANA through the extension. |
There was a problem hiding this comment.
add something like "...the current JupyterLab session - in the case of the VRE, the ESCAPE INDIGO IAM"
|
|
||
| You can still manually configure the connection to a different REANA instance by: | ||
|
|
||
| 1. Opening the REANA sidebar tab |
There was a problem hiding this comment.
- Open Reana JupyterLab by clicking on the REANA icon in the JupyterLab sidebar.
| You can still manually configure the connection to a different REANA instance by: | ||
|
|
||
| 1. Opening the REANA sidebar tab | ||
| 2. Clicking on the connection settings icon |
|
|
||
| 1. Opening the REANA sidebar tab | ||
| 2. Clicking on the connection settings icon | ||
| 3. Entering a custom server URL and access token |
There was a problem hiding this comment.
Enter a REANA server URL and the REANA access token.
| 2. Clicking on the connection settings icon | ||
| 3. Entering a custom server URL and access token | ||
|
|
||
| This is useful if you need to connect to a different REANA instance than the default one configured for VRE. |
There was a problem hiding this comment.
This sentence doesn't add any relevant information.
Please change it with the last paragraph of the page you removed:
After connecting to the REANA server, a notification will appear in the bottom right corner of the screen indicating that the connection was successful. You can now interact with the REANA server from within JupyterLab.
| @@ -5,6 +5,30 @@ Explore Reana on the software's [official documentation](https://docs.reana.io/) | |||
|
|
|||
| You can find other examples of differen workflow languages on the [official Reana documentation](https://docs.reana.io/advanced-usage/access-control/rucio/). | |||
|
|
|||
| # Authentication with reana-client | |||
|
|
|||
| The REANA client provides a command-line interface for authenticating with the REANA server. You can use the `reana-client auth` command which initiates an OAuth 2.0 device flow authentication: | |||
There was a problem hiding this comment.
Please add a link for oauth2.0 so that people can educate themselves, for example
https://auth0.com/intro-to-iam/what-is-oauth-2
or https://oauth.net/2/
(I prefer first link, more user-friendly. Thoughts @Soap2G)
| @@ -65,3 +65,33 @@ kubectl exec -i -t deployment/reana-server -n reana -- flask reana-admin token-g | |||
|
|
|||
| 6. Navigate to `reana-vre.cern.ch` and log in with your IAM credentials. | |||
|
|
|||
| ## JupyterLab REANA Extension Authentication | |||
|
|
|||
| This section explains how the VRE-provided JWT used by the REANA JupyterLab extension is injected, accessed and refreshed (or not) during a user session. | |||
There was a problem hiding this comment.
user friendly explanatory link for JWT too, please.
| No refresh token is stored; only the short‑lived access token is passed. | ||
|
|
||
| ### Token storage (UI extension vs CLI) | ||
| The UI / JupyterLab extension: |
There was a problem hiding this comment.
By UI you mean the Jupyterlba extension, right ? In this case remove UI to avoid misunderstandings, please
| - Uses this token for all API calls to the REANA server. | ||
|
|
||
| CLI (`reana-client`): | ||
| - Loads the token from the REANA config file written at spawn (or later replaced by running `reana-client auth`, which performs an OAuth 2.0 device flow and rewrites the stored token). |
There was a problem hiding this comment.
change it with written "during the spawning of the user session"
| During user pod creation the VRE spawner: | ||
| - Obtains (or reuses) the user's already validated access token. | ||
| - Injects it as an environment variable (`REANA_ACCESS_TOKEN`). | ||
| - Writes a lightweight config file with the token for `reana-client` CLI |
There was a problem hiding this comment.
Add a point at the end of the sentence, please
The main updates provide detailed explanations of how authentication tokens are managed, how users can verify or troubleshoot authentication, and the differences between the UI extension and CLI workflows.