CPS-VO WebGME Authentication

Any design studio that is embedded on the VO must be served over SSL with a valid certificate signed by a certificate authority (no self-signed certs). We also require that there be documentation with an exemplar to help a user new to the tool get started and familiarize themselves with the features. Lastly, as an open-source platform that exists to promote and share technologies with the goal of advancing science, we ask that source materials for reproducing and validating the setup of the tool are made available so others can setup a local copy if they so desire for offline use.

The following steps are necessary specifically for integrating a WebGME-based design studio:

1. Key Generation

Before enabling authentication we must generate the RSA Keys. These are used by the server to encrypt (the private key) and decrypt (the public key) the tokens containing the user-id. If we do not generate our own keys and set the configuration to use these new keys, the example keys checked into the webgme repo will be used (which of course is a pretty bad idea).

  1. Create a new directory, token_keys, outside of the repository (if not guarded against all files under the cwd of the express server can accessed).
  2. Using openssl (available for windows, the first step is to generate a private key
    openssl genrsa -out token_keys/private_key 1024 
    and from it generated a public key
    openssl rsa -in token_keys/private_key -pubout > token_keys/public_key

2. WebGME Configuration

Once the keys are generated on the webgme server, send the private key to the CPSVO team for WebGME-CPSVO authentication integration.

Add following configuration options on the WebGME for CPS-VO integration example in the file : webgme/config/config.default.js


#enable authentication
config.authentication.enable = true;

#allow users to create projects from V2.12 webgme version
config.authentication.inferredUsersCanCreate = true;

#disable guest authentication
config.authentication.allowGuests = false;

#disable user registration
config.authentication.allowUserRegistration = false;

#Login and logout URLs should point to the CPS_VO_GROUP
config.authentication.logInUrl = 'http://cps-vo.org/group/CPS_VO_GROUP_NAME'
config.authentication.logOutUrl = 'http://cps-vo.org/group/CPS_VO_GROUP_NAME'

#This assumes the keys are placed outside the webgme-app folder. i.e. in the `../../token_keys` directory
config.authentication.jwt.privateKey = path.join(__dirname, '..', '..', 'token_keys', 'private_key');
config.authentication.jwt.publicKey = path.join(__dirname, '..', '..', 'token_keys', 'public_key');