Syncing User Access as an Ecosystem Partner
Last updated 15 November 2016
Multiple Heroku users can access an add-on through the Add-ons single sign-on integration. Their authorization for a given add-on is based on the attached app’s permissions.
Today, the SSO integration only tells the add-on partner the Heroku user’s email address. Originally, it was intended that the email address might just be used for display, to indicate that the add-on knows who the user is and that they are authorized. However, add-ons often have their own login systems, or use third-party OAuth to services like GitHub to gain additional capabilities. Add-on parters would like to consolidate these user records with the requests coming in from Add-ons SSO requests. Partners also need to know when to revoke access outside of the typical Add-ons SSO requests when things like third party OAuth logins have been used.
This article shows an implementation of a user access list, utilizing the Unified API for Partners.
- Access and use of the Unified API
- Recording Heroku add-on resource UUIDs on provision or by fetching from the existing Get App Info API endpoint – we highly recommend that you start saving them off of the Get App Info API if you aren’t already, since the resource UUID will never change and is the primary ID for accessing the Unified API.
There are two concepts in Heroku that you must be familiar with to build this functionality.
The first concept is app collaborators. These are users which have been granted access to an app by an app’s owner.
The second concept is an Organization and the organization’s member list. A user can appear on either an app’s collaborators list, or on a member list of an organization which owns an app. You will have to request both the app’s collaborators list and the org members list to build a full list of users with access to an add-on.
To get a full list of Heroku users with access to an app, you’ll need to request:
- GET https://api.heroku.com/addons/:resource_uuid -> grab the app name
- GET /apps/:app_name/collaborators -> A list of app collaborator users
- GET /apps/:app_name -> Check for “organization” object as part of the serialized response, save the Organization’s UUID if present.
- If org app per above: GET /organizations/:org_uuid/members - you’ll want
role: "member"in particular out of this list
To detect whether an app is owned by an org, you will look in
GET /apps/:app_name’s response for an
"organization" object. Pull out the Organization’s UUID from this object. Then request the
GET /organizations/:org_uuid/members endpoint and select the records that have
role: "member" in that list. Combine this list with the app collaborators list from above.
In the future, we’d like to open up some sort of standardized endpoint that indicates what users an add-on has access to through all apps or particular apps, but we don’t have that pattern for indicating access in our API yet. If you have suggestions for how such an endpoint might work, please get in touch with the Ecosystem team.