gds-sso 9.2.7 → 9.3.0

data/Gemfile

@@ -2,3 +2,10 @@ source "https://rubygems.org"
 
 # Specify your gem's dependencies in gds-sso.gemspec
 gemspec
+
+# The test suite currently assumes a Rails 3.2 client.
+# TODO: Investigate a matrix build against multiple Rails versions.
+gem 'rails', '~> 3.2.19'
+
+## Gems added to resolve dependency resolution
+gem 'mechanize', '2.6.0'

data/lib/gds-sso.rb

@@ -2,6 +2,7 @@ require 'rails'
 
 require 'gds-sso/config'
 require 'gds-sso/warden_config'
+require 'omniauth'
 require 'omniauth-gds'
 
 module GDS
@@ -32,12 +33,8 @@ module GDS
           }
       end
 
-      def self.use_mock_strategies?
-        ['development', 'test'].include?(Rails.env) && ENV['GDS_SSO_STRATEGY'] != 'real'
-      end
-
       def self.default_strategies
-        use_mock_strategies? ? [:mock_gds_sso, :mock_gds_sso_api_access] : [:gds_sso, :gds_bearer_token]
+        Config.use_mock_strategies? ? [:mock_gds_sso, :gds_bearer_token] : [:gds_sso, :gds_bearer_token]
       end
 
       config.app_middleware.use Warden::Manager do |config|

data/lib/gds-sso/bearer_token.rb

@@ -0,0 +1,62 @@
+require 'multi_json'
+require 'oauth2'
+
+module GDS
+  module SSO
+    module BearerToken
+      def self.locate(token_string)
+        access_token = OAuth2::AccessToken.new(oauth_client, token_string)
+        response_body = access_token.get("/user.json?client_id=#{CGI.escape(GDS::SSO::Config.oauth_id)}").body
+        user_details = omniauth_style_response(response_body)
+        GDS::SSO::Config.user_klass.find_for_gds_oauth(user_details)
+      rescue OAuth2::Error
+        nil
+      end
+
+      def self.oauth_client
+        @oauth_client ||= OAuth2::Client.new(
+          GDS::SSO::Config.oauth_id,
+          GDS::SSO::Config.oauth_secret,
+          :site => GDS::SSO::Config.oauth_root_url
+        )
+      end
+
+      # Our User code assumes we're getting our user data back
+      # via omniauth and so receiving it in omniauth's preferred
+      # structure. Here we're addressing signonotron directly so
+      # we need to transform the response ourselves.
+      def self.omniauth_style_response(response_body)
+        input = MultiJson.decode(response_body)['user']
+
+        {
+          'uid' => input['uid'],
+          'info' => {
+            'email' => input['email'],
+            'name' => input['name']
+          },
+          'extra' => {
+            'user' => {
+              'permissions' => input['permissions'],
+              'organisation_slug' => input['organisation_slug'],
+            }
+          }
+        }
+      end
+    end
+
+    module MockBearerToken
+      def self.locate(token_string)
+        dummy_api_user = GDS::SSO.test_user || GDS::SSO::Config.user_klass.where(email: "dummyapiuser@domain.com").first
+        if dummy_api_user.nil?
+          dummy_api_user = GDS::SSO::Config.user_klass.new
+          dummy_api_user.email = "dummyapiuser@domain.com"
+          dummy_api_user.uid = "#{rand(10000)}"
+          dummy_api_user.name = "Dummy API user created by gds-sso"
+          dummy_api_user.permissions = ["signin"]
+          dummy_api_user.save!
+        end
+        dummy_api_user
+      end
+    end
+  end
+end

data/lib/gds-sso/config.rb

@@ -21,6 +21,10 @@ module GDS
       def self.user_klass
         user_model.to_s.constantize
       end
+
+      def self.use_mock_strategies?
+        ['development', 'test'].include?(Rails.env) && ENV['GDS_SSO_STRATEGY'] != 'real'
+      end
     end
   end
 end

data/lib/gds-sso/failure_app.rb

@@ -12,7 +12,9 @@ module GDS
       include Rails.application.routes.url_helpers
 
       def self.call(env)
-        if ! ::GDS::SSO::ApiAccess.api_call?(env)
+        if ::GDS::SSO::ApiAccess.api_call?(env)
+          [ 401, {'WWW-Authenticate' => %(Bearer error="invalid_token") }, [] ]
+        else
           action(:redirect).call(env)
         end
       end

data/lib/gds-sso/version.rb

@@ -1,5 +1,5 @@
 module GDS
   module SSO
-    VERSION = "9.2.7"
+    VERSION = "9.3.0"
   end
 end

data/lib/gds-sso/warden_config.rb

@@ -1,5 +1,6 @@
 require 'warden'
-require 'gds-sso/user'
+require 'warden-oauth2'
+require 'gds-sso/bearer_token'
 
 def logger
   if Rails.logger # if we are actually running in a rails app
@@ -65,82 +66,10 @@ Warden::Strategies.add(:gds_sso) do
   end
 end
 
-Warden::Strategies.add(:gds_bearer_token) do
-  def valid?
-    ::GDS::SSO::ApiAccess.api_call?(env) &&
-      ::GDS::SSO::ApiAccess.oauth_api_call?(env)
-  end
-
-  def authenticate!
-    logger.debug("Authenticating with gds_bearer_token strategy")
-
-    begin
-      access_token = OAuth2::AccessToken.new(oauth_client, token_from_authorization_header)
-      response_body = access_token.get('/user.json').body
-      user_details = omniauth_style_response(response_body)
-      user = prep_user(user_details)
-      success!(user)
-    rescue OAuth2::Error
-      custom!(unauthorized)
-    end
-  end
-
-  def oauth_client
-    @oauth_client ||= OAuth2::Client.new(
-      GDS::SSO::Config.oauth_id,
-      GDS::SSO::Config.oauth_secret,
-      :site => GDS::SSO::Config.oauth_root_url
-    )
-  end
-
-  def token_from_authorization_header
-    env['HTTP_AUTHORIZATION'].gsub(/Bearer /, '')
-  end
-
-  # Our User code assumes we're getting our user data back
-  # via omniauth and so receiving it in omniauth's preferred
-  # structure. Here we're addressing signonotron directly so
-  # we need to transform the response ourselves.
-  #
-  # There may be a way to simplify matters by having this
-  # strategy work via omniauth too but I've not worked out how
-  # to wire that up yet.
-  def omniauth_style_response(response_body)
-    input = MultiJson.decode(response_body)['user']
-
-    {
-      'uid' => input['uid'],
-      'info' => {
-        'email' => input['email'],
-        'name' => input['name']
-      },
-      'extra' => {
-        'user' => {
-          'permissions' => input['permissions'],
-          'organisation_slug' => input['organisation_slug'],
-        }
-      }
-    }
-  end
-
-  def prep_user(auth_hash)
-    user = GDS::SSO::Config.user_klass.find_for_gds_oauth(auth_hash)
-    custom!(unauthorized) unless user
-    user
-  end
-
-  def unauthorized
-    [
-      401,
-      {
-        'Content-Type' => 'text/plain',
-        'Content-Length' => '0',
-        'WWW-Authenticate' => %(Bearer error="invalid_token")
-      },
-      []
-    ]
-  end
+Warden::OAuth2.configure do |config|
+  config.token_model = GDS::SSO::Config.use_mock_strategies? ? GDS::SSO::MockBearerToken : GDS::SSO::BearerToken
 end
+Warden::Strategies.add(:gds_bearer_token, Warden::OAuth2::Strategies::Bearer)
 
 Warden::Strategies.add(:mock_gds_sso) do
   def valid?
@@ -168,27 +97,3 @@ Warden::Strategies.add(:mock_gds_sso) do
     end
   end
 end
-
-Warden::Strategies.add(:mock_gds_sso_api_access) do
-  def valid?
-    ::GDS::SSO::ApiAccess.api_call?(env)
-  end
-
-  def authenticate!
-    logger.debug("Authenticating with mock_gds_sso_api_access strategy")
-    dummy_api_user = GDS::SSO.test_user || GDS::SSO::Config.user_klass.where(email: "dummyapiuser@domain.com").first
-    if dummy_api_user.nil?
-      dummy_api_user = GDS::SSO::Config.user_klass.new(
-        {
-          email: "dummyapiuser@domain.com",
-          uid: "#{rand(10000)}",
-          name: "Dummy API user created by gds-sso"
-        },
-        {as: :oauth}
-      )
-      dummy_api_user.permissions = ["signin"]
-      dummy_api_user.save!
-    end
-    success!(dummy_api_user)
-  end
-end

data/spec/fixtures/integration/authorize_api_users.sql

@@ -1,4 +1,7 @@
 DELETE FROM `oauth_access_tokens`;
 
-INSERT INTO oauth_access_tokens VALUES
-  (NULL, 1, 1, 'caaeb53be5c7277fb0ef158181bfd1537b57f9e3b83eb795be3cd0af6e118b28', '1bc343797483954d7306d67e96687feccdfdaa8b23ed662ae23e2b03e6661d16', 307584000, NULL, '2012-06-27 13:57:47', NULL);
+INSERT INTO oauth_access_tokens (resource_owner_id, application_id, token, refresh_token, expires_in, created_at)
+  VALUES (1, 1, 'caaeb53be5c7277fb0ef158181bfd1537b57f9e3b83eb795be3cd0af6e118b28', '1bc343797483954d7306d67e96687feccdfdaa8b23ed662ae23e2b03e6661d16', 307584000, '2012-06-27 13:57:47');
+
+INSERT INTO oauth_access_tokens (resource_owner_id, application_id, token, refresh_token, expires_in, created_at)
+  VALUES (1, 2, '98c72f4da02fdc43398e029d05567542944d2a9b0df3c20b0accd8bd6c5dc728', 'e2da0489a58219fd4f542139909737627874ceacd2af23f5c268ccecb36e85af', 307584000, '2014-07-14 09:06:14');

data/spec/fixtures/integration/signonotron2.sql

@@ -8,10 +8,16 @@ DELETE FROM `users`;
 -- Setup fixture data
 INSERT INTO `oauth_applications` (id, name, uid, secret, redirect_uri, created_at, updated_at, home_uri, description)
               VALUES (1,'GDS_SSO integration test','gds-sso-test','secret','http://www.example-client.com/auth/gds/callback','2012-04-19 13:26:54','2012-04-19 13:26:54', 'http://home.com', 'GDS_SSO integration test');
+INSERT INTO `oauth_applications` (id, name, uid, secret, redirect_uri, created_at, updated_at, home_uri, description)
+              VALUES (2,'A different appilcation','application-2','different secret','http://www.example-client2.com/auth/gds/callback','2014-07-14-09:07:32','2014-07-14-09:07:32', 'http://www.example-client2.com', '');
+
 INSERT INTO `users` (id, email, encrypted_password, password_salt, created_at, updated_at, confirmed_at, name, uid, role)
               VALUES (1,'test@example-client.com','bb8e19edbaa1e7721abe0faa5c1663a7685950093b8c7eceb0f2e3889bdea4c5f17ca97820b2c663edf46ea532d1a9baa04b680fc537b4de8a3f376dd28e3ffd','MpLsZ8q1UaAojTa6bTC6','2012-04-19 13:26:54','2012-04-19 13:26:54','2012-04-19 13:26:54','Test User','integration-uid', "normal");
-INSERT INTO `permissions` (id, user_id, application_id, permissions) VALUES (1,1,1,"---
+
+INSERT INTO `permissions` (user_id, application_id, permissions) VALUES (1,1,"---
+- signin
+");
+INSERT INTO `permissions` (user_id, application_id, permissions) VALUES (1,2,"---
 - signin
 ");
-
 

data/spec/internal/log/test.log

@@ -1,376 +1,412 @@
 Connecting to database specified by database.yml
-   (18.4ms)  select sqlite_version(*)
-   (13.8ms)  CREATE TABLE "users" ("id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, "name" varchar(255) NOT NULL, "uid" varchar(255) NOT NULL, "email" varchar(255) NOT NULL, "remotely_signed_out" boolean, "permissions" text, "organisation_slug" varchar(255)) 
-   (8.5ms)  CREATE TABLE "schema_migrations" ("version" varchar(255) NOT NULL) 
-   (9.5ms)  CREATE UNIQUE INDEX "unique_schema_migrations" ON "schema_migrations" ("version")
+   (22.7ms)  select sqlite_version(*)
+   (16.0ms)  CREATE TABLE "users" ("id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, "name" varchar(255) NOT NULL, "uid" varchar(255) NOT NULL, "email" varchar(255) NOT NULL, "remotely_signed_out" boolean, "permissions" text, "organisation_slug" varchar(255)) 
+   (8.3ms)  CREATE TABLE "schema_migrations" ("version" varchar(255) NOT NULL) 
+   (9.0ms)  CREATE UNIQUE INDEX "unique_schema_migrations" ON "schema_migrations" ("version")
    (0.1ms)  begin transaction
-  SQL (31.3ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "old@domain.com"], ["name", "Moshua Jarshall"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "a1s2d36908"]]
-   (34.3ms)  commit transaction
+  SQL (4.0ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "old@domain.com"], ["name", "Moshua Jarshall"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "a1s2d36713"]]
+   (13.6ms)  commit transaction
    (0.1ms)  begin transaction
-  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "ssopushuser@legit.com"], ["name", "SSO Push user"], ["organisation_slug", nil], ["permissions", "---\n- signin\n- user_update_permission\n"], ["remotely_signed_out", nil], ["uid", "a1s2d32371"]]
-   (24.5ms)  commit transaction
+  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "ssopushuser@legit.com"], ["name", "SSO Push user"], ["organisation_slug", nil], ["permissions", "---\n- signin\n- user_update_permission\n"], ["remotely_signed_out", nil], ["uid", "a1s2d34124"]]
+   (9.8ms)  commit transaction
 WARNING: Can't mass-assign protected attributes: uid, name, permissions
-Processing by Api::UserController#update as HTML
-  Parameters: {"uid"=>"a1s2d36908"}
-  Rendered /home/jenkins/workspace/govuk_gds_sso/app/views/authorisations/unauthorised.html.erb within layouts/unauthorised (0.3ms)
-Completed 403 Forbidden in 39.8ms (Views: 13.5ms | ActiveRecord: 0.0ms)
+Processing by Api::UserController#reauth as HTML
+  Parameters: {"uid"=>"a1s2d36713"}
+  Rendered /home/jenkins/workspace/govuk_gds_sso/app/views/authorisations/unauthorised.html.erb within layouts/unauthorised (0.2ms)
+Completed 403 Forbidden in 40.0ms (Views: 39.2ms | ActiveRecord: 0.0ms)
    (0.1ms)  begin transaction
-  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "old@domain.com"], ["name", "Moshua Jarshall"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "a1s2d38535"]]
-   (12.5ms)  commit transaction
+  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "old@domain.com"], ["name", "Moshua Jarshall"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "a1s2d36796"]]
+   (10.5ms)  commit transaction
    (0.1ms)  begin transaction
-  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "ssopushuser@legit.com"], ["name", "SSO Push user"], ["organisation_slug", nil], ["permissions", "---\n- signin\n- user_update_permission\n"], ["remotely_signed_out", nil], ["uid", "a1s2d37781"]]
-   (10.3ms)  commit transaction
+  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "ssopushuser@legit.com"], ["name", "SSO Push user"], ["organisation_slug", nil], ["permissions", "---\n- signin\n- user_update_permission\n"], ["remotely_signed_out", nil], ["uid", "a1s2d33045"]]
+   (11.3ms)  commit transaction
+Processing by Api::UserController#reauth as HTML
+  Parameters: {"uid"=>"nonexistent-user"}
+  User Load (0.3ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'nonexistent-user' LIMIT 1
+Completed 200 OK in 6.1ms (ActiveRecord: 0.3ms)
+   (0.1ms)  begin transaction
+  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "old@domain.com"], ["name", "Moshua Jarshall"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "a1s2d34574"]]
+   (10.8ms)  commit transaction
+   (0.1ms)  begin transaction
+  SQL (0.1ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "ssopushuser@legit.com"], ["name", "SSO Push user"], ["organisation_slug", nil], ["permissions", "---\n- signin\n- user_update_permission\n"], ["remotely_signed_out", nil], ["uid", "a1s2d32625"]]
+   (11.6ms)  commit transaction
+Processing by Api::UserController#reauth as HTML
+  Parameters: {"uid"=>"a1s2d34574"}
+  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'a1s2d34574' LIMIT 1
+   (0.0ms)  begin transaction
+   (0.2ms)  UPDATE "users" SET "remotely_signed_out" = 't', "permissions" = '---
+- signin
+' WHERE "users"."id" = 5
+   (13.8ms)  commit transaction
+Completed 200 OK in 17.9ms (ActiveRecord: 14.2ms)
+  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 5]]
+   (0.1ms)  begin transaction
+  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "old@domain.com"], ["name", "Moshua Jarshall"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "a1s2d34826"]]
+   (12.4ms)  commit transaction
+   (0.0ms)  begin transaction
+  SQL (0.1ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "ssopushuser@legit.com"], ["name", "SSO Push user"], ["organisation_slug", nil], ["permissions", "---\n- signin\n- user_update_permission\n"], ["remotely_signed_out", nil], ["uid", "a1s2d35052"]]
+   (23.7ms)  commit transaction
 Processing by Api::UserController#update as HTML
-  Parameters: {"uid"=>"a1s2d38535"}
-  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'a1s2d38535' LIMIT 1
+  Parameters: {"uid"=>"a1s2d34826"}
+  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'a1s2d34826' LIMIT 1
    (0.0ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "email" = 'user@domain.com', "name" = 'Joshua Marshall', "permissions" = '---
 - signin
 - new permission
-', "organisation_slug" = 'justice-league' WHERE "users"."id" = 3
-   (13.6ms)  commit transaction
-Completed 200 OK in 21.3ms (ActiveRecord: 14.0ms)
-  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 3]]
+', "organisation_slug" = 'justice-league' WHERE "users"."id" = 7
+   (11.1ms)  commit transaction
+Completed 200 OK in 14.9ms (ActiveRecord: 11.5ms)
+  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 7]]
    (0.1ms)  begin transaction
-  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "old@domain.com"], ["name", "Moshua Jarshall"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "a1s2d37830"]]
-   (12.2ms)  commit transaction
+  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "old@domain.com"], ["name", "Moshua Jarshall"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "a1s2d31326"]]
+   (12.4ms)  commit transaction
    (0.1ms)  begin transaction
-  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "ssopushuser@legit.com"], ["name", "SSO Push user"], ["organisation_slug", nil], ["permissions", "---\n- signin\n- user_update_permission\n"], ["remotely_signed_out", nil], ["uid", "a1s2d32204"]]
-   (10.5ms)  commit transaction
+  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "ssopushuser@legit.com"], ["name", "SSO Push user"], ["organisation_slug", nil], ["permissions", "---\n- signin\n- user_update_permission\n"], ["remotely_signed_out", nil], ["uid", "a1s2d35875"]]
+   (11.9ms)  commit transaction
 WARNING: Can't mass-assign protected attributes: uid, name, permissions
-Processing by Api::UserController#reauth as HTML
-  Parameters: {"uid"=>"a1s2d37830"}
-Completed 403 Forbidden in 1.5ms (Views: 0.9ms | ActiveRecord: 0.0ms)
+Processing by Api::UserController#update as HTML
+  Parameters: {"uid"=>"a1s2d31326"}
+Completed 403 Forbidden in 1.4ms (Views: 0.9ms | ActiveRecord: 0.0ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:52 +0000
+Processing by ExampleController#restricted as JSON
+Completed   in 231.0ms
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:52 +0000
+Processing by ExampleController#restricted as JSON
+  User Load (0.3ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
+  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."email" = 'test@example-client.com' LIMIT 1
    (0.1ms)  begin transaction
-  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "old@domain.com"], ["name", "Moshua Jarshall"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "a1s2d31716"]]
-   (14.8ms)  commit transaction
+  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "test@example-client.com"], ["name", "Test User"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "integration-uid"]]
+   (13.4ms)  commit transaction
+  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
+   (0.0ms)  begin transaction
+   (0.2ms)  UPDATE "users" SET "permissions" = '---
+- signin
+' WHERE "users"."id" = 11
+   (10.9ms)  commit transaction
+  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
+   (0.0ms)  begin transaction
+   (0.2ms)  UPDATE "users" SET "permissions" = '---
+- signin
+' WHERE "users"."id" = 11
+   (10.5ms)  commit transaction
+  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
+   (0.0ms)  begin transaction
+   (0.2ms)  UPDATE "users" SET "permissions" = '---
+- signin
+' WHERE "users"."id" = 11
+   (11.9ms)  commit transaction
+   (0.0ms)  begin transaction
+   (0.1ms)  UPDATE "users" SET "remotely_signed_out" = 'f', "permissions" = '---
+- signin
+' WHERE "users"."id" = 11
+   (8.2ms)  commit transaction
+Completed 200 OK in 583.8ms (Views: 3.0ms | ActiveRecord: 56.9ms)
+Started GET "/this_requires_signin_permission" for 127.0.0.1 at 2014-07-18 13:10:53 +0000
+Processing by ExampleController#this_requires_signin_permission as JSON
+  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
    (0.1ms)  begin transaction
-  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "ssopushuser@legit.com"], ["name", "SSO Push user"], ["organisation_slug", nil], ["permissions", "---\n- signin\n- user_update_permission\n"], ["remotely_signed_out", nil], ["uid", "a1s2d31621"]]
-   (12.3ms)  commit transaction
-Processing by Api::UserController#reauth as HTML
-  Parameters: {"uid"=>"nonexistent-user"}
-  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'nonexistent-user' LIMIT 1
-Completed 200 OK in 1.1ms (ActiveRecord: 0.2ms)
+   (0.2ms)  UPDATE "users" SET "permissions" = '---
+- signin
+' WHERE "users"."id" = 11
+   (10.0ms)  commit transaction
+  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
    (0.0ms)  begin transaction
-  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "old@domain.com"], ["name", "Moshua Jarshall"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "a1s2d3573"]]
-   (15.8ms)  commit transaction
-   (0.1ms)  begin transaction
-  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "ssopushuser@legit.com"], ["name", "SSO Push user"], ["organisation_slug", nil], ["permissions", "---\n- signin\n- user_update_permission\n"], ["remotely_signed_out", nil], ["uid", "a1s2d35885"]]
-   (13.5ms)  commit transaction
-Processing by Api::UserController#reauth as HTML
-  Parameters: {"uid"=>"a1s2d3573"}
-  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'a1s2d3573' LIMIT 1
+   (0.1ms)  UPDATE "users" SET "permissions" = '---
+- signin
+' WHERE "users"."id" = 11
+   (10.6ms)  commit transaction
+  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
+   (0.0ms)  begin transaction
+   (0.1ms)  UPDATE "users" SET "permissions" = '---
+- signin
+' WHERE "users"."id" = 11
+   (9.4ms)  commit transaction
+  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
+   (0.1ms)  begin transaction
+   (0.1ms)  UPDATE "users" SET "permissions" = '---
+- signin
+' WHERE "users"."id" = 11
+   (9.4ms)  commit transaction
    (0.0ms)  begin transaction
-   (0.2ms)  UPDATE "users" SET "remotely_signed_out" = 't', "permissions" = '---
+   (0.1ms)  UPDATE "users" SET "permissions" = '---
 - signin
-' WHERE "users"."id" = 9
-   (13.3ms)  commit transaction
-Completed 200 OK in 16.6ms (ActiveRecord: 13.7ms)
-  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 9]]
-Started GET "/" for 127.0.0.1 at 2014-05-28 10:01:15 +0000
+' WHERE "users"."id" = 11
+   (8.9ms)  commit transaction
+Completed 200 OK in 209.9ms (Views: 0.5ms | ActiveRecord: 49.9ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:53 +0000
+Processing by ExampleController#restricted as JSON
+Completed   in 22.9ms
+Started GET "/" for 127.0.0.1 at 2014-07-18 13:10:54 +0000
 Processing by ExampleController#index as HTML
-Completed 200 OK in 3.4ms (Views: 2.9ms | ActiveRecord: 0.0ms)
-Started GET "/this_requires_signin_permission" for 127.0.0.1 at 2014-05-28 10:01:16 +0000
-Processing by ExampleController#this_requires_signin_permission as HTML
+Completed 200 OK in 0.8ms (Views: 0.4ms | ActiveRecord: 0.0ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:54 +0000
+Processing by ExampleController#restricted as HTML
 Authenticating with gds_sso strategy
-Completed   in 38.9ms
-Started GET "/auth/gds" for 127.0.0.1 at 2014-05-28 10:01:16 +0000
-Started GET "/auth/gds/callback?code=faf6aab82246cb23fef1879ead32e8505144ef734fb2432626a0667d3af46c76&state=0d6136bf4b8f56ea9bca777052b46067399c6d0703a7d78a" for 127.0.0.1 at 2014-05-28 10:01:17 +0000
+Completed   in 0.3ms
+Started GET "/auth/gds" for 127.0.0.1 at 2014-07-18 13:10:54 +0000
+Started GET "/auth/gds/callback?code=5975db777d300dea19d732e349a1e11f7a32642833159c9df9906db5ffb9baa2&state=f0484e1e5be76776d650d5e35cf7a598239a5b50461aa916" for 127.0.0.1 at 2014-07-18 13:10:55 +0000
 Processing by AuthenticationsController#callback as HTML
-  Parameters: {"code"=>"faf6aab82246cb23fef1879ead32e8505144ef734fb2432626a0667d3af46c76", "state"=>"0d6136bf4b8f56ea9bca777052b46067399c6d0703a7d78a"}
+  Parameters: {"code"=>"5975db777d300dea19d732e349a1e11f7a32642833159c9df9906db5ffb9baa2", "state"=>"f0484e1e5be76776d650d5e35cf7a598239a5b50461aa916"}
 Authenticating with gds_sso strategy
-  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
-  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."email" = 'test@example-client.com' LIMIT 1
+  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
    (0.1ms)  begin transaction
-  SQL (0.2ms)  INSERT INTO "users" ("email", "name", "organisation_slug", "permissions", "remotely_signed_out", "uid") VALUES (?, ?, ?, ?, ?, ?)  [["email", "test@example-client.com"], ["name", "Test User"], ["organisation_slug", nil], ["permissions", "---\n- signin\n"], ["remotely_signed_out", nil], ["uid", "integration-uid"]]
-   (21.7ms)  commit transaction
-   (0.1ms)  begin transaction
-   (0.2ms)  UPDATE "users" SET "remotely_signed_out" = 'f', "permissions" = '---
+   (0.2ms)  UPDATE "users" SET "permissions" = '---
+- signin
+' WHERE "users"."id" = 11
+   (9.1ms)  commit transaction
+   (0.0ms)  begin transaction
+   (0.1ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (13.8ms)  commit transaction
-Redirected to http://www.example-client.com/this_requires_signin_permission
-Completed 302 Found in 42.2ms (ActiveRecord: 36.3ms)
-Started GET "/this_requires_signin_permission" for 127.0.0.1 at 2014-05-28 10:01:17 +0000
-Processing by ExampleController#this_requires_signin_permission as HTML
+   (10.0ms)  commit transaction
+Redirected to http://www.example-client.com/restricted
+Completed 302 Found in 24.6ms (ActiveRecord: 19.7ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:55 +0000
+Processing by ExampleController#restricted as HTML
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
-Completed 200 OK in 1.8ms (Views: 0.4ms | ActiveRecord: 0.2ms)
-Started GET "/this_requires_signin_permission" for 127.0.0.1 at 2014-05-28 10:01:17 +0000
-Processing by ExampleController#this_requires_signin_permission as HTML
+Completed 200 OK in 1.4ms (Views: 0.4ms | ActiveRecord: 0.2ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:55 +0000
+Processing by ExampleController#restricted as HTML
 Authenticating with gds_sso strategy
-Completed   in 0.2ms
-Started GET "/auth/gds" for 127.0.0.1 at 2014-05-28 10:01:17 +0000
-Started GET "/auth/gds/callback?code=29b5e159e6fb693ebc12b812a4565419724e8690ba041aedf91176d321b70320&state=6ced3aac4b4c56591263d743d0998eae8fb01fbcdd1473c4" for 127.0.0.1 at 2014-05-28 10:01:18 +0000
+Completed   in 0.3ms
+Started GET "/auth/gds" for 127.0.0.1 at 2014-07-18 13:10:55 +0000
+Started GET "/auth/gds/callback?code=5afbdc652a40e339df83fd3b72dd1e08ac20c9e65887be4a919fb40b4b7658b4&state=f850257ee9f2c743b5ea0ee0f0360b96158b629566127ccc" for 127.0.0.1 at 2014-07-18 13:10:55 +0000
 Processing by AuthenticationsController#callback as HTML
-  Parameters: {"code"=>"29b5e159e6fb693ebc12b812a4565419724e8690ba041aedf91176d321b70320", "state"=>"6ced3aac4b4c56591263d743d0998eae8fb01fbcdd1473c4"}
+  Parameters: {"code"=>"5afbdc652a40e339df83fd3b72dd1e08ac20c9e65887be4a919fb40b4b7658b4", "state"=>"f850257ee9f2c743b5ea0ee0f0360b96158b629566127ccc"}
 Authenticating with gds_sso strategy
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
-   (0.0ms)  begin transaction
+   (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (15.1ms)  commit transaction
+   (11.7ms)  commit transaction
    (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (9.8ms)  commit transaction
-Redirected to http://www.example-client.com/this_requires_signin_permission
-Completed 302 Found in 29.9ms (ActiveRecord: 25.5ms)
-Started GET "/this_requires_signin_permission" for 127.0.0.1 at 2014-05-28 10:01:18 +0000
-Processing by ExampleController#this_requires_signin_permission as HTML
+   (8.0ms)  commit transaction
+Redirected to http://www.example-client.com/restricted
+Completed 302 Found in 25.3ms (ActiveRecord: 20.4ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:55 +0000
+Processing by ExampleController#restricted as HTML
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
-Completed 200 OK in 1.5ms (Views: 0.3ms | ActiveRecord: 0.2ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:18 +0000
+Completed 200 OK in 1.3ms (Views: 0.4ms | ActiveRecord: 0.2ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:55 +0000
 Processing by ExampleController#restricted as HTML
 Authenticating with gds_sso strategy
-Completed   in 0.6ms
-Started GET "/auth/gds" for 127.0.0.1 at 2014-05-28 10:01:18 +0000
-Started GET "/auth/gds/callback?code=395fdc86b83c4935e168b413a3f2f4f56214dc097f7cd0e2dd20d4b87ad57316&state=05f426033c7da87aac3fd1d66714bd72bb90a0f541feedab" for 127.0.0.1 at 2014-05-28 10:01:18 +0000
+Completed   in 0.2ms
+Started GET "/auth/gds" for 127.0.0.1 at 2014-07-18 13:10:55 +0000
+Started GET "/auth/gds/callback?code=e41b27b6bcd8d06e7f62f794a6254edcefe1463a770a5b048a3399da9b3d2456&state=f3c6d7b10c576e26ffcac9aa2e24a60fc0764fe6b5843d3f" for 127.0.0.1 at 2014-07-18 13:10:56 +0000
 Processing by AuthenticationsController#callback as HTML
-  Parameters: {"code"=>"395fdc86b83c4935e168b413a3f2f4f56214dc097f7cd0e2dd20d4b87ad57316", "state"=>"05f426033c7da87aac3fd1d66714bd72bb90a0f541feedab"}
+  Parameters: {"code"=>"e41b27b6bcd8d06e7f62f794a6254edcefe1463a770a5b048a3399da9b3d2456", "state"=>"f3c6d7b10c576e26ffcac9aa2e24a60fc0764fe6b5843d3f"}
 Authenticating with gds_sso strategy
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
-   (0.1ms)  begin transaction
-   (0.2ms)  UPDATE "users" SET "permissions" = '---
+   (0.0ms)  begin transaction
+   (0.3ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (13.2ms)  commit transaction
+   (21.5ms)  commit transaction
    (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (12.7ms)  commit transaction
+   (14.7ms)  commit transaction
 Redirected to http://www.example-client.com/restricted
-Completed 302 Found in 32.2ms (ActiveRecord: 26.6ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:18 +0000
+Completed 302 Found in 68.1ms (ActiveRecord: 36.9ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:56 +0000
 Processing by ExampleController#restricted as HTML
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
-Completed 200 OK in 1.7ms (Views: 0.4ms | ActiveRecord: 0.2ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:18 +0000
-Processing by ExampleController#restricted as HTML
+Completed 200 OK in 1.7ms (Views: 0.3ms | ActiveRecord: 0.2ms)
+Started GET "/this_requires_signin_permission" for 127.0.0.1 at 2014-07-18 13:10:56 +0000
+Processing by ExampleController#this_requires_signin_permission as HTML
 Authenticating with gds_sso strategy
 Completed   in 0.3ms
-Started GET "/auth/gds" for 127.0.0.1 at 2014-05-28 10:01:18 +0000
-Started GET "/auth/gds/callback?code=287809a753f9fab30b73667a774f37a2cf7262312f41aecb9467052f2808769d&state=65566e10cd35a26c965c9b3260d3b111c952d6beea198613" for 127.0.0.1 at 2014-05-28 10:01:19 +0000
+Started GET "/auth/gds" for 127.0.0.1 at 2014-07-18 13:10:56 +0000
+Started GET "/auth/gds/callback?code=210b5d58b9ffe1bea1b9de5e2d153fd780f008363d642524024c378b62238e07&state=26b44a48b59d4ec1f55b4d079dcd744ffe007801fb59c273" for 127.0.0.1 at 2014-07-18 13:10:56 +0000
 Processing by AuthenticationsController#callback as HTML
-  Parameters: {"code"=>"287809a753f9fab30b73667a774f37a2cf7262312f41aecb9467052f2808769d", "state"=>"65566e10cd35a26c965c9b3260d3b111c952d6beea198613"}
+  Parameters: {"code"=>"210b5d58b9ffe1bea1b9de5e2d153fd780f008363d642524024c378b62238e07", "state"=>"26b44a48b59d4ec1f55b4d079dcd744ffe007801fb59c273"}
 Authenticating with gds_sso strategy
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
    (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (11.0ms)  commit transaction
+   (10.3ms)  commit transaction
    (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (9.0ms)  commit transaction
-Redirected to http://www.example-client.com/restricted
-Completed 302 Found in 26.5ms (ActiveRecord: 20.8ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:19 +0000
-Processing by ExampleController#restricted as HTML
+   (8.9ms)  commit transaction
+Redirected to http://www.example-client.com/this_requires_signin_permission
+Completed 302 Found in 24.5ms (ActiveRecord: 19.8ms)
+Started GET "/this_requires_signin_permission" for 127.0.0.1 at 2014-07-18 13:10:56 +0000
+Processing by ExampleController#this_requires_signin_permission as HTML
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
-Completed 200 OK in 1.7ms (Views: 0.5ms | ActiveRecord: 0.2ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:19 +0000
-Processing by ExampleController#restricted as HTML
+Completed 200 OK in 1.7ms (Views: 0.4ms | ActiveRecord: 0.2ms)
+Started GET "/this_requires_signin_permission" for 127.0.0.1 at 2014-07-18 13:10:56 +0000
+Processing by ExampleController#this_requires_signin_permission as HTML
 Authenticating with gds_sso strategy
 Completed   in 0.2ms
-Started GET "/auth/gds" for 127.0.0.1 at 2014-05-28 10:01:19 +0000
-Started GET "/auth/gds/callback?code=07998a069ae35cedf19d2ae351243b8852a5c1be8d02659290c0b411f9abd216&state=b7048d5a343fc6946e7fd6419d0b458e53890e0e1ed0fe3b" for 127.0.0.1 at 2014-05-28 10:01:19 +0000
+Started GET "/auth/gds" for 127.0.0.1 at 2014-07-18 13:10:56 +0000
+Started GET "/auth/gds/callback?code=a3b9018ca8bd15809018c13c3647e342178769d152181e7577286d8c69ccb98e&state=a53779c75892eac4775139c3bad3dc74c7df9965c47b22ee" for 127.0.0.1 at 2014-07-18 13:10:57 +0000
 Processing by AuthenticationsController#callback as HTML
-  Parameters: {"code"=>"07998a069ae35cedf19d2ae351243b8852a5c1be8d02659290c0b411f9abd216", "state"=>"b7048d5a343fc6946e7fd6419d0b458e53890e0e1ed0fe3b"}
+  Parameters: {"code"=>"a3b9018ca8bd15809018c13c3647e342178769d152181e7577286d8c69ccb98e", "state"=>"a53779c75892eac4775139c3bad3dc74c7df9965c47b22ee"}
 Authenticating with gds_sso strategy
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
    (0.0ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (15.0ms)  commit transaction
+   (11.4ms)  commit transaction
    (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (12.2ms)  commit transaction
-Redirected to http://www.example-client.com/restricted
-Completed 302 Found in 32.3ms (ActiveRecord: 27.8ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:19 +0000
-Processing by ExampleController#restricted as HTML
-  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
-Completed 200 OK in 1.5ms (Views: 0.3ms | ActiveRecord: 0.2ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:19 +0000
+   (6.4ms)  commit transaction
+Redirected to http://www.example-client.com/this_requires_signin_permission
+Completed 302 Found in 22.8ms (ActiveRecord: 18.5ms)
+Started GET "/this_requires_signin_permission" for 127.0.0.1 at 2014-07-18 13:10:57 +0000
+Processing by ExampleController#this_requires_signin_permission as HTML
+  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
+Completed 200 OK in 1.5ms (Views: 0.3ms | ActiveRecord: 0.1ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:57 +0000
 Processing by ExampleController#restricted as HTML
 Authenticating with gds_sso strategy
-Completed   in 0.4ms
-Started GET "/auth/gds" for 127.0.0.1 at 2014-05-28 10:01:19 +0000
-Started GET "/auth/gds/callback?code=3b6e908312a657f10f1707f88805d4b7f3ca33eed1692822ab5537384849292e&state=22c2ad34c40644a633fe408a01f949947306e62bfd39938c" for 127.0.0.1 at 2014-05-28 10:01:19 +0000
+Completed   in 0.3ms
+Started GET "/auth/gds" for 127.0.0.1 at 2014-07-18 13:10:57 +0000
+Started GET "/auth/gds/callback?code=f43f0a109a92ca6da4462731e056222aeb34085532afdc2dbbdeee8765b3bb1b&state=2b9882146c18215fb72946ccba69fbfec2f5c728e691eefa" for 127.0.0.1 at 2014-07-18 13:10:57 +0000
 Processing by AuthenticationsController#callback as HTML
-  Parameters: {"code"=>"3b6e908312a657f10f1707f88805d4b7f3ca33eed1692822ab5537384849292e", "state"=>"22c2ad34c40644a633fe408a01f949947306e62bfd39938c"}
+  Parameters: {"code"=>"f43f0a109a92ca6da4462731e056222aeb34085532afdc2dbbdeee8765b3bb1b", "state"=>"2b9882146c18215fb72946ccba69fbfec2f5c728e691eefa"}
 Authenticating with gds_sso strategy
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
    (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (11.4ms)  commit transaction
+   (17.2ms)  commit transaction
    (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (13.6ms)  commit transaction
+   (7.8ms)  commit transaction
 Redirected to http://www.example-client.com/restricted
-Completed 302 Found in 31.1ms (ActiveRecord: 25.6ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:20 +0000
+Completed 302 Found in 30.9ms (ActiveRecord: 25.6ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:57 +0000
 Processing by ExampleController#restricted as HTML
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
-Completed 200 OK in 1.6ms (Views: 0.4ms | ActiveRecord: 0.2ms)
-  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."email" = 'test@example-client.com' LIMIT 1
-   (0.1ms)  begin transaction
-   (0.2ms)  UPDATE "users" SET "remotely_signed_out" = 't', "permissions" = '---
-- signin
-' WHERE "users"."id" = 11
-   (16.4ms)  commit transaction
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:20 +0000
+Completed 200 OK in 1.7ms (Views: 0.4ms | ActiveRecord: 0.2ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-19 09:05:57 +0000
 Processing by ExampleController#restricted as HTML
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
+Completed 200 OK in 2.0ms (Views: 0.4ms | ActiveRecord: 0.2ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:58 +0000
+Processing by ExampleController#restricted as HTML
 Authenticating with gds_sso strategy
-Completed   in 1.2ms
-Started GET "/auth/gds" for 127.0.0.1 at 2014-05-28 10:01:20 +0000
-Started GET "/auth/gds/callback?code=59f3ff77264922e41505a1d74edf5086fb9c0ab0ce7eaeda35e3eb9c5e1d73f5&state=50445985dfd8188201ecf12097a6d45fd8b2fb4a1567d8a5" for 127.0.0.1 at 2014-05-28 10:01:20 +0000
+Completed   in 0.4ms
+Started GET "/auth/gds" for 127.0.0.1 at 2014-07-18 13:10:58 +0000
+Started GET "/auth/gds/callback?code=6e86a5ac211079540a91bd24d9e2d288bf63eca3eae8d673175e32e32e7f7130&state=9d588c1b54ad3155f986f4faaed309143cc4ccb34810385e" for 127.0.0.1 at 2014-07-18 13:10:58 +0000
 Processing by AuthenticationsController#callback as HTML
-  Parameters: {"code"=>"59f3ff77264922e41505a1d74edf5086fb9c0ab0ce7eaeda35e3eb9c5e1d73f5", "state"=>"50445985dfd8188201ecf12097a6d45fd8b2fb4a1567d8a5"}
+  Parameters: {"code"=>"6e86a5ac211079540a91bd24d9e2d288bf63eca3eae8d673175e32e32e7f7130", "state"=>"9d588c1b54ad3155f986f4faaed309143cc4ccb34810385e"}
 Authenticating with gds_sso strategy
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
-   (0.0ms)  begin transaction
+   (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (17.5ms)  commit transaction
-   (0.1ms)  begin transaction
-   (0.2ms)  UPDATE "users" SET "remotely_signed_out" = 'f', "permissions" = '---
+   (11.8ms)  commit transaction
+   (0.0ms)  begin transaction
+   (0.1ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (15.5ms)  commit transaction
+   (12.0ms)  commit transaction
 Redirected to http://www.example-client.com/restricted
-Completed 302 Found in 39.0ms (ActiveRecord: 33.7ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:20 +0000
+Completed 302 Found in 28.9ms (ActiveRecord: 24.4ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:58 +0000
 Processing by ExampleController#restricted as HTML
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
-Completed 200 OK in 1.4ms (Views: 0.3ms | ActiveRecord: 0.2ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:20 +0000
+Completed 200 OK in 1.4ms (Views: 0.4ms | ActiveRecord: 0.2ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-19 09:15:58 +0000
 Processing by ExampleController#restricted as HTML
 Authenticating with gds_sso strategy
 Completed   in 0.3ms
-Started GET "/auth/gds" for 127.0.0.1 at 2014-05-28 10:01:20 +0000
-Started GET "/auth/gds/callback?code=15a391624cbed2a7b33d9678b6534883c9fa02949bb1c08fde5cbccbc4eacee5&state=9d596518fffb5957e71141544b4f3252a3bc869f5e279de7" for 127.0.0.1 at 2014-05-28 10:01:20 +0000
+Started GET "/auth/gds" for 127.0.0.1 at 2014-07-19 09:15:58 +0000
+Started GET "/auth/gds/callback?code=1a3140979bcf7b3277dcf0246e252c3b07673b16c0960dc9fd11d5338079cd09&state=8abd43f4c4bf907ae34f3f3fc4b6e88f0dddc47b7304c202" for 127.0.0.1 at 2014-07-19 09:15:58 +0000
 Processing by AuthenticationsController#callback as HTML
-  Parameters: {"code"=>"15a391624cbed2a7b33d9678b6534883c9fa02949bb1c08fde5cbccbc4eacee5", "state"=>"9d596518fffb5957e71141544b4f3252a3bc869f5e279de7"}
+  Parameters: {"code"=>"1a3140979bcf7b3277dcf0246e252c3b07673b16c0960dc9fd11d5338079cd09", "state"=>"8abd43f4c4bf907ae34f3f3fc4b6e88f0dddc47b7304c202"}
 Authenticating with gds_sso strategy
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
    (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (13.4ms)  commit transaction
+   (15.0ms)  commit transaction
    (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (16.3ms)  commit transaction
+   (11.3ms)  commit transaction
 Redirected to http://www.example-client.com/restricted
-Completed 302 Found in 35.5ms (ActiveRecord: 30.3ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:20 +0000
+Completed 302 Found in 31.0ms (ActiveRecord: 26.9ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-19 09:15:58 +0000
 Processing by ExampleController#restricted as HTML
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
-Completed 200 OK in 1.6ms (Views: 0.4ms | ActiveRecord: 0.2ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-29 06:06:20 +0000
+Completed 200 OK in 1.2ms (Views: 0.2ms | ActiveRecord: 0.2ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:58 +0000
 Processing by ExampleController#restricted as HTML
 Authenticating with gds_sso strategy
-Completed   in 0.4ms
-Started GET "/auth/gds" for 127.0.0.1 at 2014-05-29 06:06:20 +0000
-Started GET "/auth/gds/callback?code=d6c80119d54145028f227274fa51d0be7788905b5790e0e026c6d302cb055057&state=cfcca15c646ccb5a2b880827fde549c146abf61232b26b77" for 127.0.0.1 at 2014-05-29 06:06:20 +0000
+Completed   in 0.3ms
+Started GET "/auth/gds" for 127.0.0.1 at 2014-07-18 13:10:58 +0000
+Started GET "/auth/gds/callback?code=03ef9abbd28b603a14ae6a14831ed972f90eee81c8b20b544aede2bd0aadb37c&state=61f2c111d40be99abb1c0fb13cf6da10cdeff618b7847110" for 127.0.0.1 at 2014-07-18 13:10:59 +0000
 Processing by AuthenticationsController#callback as HTML
-  Parameters: {"code"=>"d6c80119d54145028f227274fa51d0be7788905b5790e0e026c6d302cb055057", "state"=>"cfcca15c646ccb5a2b880827fde549c146abf61232b26b77"}
+  Parameters: {"code"=>"03ef9abbd28b603a14ae6a14831ed972f90eee81c8b20b544aede2bd0aadb37c", "state"=>"61f2c111d40be99abb1c0fb13cf6da10cdeff618b7847110"}
 Authenticating with gds_sso strategy
-  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
+  User Load (0.3ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
    (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (10.3ms)  commit transaction
+   (15.6ms)  commit transaction
    (0.1ms)  begin transaction
-   (0.1ms)  UPDATE "users" SET "permissions" = '---
+   (0.3ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (12.6ms)  commit transaction
+   (11.1ms)  commit transaction
 Redirected to http://www.example-client.com/restricted
-Completed 302 Found in 27.3ms (ActiveRecord: 23.5ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-29 06:06:21 +0000
+Completed 302 Found in 59.3ms (ActiveRecord: 27.6ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:59 +0000
 Processing by ExampleController#restricted as HTML
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
-Completed 200 OK in 1.3ms (Views: 0.2ms | ActiveRecord: 0.2ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:21 +0000
-Processing by ExampleController#restricted as HTML
-Authenticating with gds_sso strategy
-Completed   in 0.4ms
-Started GET "/auth/gds" for 127.0.0.1 at 2014-05-28 10:01:21 +0000
-Started GET "/auth/gds/callback?code=bab47efe786ae1e03f7b8d1d151976af33314e80eb553d5fbd313d66f6d55406&state=88b33e9f9c7d2f5a6259251aea3570197a7dc407d8421f02" for 127.0.0.1 at 2014-05-28 10:01:21 +0000
-Processing by AuthenticationsController#callback as HTML
-  Parameters: {"code"=>"bab47efe786ae1e03f7b8d1d151976af33314e80eb553d5fbd313d66f6d55406", "state"=>"88b33e9f9c7d2f5a6259251aea3570197a7dc407d8421f02"}
-Authenticating with gds_sso strategy
-  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
+Completed 200 OK in 1.9ms (Views: 0.4ms | ActiveRecord: 0.2ms)
+  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."email" = 'test@example-client.com' LIMIT 1
    (0.1ms)  begin transaction
-   (0.2ms)  UPDATE "users" SET "permissions" = '---
+   (0.2ms)  UPDATE "users" SET "remotely_signed_out" = 't', "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (12.9ms)  commit transaction
-   (0.0ms)  begin transaction
-   (0.1ms)  UPDATE "users" SET "permissions" = '---
-- signin
-' WHERE "users"."id" = 11
-   (11.6ms)  commit transaction
-Redirected to http://www.example-client.com/restricted
-Completed 302 Found in 30.4ms (ActiveRecord: 25.2ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:21 +0000
-Processing by ExampleController#restricted as HTML
-  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
-Completed 200 OK in 1.9ms (Views: 0.5ms | ActiveRecord: 0.2ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-29 05:56:21 +0000
+   (8.8ms)  commit transaction
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:59 +0000
 Processing by ExampleController#restricted as HTML
   User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
-Completed 200 OK in 1.1ms (Views: 0.2ms | ActiveRecord: 0.2ms)
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:21 +0000
-Processing by ExampleController#restricted as JSON
-Authenticating with gds_bearer_token strategy
-Completed   in 8.6ms
-Started GET "/restricted" for 127.0.0.1 at 2014-05-28 10:01:21 +0000
-Processing by ExampleController#restricted as JSON
-Authenticating with gds_bearer_token strategy
-  User Load (0.3ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
+Authenticating with gds_sso strategy
+Completed   in 1.1ms
+Started GET "/auth/gds" for 127.0.0.1 at 2014-07-18 13:10:59 +0000
+Started GET "/auth/gds/callback?code=979607bcfbbc1794b923fa73d6fe319dd1be0bfc02086a961188b1de669bb8ff&state=ba10cbc1d53771830df04cb8d9cd264be7a05c80d204777c" for 127.0.0.1 at 2014-07-18 13:10:59 +0000
+Processing by AuthenticationsController#callback as HTML
+  Parameters: {"code"=>"979607bcfbbc1794b923fa73d6fe319dd1be0bfc02086a961188b1de669bb8ff", "state"=>"ba10cbc1d53771830df04cb8d9cd264be7a05c80d204777c"}
+Authenticating with gds_sso strategy
+  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
    (0.1ms)  begin transaction
    (0.2ms)  UPDATE "users" SET "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (25.0ms)  commit transaction
-   (0.1ms)  begin transaction
-   (0.3ms)  UPDATE "users" SET "permissions" = '---
-- signin
-' WHERE "users"."id" = 11
-   (32.0ms)  commit transaction
-Completed 200 OK in 215.4ms (Views: 0.6ms | ActiveRecord: 58.0ms)
-Started GET "/this_requires_signin_permission" for 127.0.0.1 at 2014-05-28 10:01:22 +0000
-Processing by ExampleController#this_requires_signin_permission as JSON
-Authenticating with gds_bearer_token strategy
-  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' LIMIT 1
-   (0.1ms)  begin transaction
-   (0.2ms)  UPDATE "users" SET "permissions" = '---
+   (13.3ms)  commit transaction
+   (0.0ms)  begin transaction
+   (0.2ms)  UPDATE "users" SET "remotely_signed_out" = 'f', "permissions" = '---
 - signin
 ' WHERE "users"."id" = 11
-   (20.9ms)  commit transaction
-   (0.1ms)  begin transaction
-   (0.2ms)  UPDATE "users" SET "permissions" = '---
-- signin
-' WHERE "users"."id" = 11
-   (11.1ms)  commit transaction
-Completed 200 OK in 91.1ms (Views: 0.5ms | ActiveRecord: 32.6ms)
+   (15.2ms)  commit transaction
+Redirected to http://www.example-client.com/restricted
+Completed 302 Found in 34.0ms (ActiveRecord: 29.2ms)
+Started GET "/restricted" for 127.0.0.1 at 2014-07-18 13:10:59 +0000
+Processing by ExampleController#restricted as HTML
+  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."uid" = 'integration-uid' AND "users"."remotely_signed_out" = 'f' LIMIT 1
+Completed 200 OK in 1.5ms (Views: 0.3ms | ActiveRecord: 0.2ms)