Improve documentation for CompositeProviderFlag #6173

Closed
trentjeff opened this issue Feb 13, 2023 · 0 comments
Labels: 4.x (Version 4.x), docs, P2

Comments

trentjeff commented Feb 13, 2023

The javadoc https://helidon.io/docs/v2/apidocs/io.helidon.security/io/helidon/security/CompositeProviderFlag offers very little guidance in helping users choose the appropriate configuration when composite providers are configured.

One recent question from slack has the user configuring two providers: (1) OID, with a fallback of (2) Basic-Auth. The user was configuring both providers as "MAY_FAIL". However, the appropriate configuration should be having both configured as "SUFFICIENT" with the optional flag set to true.

This configuration, however, is not at all obvious from reading the documentation. We should therefore improve the documentation - probably by providing examples of when/how it is appropriate to use compositions that include MAY_FAIL, SUFFICIENT, and optional=true - as well as the other flags available.

Also related to this is considering how the OID provider was not available due to a network outage (or perhaps a 404). We should also mention this case in particular to indicate something like "a failure to reach the security provider" will be treated as a failure, etc.

bad:

security:
  enabled: true
  provider-policy:
    type: "COMPOSITE"
    name: "composite-policy"
    default: true
    authentication:
      - name: "basic-authenticator"
        flag: "MAY_FAIL"
      - name: "oidc-authenticator"
        flag: "MAY_FAIL"
  providers:
  - name: "basic-authenticator"
    http-basic-auth:
      realm: "helidon"
      users:
      - login: "uimuser"
        password: "changeit"
  - name: "oidc-authenticator"
    oidc:
      identity-uri: "http://ohs1.oamdomain.org:30305"
      base-scopes: "FedRserver.Info"
      client-id: topologyClient
      client-secret: Welcome1
      token-endpoint-auth: CLIENT_SECRET_POST
      cookie-name: "OIDC_SESSION"
      cookie-same-site: "Lax"
      header-use: true
      audience: "FedRserver"
      redirect: true
      redirect-uri: "/sr/test/sol005Adapter"

Good (partially; needs optional: true for oidc):

security:
  enabled: true
  provider-policy:
    type: "COMPOSITE"
    name: "composite-policy"
    default: true
    authentication:
      - name: "basic-authenticator"
        flag: "SUFFICIENT"
      - name: "oidc-authenticator"
        flag: "SUFFICIENT"
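The fully corrected form the issue asks for, written out here as an added example rather than copied from the issue: both authentication providers SUFFICIENT, and the OIDC provider additionally marked optional. Placing `optional: true` inside the `oidc` block is an assumption about where the provider reads that key, and the credentials and hostname are placeholders, not the values from the issue.

```yaml
security:
  enabled: true
  provider-policy:
    type: "COMPOSITE"
    name: "composite-policy"
    default: true
    authentication:
      # SUFFICIENT on both: the first provider that succeeds authenticates
      # the request; a provider that abstains lets the next one run.
      - name: "basic-authenticator"
        flag: "SUFFICIENT"
      - name: "oidc-authenticator"
        flag: "SUFFICIENT"
  providers:
    - name: "basic-authenticator"
      http-basic-auth:
        realm: "helidon"
        users:
          - login: "PLACEHOLDER_USER"       # placeholder, not a real account
            password: "PLACEHOLDER_PASSWORD"
    - name: "oidc-authenticator"
      oidc:
        # Assumed key placement: lets the OIDC provider abstain instead of
        # failing when a request carries no OIDC credentials, so the
        # basic-auth fallback can still be tried.
        optional: true
        identity-uri: "https://idp.example.invalid"   # placeholder issuer
        client-id: "PLACEHOLDER_CLIENT_ID"
        client-secret: "PLACEHOLDER_CLIENT_SECRET"
        token-endpoint-auth: CLIENT_SECRET_POST
        cookie-name: "OIDC_SESSION"
        cookie-same-site: "Lax"
        header-use: true
        redirect: true
        redirect-uri: "/oidc/redirect"                # placeholder path
```

Note that `optional: true` only covers the case where OIDC credentials are absent; as the issue points out, the documentation should still state explicitly how an unreachable identity server is treated.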
@trentjeff trentjeff added docs 2.x Issues for 2.x version branch 3.x Issues for 3.x version branch labels Feb 13, 2023
@barchetta barchetta added the P2 label Feb 23, 2023
@tomas-langer tomas-langer added 4.x Version 4.x and removed 2.x Issues for 2.x version branch 3.x Issues for 3.x version branch labels Apr 12, 2023
@m0mus m0mus added this to Backlog Aug 12, 2024
@m0mus m0mus moved this to Closed in Backlog Aug 12, 2024