Contexture security #147

Merged
merged 4 commits into from
Dec 7, 2023
Conversation

K-Dud
Copy link
Contributor

@K-Dud K-Dud commented Nov 16, 2023

This PR introduces a Security module for the Contexture API.
There are 2 built-in policies:

  • GetDataPolicy applies to GET /api/* routes
  • ModifyDataPolicy applies to all PUT/POST/PATCH/DELETE /api/* routes

And 2 supported authentication schemes:

  • OIDC: when accessing frontend routes, this authentication scheme is challenged to support the user login flow
  • Bearer

Example configuration using the OIDC scheme (the `Security` object sits inside the application settings JSON; shown here wrapped in its enclosing braces so it is valid JSON on its own):

```json
{
  "Security": {
    "Authentication": {
      "OIDC": {
        "Authority": "http://idp/auth/realms/contexture/",
        "ClientId": "contexture-app",
        "ClientSecret": "optional",
        "CookieName": "optional"
      }
    },
    "Authorization": {
      "ModifyData": {
        "RequiredClaims": [
          {
            "ClaimType": "contexture-app-role",
            "AllowedValues": [
              "modify-data"
            ]
          }
        ]
      },
      "GetData": {
        "RequiredClaims": [
          {
            "ClaimType": "contexture-app-role",
            "AllowedValues": [
              "view-data"
            ]
          }
        ]
      }
    }
  }
}
```

Example configuration using the Bearer scheme (same layout, wrapped in its enclosing braces):

```json
{
  "Security": {
    "Authentication": {
      "Bearer": {
        "IssuerSigningKey": "6e5ee162-d6a0-40cf-a8cc-c4a60f8d2587"
      }
    },
    "Authorization": {
      "ModifyData": {
        "RequiredClaims": [
          {
            "ClaimType": "contexture-app-role",
            "AllowedValues": [
              "modify-data"
            ]
          }
        ]
      },
      "GetData": {
        "RequiredClaims": [
          {
            "ClaimType": "contexture-app-role",
            "AllowedValues": [
              "view-data"
            ]
          }
        ]
      }
    }
  }
}
```

When no security configuration is specified, the security module is disabled.
When one of the policy configurations is omitted, the default is to always allow access.

TODO:

  • consider token validation: validating issuer, audience, signature, etc.
  • consider supporting other built-in authorization requirements: RequiresRole, RequiresUserName, RequireAuthenticatedUser
  • update README.md
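The access rules stated in this PR description (GET vs. PUT/POST/PATCH/DELETE under `/api/*`, `RequiredClaims` with `ClaimType`/`AllowedValues`, "no security configuration means disabled", "omitted policy means always allow") are modelled below as a small, stand-alone Python evaluator. This is an added illustration and not code from the Contexture project; it assumes the route-to-policy mapping exactly as stated above, that a principal's claims are given as a dict of claim type to one or more string values, and that a required claim is satisfied when at least one of the principal's values for that type is in `AllowedValues`. The configuration and the claim sets are constructed sample data; the signing key is a placeholder.

```python
"""Model of the Contexture security policy semantics described in PR #147.

Added example, not the project's own code. Assumptions: GetData covers
GET /api/*, ModifyData covers PUT/POST/PATCH/DELETE /api/*, and a required
claim is satisfied when any of the principal's values is an allowed value.
"""
import json

# Constructed configuration mirroring the shape from the PR description
# (placeholder signing key, not a real secret).
CONFIG_JSON = """
{
  "Security": {
    "Authentication": {"Bearer": {"IssuerSigningKey": "PLACEHOLDER-KEY"}},
    "Authorization": {
      "ModifyData": {"RequiredClaims": [
        {"ClaimType": "contexture-app-role", "AllowedValues": ["modify-data"]}]},
      "GetData": {"RequiredClaims": [
        {"ClaimType": "contexture-app-role", "AllowedValues": ["view-data"]}]}
    }
  }
}
"""

MODIFY_METHODS = {"PUT", "POST", "PATCH", "DELETE"}


def load_config(text=CONFIG_JSON):
    """Parse the application settings fragment into a dict."""
    return json.loads(text)


def policy_for(method, path):
    """Return the built-in policy name that governs a request, or None."""
    if not path.startswith("/api/"):
        return None  # frontend/static routes are not covered by either policy
    if method == "GET":
        return "GetData"
    if method in MODIFY_METHODS:
        return "ModifyData"
    return None


def claims_satisfy(required_claims, claims):
    """Every required claim must be present with one of its allowed values."""
    for req in required_claims:
        values = claims.get(req["ClaimType"], [])
        if isinstance(values, str):
            values = [values]  # normalise a single value to a list
        if not any(v in req["AllowedValues"] for v in values):
            return False
    return True


def is_allowed(config, method, path, claims):
    """Decide access for one request under the PR's stated defaults."""
    security = config.get("Security")
    if security is None:
        return True  # no security section: module disabled, everything allowed
    policy = policy_for(method, path)
    if policy is None:
        return True  # route not covered by a built-in policy
    policy_cfg = security.get("Authorization", {}).get(policy)
    if policy_cfg is None:
        return True  # omitted policy: default is to always allow access
    return claims_satisfy(policy_cfg.get("RequiredClaims", []), claims)


if __name__ == "__main__":
    cfg = load_config()
    viewer = {"contexture-app-role": ["view-data"]}
    editor = {"contexture-app-role": ["view-data", "modify-data"]}
    for method, path, who, claims in [
        ("GET", "/api/domains", "viewer", viewer),
        ("POST", "/api/domains", "viewer", viewer),
        ("DELETE", "/api/domains/1", "editor", editor),
        ("GET", "/", "anonymous", {}),
    ]:
        print(f"{method:6} {path:16} {who:9} -> {is_allowed(cfg, method, path, claims)}")
```

Running the module prints one decision per constructed request; the two points worth noticing are that the viewer is refused on `POST /api/domains` while being allowed on `GET`, and that dropping the `GetData` block from the configuration makes every `GET /api/*` request pass with no claims at all, which is the "omitted policy allows" default the PR describes.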

@K-Dud K-Dud changed the title Claim based authorization with jwt bearer scheme Contexture security Nov 30, 2023
@K-Dud K-Dud merged commit 5fcab5a into main Dec 7, 2023
4 checks passed
@K-Dud K-Dud deleted the feature/api-auth branch December 7, 2023 13:24