1316: Adds document describing both frontend and backend auth setup #742
NEXTAUTH_PROVIDER_ID="keycloak" // String identifying the OIDC provider | ||
NEXTAUTH_PROVIDER_NAME="Keycloak" // The name of the OIDC provider. Keycloak uses this name to display in the login screen | ||
NEXTAUTH_AUTHORIZATION_SCOPE_OVERRIDE="openid profile" // Optional override of the scopes that are asked permission for from the OIDC provider |
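Review bot: the `//` inline comments on these three lines are not dotenv comment syntax; in a `.env` file a comment starts with `#`, so as written the text after `//` risks being read as part of the value. Use `#` or move the explanations into prose. Two content points on the same lines: `NEXTAUTH_PROVIDER_NAME` is what NextAuth shows on its own default sign-in page, not something Keycloak displays, so the comment on that line should be corrected; and `NEXTAUTH_AUTHORIZATION_SCOPE_OVERRIDE` should state the default it replaces and warn that dropping a scope drops the claims the provider releases for it (overriding to `openid profile` means no `email` claim in the token, which breaks any identity or role mapping keyed on it).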
After inspecting some decoded tokens I have a mental concept of scopes and OIDC. I know that it is a difficult topic. Suggestion: add an example decoded token so readers have an idea of the stuff that can be seen inside the token.
Mwa... doesn't that go a bit far in this place?
## Without authentication | ||
Without authentication WFO allows all users access to all resources. |
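Review bot: "allows all users access to all resources" should say what that means operationally: no login, no OIDC token validation and no authorization decision for any request, so this mode is only acceptable for local development and must never be used on a network-reachable deployment. The section should also state which variables being unset selects this mode, so a reader can confirm they are not running it by accident.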
I don't want to make it complex, but people should know that with frontend-enabled authentication we can still have the backend without auth enabled, not the other way around.
So the moment you enable authNZ in the backend you have to enable authNZ in the frontend as well.
OPA_URL: str = "" | ||
``` | ||
With the variables provided requests to endpoints will return 403 errorcodes for users that are not logged in and 401 error codes for users that are not authorized for a call or part of a call |
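Review bot: the status codes on the last line are reversed relative to HTTP semantics: 401 Unauthorized (RFC 7235) is the response for a missing or invalid credential, i.e. a user who is not logged in, and 403 Forbidden (RFC 7231) is for an authenticated user whom the policy does not allow. Verify which code the backend actually returns in each case and either swap the numbers here or explain the deviation, because operators will rely on these codes to tell an expired token from a denied policy. The `OPA_URL: str = ""` default should also say what an empty value does (no authorization decisions, or a startup error).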
With the variables provided, requests to endpoints will return a 403 error for users who are not logged in, and a 401 error for users who are not authorized for the request or part of the request (GraphQL, for example).
`authentication`: Method that implements returning the OIDC user from the OIDC introspection endpoint | ||
`authorization`: Method that applies OPA decisions to HTTP requests for authorization. Uses OAUTH2 settings and request information to authorize actions. |
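Review bot: `authentication` says the user comes from the "OIDC introspection endpoint"; token introspection is an OAuth 2.0 mechanism (RFC 7662) and is one of two common options, the other being local validation of the JWT against the issuer's JWKS. State which one is used and what happens when the token is expired or the introspection endpoint is unreachable (the request should fail closed). For `authorization`, the description hard-codes OPA: if the method is a generic hook, describe its contract (request plus OAUTH2 settings in, allow or deny out) and then present OPA as the shipped implementation; if it is OPA-only, say so explicitly so readers do not expect to plug in something else.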
A method that applies authorization decisions (e.g. OPA decisions) to HTTP requests; the decision is either true or false (Allow/Forbidden). Uses OAUTH2 settings and request information to authorize actions.
You know, I have a doubt here because I believe not all people use OPA for authorization.
async def is_bypassable_request(request: Request) -> bool:
return _CALLBACK_STEP_API_URL_PATTERN = re.compile(
r"^/api/processes/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
r"/callback/([0-9a-zA-Z\-_]+)$"
)
``` | ||
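Review bot: the snippet is not valid Python as shown: the `return` on the second line is immediately followed by the assignment `_CALLBACK_STEP_API_URL_PATTERN = re.compile(`. The module-level pattern should be defined above the function and the function should return the match result, e.g. `return _CALLBACK_STEP_API_URL_PATTERN.match(request.url.path) is not None`. Also worth stating in the text: the predicate must test `request.url.path` only, never the full URL, so a query string cannot influence the allowlist, and the `^`/`$` anchors in the pattern are what keep `/api/processes/<uuid>/callback/<token>/anything` from matching. Note that Python's `$` also matches just before a trailing newline, so `fullmatch()` or `\Z` is the stricter choice for an allowlist.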
Note: | ||
During app initialization a **is_bypassable_request** method can be passed into the app that receives the Request object |
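Review bot: this note should spell out the consequence: a request for which `is_bypassable_request` returns True skips both the `authentication` and `authorization` steps, so every route it matches must carry its own credential check (for the callback endpoint, its own token) and the predicate should match only exact, anchored paths. It should also say what the default is when no method is passed in.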
Here we can say, for example, that for interacting with LSO and the callback step you can bypass the request, since authentication happens in the callback step API itself and there is no need for it here.
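The bypass discussed in this thread, as an added example that is not part of the PR or of the WFO project: a path-only `is_bypassable_request` built on the callback URL pattern quoted in the document, plus a small guard showing that a bypassed request skips both the authentication and the authorization step. Assumptions that are not taken from the page: the `Request` stand-in mirrors only `url.path` of Starlette's `Request` so the code runs offline, `guard()` and its string labels are hypothetical and only illustrate the order of checks, and `SAMPLE_PROCESS_ID`/`SAMPLE_CALLBACK_PATH` are constructed values. The example also goes one step beyond the document by showing why `fullmatch()` is safer than `match()` for an allowlist regex.

```python
"""Added example: a path-only bypass predicate for the callback-step endpoint
and the check order it feeds. Not code from the PR or from the WFO project.

Assumptions, labelled here and in the lead-in: the Request stand-in mirrors
only `url.path` of starlette.requests.Request; guard() and its string labels
are hypothetical and exist to show the order bypass -> authn -> authz.
"""
import asyncio
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Pattern as quoted in the document under review: a process UUID followed by
# exactly one callback-token segment, anchored at both ends.
_CALLBACK_STEP_API_URL_PATTERN = re.compile(
    r"^/api/processes/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
    r"/callback/([0-9a-zA-Z\-_]+)$"
)

# Constructed sample values (not from the page).
SAMPLE_PROCESS_ID = "123e4567-e89b-12d3-a456-426614174000"
SAMPLE_CALLBACK_PATH = f"/api/processes/{SAMPLE_PROCESS_ID}/callback/step-token_1"


@dataclass
class _URL:
    path: str  # the only attribute the predicate reads


@dataclass
class Request:
    url: _URL  # constructed stand-in for starlette.requests.Request


def parse_callback_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (process_id, token) if `path` is exactly the callback-step URL.

    fullmatch() is used instead of match(): Python's `$` also matches just
    before a trailing newline, so match() would accept ".../callback/abc\\n".
    fullmatch() requires the whole string to be consumed by the pattern.
    """
    m = _CALLBACK_STEP_API_URL_PATTERN.fullmatch(path)
    return (m.group(1), m.group(2)) if m else None


def is_bypassable_path(path: str) -> bool:
    """Path-only allowlist: the query string and fragment are never consulted,
    and the anchors reject any prefix or extra trailing segment."""
    return parse_callback_path(path) is not None


def newline_slips_past_match(path: str) -> bool:
    """Demonstrates the looser behaviour of match() with the same pattern."""
    return _CALLBACK_STEP_API_URL_PATTERN.match(path) is not None


async def is_bypassable_request(request: Request) -> bool:
    """Hook shape described in the document: receives the Request object."""
    return is_bypassable_path(request.url.path)


def guard(path: str, user: Optional[str], policy_allows: bool) -> str:
    """Hypothetical check order. A bypassed request skips BOTH later checks,
    which is why the bypassed endpoint must verify its own credential
    (the callback token) instead of relying on the OIDC user."""
    if is_bypassable_path(path):
        return "bypass"           # no OIDC user lookup, no OPA decision
    if user is None:
        return "unauthenticated"  # missing or invalid bearer token
    if not policy_allows:
        return "forbidden"        # authenticated, but the policy said no
    return "ok"


if __name__ == "__main__":
    req = Request(_URL(SAMPLE_CALLBACK_PATH))
    print(asyncio.run(is_bypassable_request(req)))              # True
    print(guard(SAMPLE_CALLBACK_PATH, None, False))             # bypass
    print(guard("/api/processes", None, False))                 # unauthenticated
    print(guard("/api/processes", "alice", False))              # forbidden
    print(newline_slips_past_match(SAMPLE_CALLBACK_PATH + "\n"),
          is_bypassable_path(SAMPLE_CALLBACK_PATH + "\n"))      # True False
```

The point of the `guard()` ordering is the one made in the thread: once a request is bypassed, nothing downstream ever looks at a bearer token or asks the policy engine, so the callback-step endpoint itself has to check the token it receives. Keeping the predicate on `url.path` with an anchored pattern is what stops `?query`, extra path segments or a prefixed path from riding on the allowlist.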