1316: Adds document describing both frontend and backend auth setup #742
Conversation
|
|
||
| NEXTAUTH_PROVIDER_ID="keycloak" // String identifying the OIDC provider | ||
| NEXTAUTH_PROVIDER_NAME="Keycloak" // The name of the OIDC provider. Keycloak uses this name to display in the login screen | ||
| NEXTAUTH_AUTHORIZATION_SCOPE_OVERRIDE="openid profile" // Optional override of the scopes that are asked permission for from the OIDC provider |
There was a problem hiding this comment.
After inspecting some decoded tokens: I have an mental concept of scopes and OIDC. I know that it is a difficult topic. Suggestion add an example decoded token so readers have an idea of stuff that can be seen inside the token.
There was a problem hiding this comment.
Mwa.. doesn't that go a bit far for in this place?
DutchBen
force-pushed
the
1316-auth-docs
branch
from
002bd3a
to
cf38828
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #742 +/- ##
=======================================
Coverage 83.43% 83.43%
=======================================
Files 188 188
Lines 9287 9287
Branches 1523 1523
=======================================
Hits 7749 7749
Misses 1274 1274
Partials 264 264
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
|
||
| ## Without authentication | ||
|
|
||
| Without authentication WFO allows all users access to all resources. |
There was a problem hiding this comment.
I don't want to make it complex, but people should know that with front-end enabled authentication, we can still have the backend without auth enabled, not the other way around.
so the momen you enable authNZ in the backend you have to enable authNZ in front as well
| OPA_URL: str = "" | ||
| ``` | ||
|
|
||
| With the variables provided requests to endpoints will return 403 errorcodes for users that are not logged in and 401 error codes for users that are not authorized for a call or part of a call |
There was a problem hiding this comment.
With the variables provided, requests to endpoints will return a 403 error for users who are not logged in, and a 401 error for users who are not authorized for the request or part of the request. (GraphQL for example)
|
|
||
| `authentication`: Method that implements returning the OIDC user from the OIDC introspection endpoint | ||
|
|
||
| `authorization`: Method that applies OPA decisions to HTTP requests for authorization. Uses OAUTH2 settings and request information to authorize actions. |
There was a problem hiding this comment.
A method that applies authorization decisions (e.g. OPA decisions) to HTTP requests and the decision is either true or false (Allow/Forbidden). Uses OAUTH2 settings and requests information to authorize actions.
There was a problem hiding this comment.
You know I have a doubt here because I believe not all people use OPA for authorization.,
There was a problem hiding this comment.
async def is_bypassable_request(request: Request) -> bool:
return _CALLBACK_STEP_API_URL_PATTERN = re.compile(
r"^/api/processes/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
r"/callback/([0-9a-zA-Z\-_]+)$"
)
|
|
||
| `authentication`: Method that implements returning the OIDC user from the OIDC introspection endpoint | ||
|
|
||
| `authorization`: Method that applies OPA decisions to HTTP requests for authorization. Uses OAUTH2 settings and request information to authorize actions. |
There was a problem hiding this comment.
async def is_bypassable_request(request: Request) -> bool:
return _CALLBACK_STEP_API_URL_PATTERN = re.compile(
r"^/api/processes/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
r"/callback/([0-9a-zA-Z\-_]+)$"
)| ``` | ||
|
|
||
| Note: | ||
| During app initialization a **is_bypassable_request** method can be passed into the app that receives the Request object |
There was a problem hiding this comment.
here we can say for example for interacting with LSO and the callback step you can bypass the request since authentication happens in the callback step API itself and no need here.
Docs