-
Notifications
You must be signed in to change notification settings - Fork 558
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: implement custom resolvers for custom auth over oauth2 #11053
base: master
Are you sure you want to change the base?
Conversation
Thanks @Aiosa ! Let's discuss if an alternative is to use keycloak as a middleman instead and manage custom resolvers there: https://www.keycloak.org/docs/latest/server_development/index.html#_providers |
That indeed is a possible solution (at least not really looking into details). Of course cbioportal cannot support all the authentication designs out there, but so cannot keycloak.
The idea is that cbioportal implements the same logics as before, but in a way that someone can add custom resolver and compile own image. The same logics as keycloak supports I believe. I would like to avoid dealing with keycloak, since it makes things harder to manage - unclear sources of auth errors, at least two more containers to run, unclear design (confusing for newcomers), bad user experience (some apps use lsaai, some keycloak, I cannot change every service we run just because of cbioportal), ... |
I have tested this implementation with a private study, mapping OIDC provider user groups to the study user groups, and it works. |
@inodb I could also add some 'generic OIDC' resolver implementation configurable enough so that people can use it without compilation requirements.... would that be desirable? That would not be really a 'custom resolver'. If no, I would remove the LSAAI implementation from this PR and make it ready for further steps? |
…send acr_values to the oidc request
I added docs, removed the irrelevant implementation of my own security repository, and also added ability to configure oidc with acr_values query. This, together with the repository, can implement the MFA authentication as well - you provide in properties file custom acr string, and later verify in a custom security repository, that the token contains what you expect. The only thing I did not manage was to add ability to provide a MAP as a param to be more general, now it is implemented only for acr_values field. Example of doing MFA with the current approach:
Later in custom repository:
|
Resolves #11052
Describe changes proposed in this pull request:
SecurityMapper
no longer retrieves study groups, these have their own mapperSecurityRepository
now is parametrized by another generic object, that is given by the auth configuration to the repository if used. Such repository then decides whether it is able to be used in the current context. Newly, repository can be switched between withsecurity.repository.type
:SecurityMyBatisRepository
FullAccessResolver
There is included a
LsaaiOauth2DrivenResolver
that demonstrates the usage; I would like to remove this implementation as it is specially designed to work for my usecase. It can be used like this:I would like a discussion on whether this is a good design, or whether there are some issues (interaction with different flows, usage in different scenarios, over-complexity due the need to compile / build images yourself...). But IMHO this is a crucial feature if this app should be used in production systems - being able to customize authentication and authorization to your needs.
No new tests are necessary since this PR just modularizes the current behavior, so the current test suite should be sufficient.
Background Info
Checks