Draft: POC: Detecting roles with help of the authentication backend
Closes #49 (closed)
Uses: auth-backend!2 (merged)
In this MR
- POC of determining roles while authenticating a user
- Foreseen use-case: in the future, certain users (administrators) should be allowed to create/edit/delete "system presets", i.e. presets that are visible for ALL users. Non-admin users can only create USER presets.
- This version of the auth-backend allows for a variable `GEOWEB_ROLE_CLAIM`. Here a check can be specified that a user belongs to a certain "admin" group. If the user belongs to the admin group, they get assigned the role "admin". Otherwise, the role will be "user".
- In this example, a check is done whether a user is part of the GitLab group "opengeoweb/internal".
- A future use-case could be to create a group "opengeoweb/admins", so that a check can be done whether a user is part of the admin group.
- In this example, the found role is set as a response header. The purpose of this is to make it easy to check whether the username and role are retrieved correctly. While interacting with the BE from a connected FE, you can verify the correct username and role in the network panel.
- The header is thus not meant to stay; it is only shown here as a POC.
- If this POC is accepted and further developed, the role can be used to check whether a certain user can create/edit/delete a "system" preset.
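As an added example (not code from the auth-backend or this MR), the role check described above in Python: it parses the `GEOWEB_ROLE_CLAIM` value `groups=opengeoweb/internal` into a claim name and a required value, looks that claim up in a constructed userinfo response, and derives "admin" or "user" plus the `Geoweb-Role-POC` header. The `claim=value` syntax beyond this one example, the exact-match rule and the shape of the userinfo response are assumptions.

```python
"""Role derivation from an OIDC userinfo response, modelled on the
GEOWEB_ROLE_CLAIM='groups=opengeoweb/internal' convention. Added example,
not auth-backend code; claim syntax, matching rule and userinfo shape are assumed."""
import json

ROLE_HEADER = "Geoweb-Role-POC"   # response header used by the POC


def parse_role_claim(role_claim: str) -> tuple[str, str]:
    """Split 'groups=opengeoweb/internal' into ('groups', 'opengeoweb/internal').
    A missing '=' or an empty side is a configuration error, not a silent 'user'."""
    claim, sep, required = role_claim.strip().strip("'\"").partition("=")
    if not sep or not claim.strip() or not required.strip():
        raise ValueError(f"malformed GEOWEB_ROLE_CLAIM: {role_claim!r}")
    return claim.strip(), required.strip()


def derive_role(userinfo: dict, role_claim: str) -> str:
    """Return 'admin' when the configured claim contains the required value
    as an exact element, otherwise 'user'. Exact matching matters: a substring
    test would let a group such as 'opengeoweb/internal-guests' pass as admin."""
    claim, required = parse_role_claim(role_claim)
    value = userinfo.get(claim)
    if value is None:                      # claim absent: least privilege
        return "user"
    members = value if isinstance(value, list) else [value]
    return "admin" if required in members else "user"


def role_headers(userinfo: dict, role_claim: str) -> dict[str, str]:
    """Header the POC adds to the response so the FE network panel shows the role."""
    return {ROLE_HEADER: derive_role(userinfo, role_claim)}


# Constructed sample userinfo responses (assumed shape of GitLab's
# /oauth/userinfo with a 'groups' claim); e-mails and extra groups are made up.
ADMIN_USERINFO = json.loads('{"email": "dev@example.org", '
                            '"groups": ["opengeoweb/internal", "other/team"]}')
PLAIN_USERINFO = json.loads('{"email": "guest@example.org", '
                            '"groups": ["opengeoweb/internal-guests"]}')

if __name__ == "__main__":
    for info in (ADMIN_USERINFO, PLAIN_USERINFO):
        role = derive_role(info, "groups=opengeoweb/internal")
        print(info["email"], "->", role, "(Admin user detected)" if role == "admin" else "")
```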
How to test
- Build this version locally with docker-compose and connect with a local FE
- Important: use the example `.env` file and `config.json` file below!
- Interact with the backend and open your network panel
- In the response headers section you should see a header `Geoweb-Role-POC` with the value "admin" or "user"
- In the logs it should say "Admin user detected" in case an admin user interacts with the BE
- Check the logs of the "presets-backend" container with `docker logs -f presets-backend`
- You could also check the logs in the auth container with `docker logs -f nginx-presets-backend`.
- In this branch, the assumption is made that GitLab authentication is used. It checks whether users are part of the group `opengeoweb/internal` to determine whether the user is an admin. I think most developers, POs and DEs are part of this group, so everyone should be able to see an admin role.
Use the following `.env` file:

```
ENABLE_SSL=TRUE
BACKEND_PORT=4443
BACKEND_PORT_HTTP=80
EXTERNALADDRESS=https://localhost:4443/
OAUTH2_USERINFO=https://gitlab.com/oauth/userinfo
VERSION=1.0.0
DEPLOY_ENVIRONMENT="open"
GEOWEB_USERNAME_CLAIM="email"
GEOWEB_ROLE_CLAIM='groups=opengeoweb/internal'
```
And make sure the following is set in your FE `config.json`:

```
"GW_AUTH_CLIENT_ID": "65f460102bad674857d73c8b788076b6484d25aa6bf876f054d08c52b5040300",
"GW_AUTH_LOGIN_URL": "https://gitlab.com/oauth/authorize?client_id={client_id}&response_type=code&scope=email+openid&redirect_uri={app_url}/code&state={state}&code_challenge={code_challenge}&code_challenge_method=S256",
"GW_AUTH_LOGOUT_URL": "{app_url}",
"GW_AUTH_TOKEN_URL": "https://gitlab.com/oauth/token",
"GW_PRESET_BACKEND_URL": "http://localhost:4443/"
```
Edited by Mizzi van der Ven