
Draft: POC: Detecting roles with help of the authentication backend

Mizzi van der Ven requested to merge 49-be-poc-jwks-claims-presets-backend into main

Closes #49 (closed)

Uses: auth-backend!2 (merged)

In this MR

  • POC of determining roles while authenticating a user
  • Foreseen use-case: in future, certain users (administrators) should be allowed to create/edit/delete "system presets" aka presets that are visible for ALL users. Non-admin users can only create USER presets
  • This version of the auth-backend allows for a variable GEOWEB_ROLE_CLAIM. Here a check can be specified that a user belongs to a certain "admin" group. If the user belongs to the admin group, they get assigned a role "admin". Otherwise, the role will be "user".
  • In this example, a check is done whether a user is part of the gitlab group "opengeoweb/internal".
  • A future use-case could be to create a group "opengeoweb/admins", so that a check can be done if a user is part of the admin group.
  • In this example, the found role is set as a response header. The purpose of this was to make it easy to check if the username & role are retrieved correctly. While interacting with the BE from a connected FE, you can verify the correct username and role in the network panel.
    • The header is thus not meant to stay, just to show here as POC
  • If this POC is accepted and further developed, the role can be used to check if a certain user can create/edit/delete a "system"

How to test

  • Build this version locally with docker-compose and connect with local FE
  • Important: use the examples for the .env file and config.json file below!!
  • Interact with the backend and open your network panel
  • In the response headers section you should see a header Geoweb-Role-POC with a value "admin" or "user"
  • In the logs it should say "Admin user detected" in case an admin user interacts with the BE
    • Check the logs of the "presets-backend" container with docker logs -f presets-backend
    • You could also check the logs in the auth container with docker logs -f nginx-presets-backend.
  • In this branch, the assumption is made that GitLab authentication is used. It checks whether users are part of the group opengeoweb/internal to determine if the user is an admin. I think most developers, POs and DEs are part of this group, so everyone should be able to see an admin role

Use the following .env file:

ENABLE_SSL=TRUE
BACKEND_PORT=4443
BACKEND_PORT_HTTP=80
EXTERNALADDRESS=https://localhost:4443/
OAUTH2_USERINFO=https://gitlab.com/oauth/userinfo
VERSION=1.0.0
DEPLOY_ENVIRONMENT="open"
GEOWEB_USERNAME_CLAIM="email"
GEOWEB_ROLE_CLAIM='groups=opengeoweb/internal'

And make sure the following is set in your FE config URL:

"GW_AUTH_CLIENT_ID": "65f460102bad674857d73c8b788076b6484d25aa6bf876f054d08c52b5040300",
"GW_AUTH_LOGIN_URL": "https://gitlab.com/oauth/authorize?client_id={client_id}&response_type=code&scope=email+openid&redirect_uri={app_url}/code&state={state}&code_challenge={code_challenge}&code_challenge_method=S256",
"GW_AUTH_LOGOUT_URL": "{app_url}",
"GW_AUTH_TOKEN_URL": "https://gitlab.com/oauth/token",
"GW_PRESET_BACKEND_URL": "http://localhost:4443/"
Edited by Mizzi van der Ven
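The role check the MR describes (a `GEOWEB_ROLE_CLAIM` of the form `<claim>=<value>`, compared against the userinfo document, yielding "admin" or "user") can be written as below. This is an added illustration, not the auth-backend's own code: the function names, the exact-element matching rule and the userinfo samples are assumptions made here. The samples are constructed to resemble a userinfo response whose `groups` claim is a list of group paths; the point they make is that a member of `opengeoweb/internal-guests` or of the parent `opengeoweb` must not be treated as a member of `opengeoweb/internal`, and that a missing or malformed claim defaults to the less privileged role.

```python
"""Role derivation for a GEOWEB_ROLE_CLAIM-style setting.

Added example, not the project's code. Assumes the setting is
'<claim>=<value>' (as in the MR's .env: groups=opengeoweb/internal) and
that userinfo is a JSON object whose claim is a list of strings or a
single string. Function names are hypothetical.
"""

ADMIN_ROLE = "admin"
USER_ROLE = "user"
ROLE_HEADER = "Geoweb-Role-POC"  # the POC header named in the MR


def parse_role_claim(spec):
    """Split 'claim=value' into (claim, value).

    A spec without '=' or with an empty side is rejected outright rather
    than silently degrading to 'nobody is admin' or 'everybody is admin'.
    """
    claim, sep, value = spec.partition("=")
    claim, value = claim.strip(), value.strip()
    if not sep or not claim or not value:
        raise ValueError(f"role claim must be '<claim>=<value>', got {spec!r}")
    return claim, value


def role_for_userinfo(userinfo, spec):
    """Return ADMIN_ROLE if the configured claim contains the configured
    value as a whole element, otherwise USER_ROLE.

    Matching is exact per element: 'opengeoweb/internal' is not satisfied
    by 'opengeoweb/internal-guests', by the parent 'opengeoweb', or by a
    substring match on the joined list. A missing claim or one that is
    not a string/list yields USER_ROLE.
    """
    claim, wanted = parse_role_claim(spec)
    present = userinfo.get(claim)
    if isinstance(present, str):
        present = [present]
    if not isinstance(present, list):
        return USER_ROLE
    if any(isinstance(g, str) and g == wanted for g in present):
        return ADMIN_ROLE
    return USER_ROLE


def identity_for_userinfo(userinfo, role_spec, username_claim="email"):
    """Combine the username claim (GEOWEB_USERNAME_CLAIM) and the derived
    role into the two values the MR exposes for checking."""
    return {
        "username": userinfo.get(username_claim),
        "role": role_for_userinfo(userinfo, role_spec),
    }


# Constructed userinfo samples (not captured from GitLab).
ROLE_SPEC = "groups=opengeoweb/internal"
ADMIN_USERINFO = {
    "sub": "1", "email": "dev@example.org",
    "groups": ["opengeoweb", "opengeoweb/internal"],
}
GUEST_USERINFO = {
    "sub": "2", "email": "guest@example.org",
    "groups": ["opengeoweb", "opengeoweb/internal-guests"],
}
NO_GROUPS_USERINFO = {"sub": "3", "email": "nogroups@example.org"}


def demo():
    """Return the (header, value) pairs each sample user would receive."""
    return [
        (u["email"], (ROLE_HEADER, role_for_userinfo(u, ROLE_SPEC)))
        for u in (ADMIN_USERINFO, GUEST_USERINFO, NO_GROUPS_USERINFO)
    ]


if __name__ == "__main__":
    for email, header in demo():
        print(email, header)
```

When porting this to the real auth layer, keep the exact-element comparison; a `contains`/regex check on the serialised groups claim is the usual way such a gate ends up granting admin to a sibling group.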
