
Custom OAuth2 Authorization Hardcoded in Database

Open Aiosa opened this issue 4 months ago • 1 comments

V6 brings support for custom OAuth2 flows. However, one still needs to manage a database of users & their access rights. However, such data can be driven dynamically by external services, which is desirable in any bigger project where multiple such apps live together.

See CustomOAuth2AuthorizationConfig:

```java
        var authenticatedPortalUser = loadPortalUser(oidcUser.getEmail(), oidcUser);   // fetches user from cbio DB based on email entry
        if (Objects.isNull(authenticatedPortalUser.cbioUser) || !authenticatedPortalUser.cbioUser.isEnabled()) {
            log.error("User: {} either not in db or not authorized", oidcUser.getEmail());
            throw new OAuth2AuthenticationException("user not authorized");              // throws error even if the user was successfully authenticated
        }
        ...
```

A desirable way of doing this would be an ability to provide custom logic for the authentication and authorization resolution.

Aiosa, Oct 08 '24 15:10
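One way to separate the two steps the issue describes, as an added example written for this thread and not cBioPortal's own code: Spring Security's OIDC user-service hook keeps authentication with the identity provider, while the "is this user known and enabled" decision is delegated to a small interface that a DB, REST or LDAP client can implement. `PortalAccess`, `PortalAuthorizationResolver`, `PluggableOidcUserService` and `StaticAllowListResolver` are assumed names, and the allow-list data is constructed.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

// Added example, not cBioPortal code; all type names below are hypothetical.
/** What the portal needs after authentication: an enabled flag plus the user's roles. */
record PortalAccess(boolean enabled, Set<String> roles) {}

/** Extension point: resolve portal access for an authenticated identity; empty means "unknown user". */
interface PortalAuthorizationResolver {
    Optional<PortalAccess> resolve(OidcUser oidcUser);
}

/** Authentication stays with the identity provider; authorization is delegated to the resolver. */
class PluggableOidcUserService implements OAuth2UserService<OidcUserRequest, OidcUser> {
    private final OidcUserService delegate = new OidcUserService();
    private final PortalAuthorizationResolver resolver;
    PluggableOidcUserService(PortalAuthorizationResolver resolver) { this.resolver = resolver; }

    @Override
    public OidcUser loadUser(OidcUserRequest request) throws OAuth2AuthenticationException {
        OidcUser oidcUser = delegate.loadUser(request); // ID token has already been validated by Spring
        // Fail closed: unknown or disabled users are rejected even though authentication succeeded.
        PortalAccess access = resolver.resolve(oidcUser)
            .filter(PortalAccess::enabled)
            .orElseThrow(() -> new OAuth2AuthenticationException(
                new OAuth2Error("user_not_authorized"), "user " + oidcUser.getEmail() + " not authorized"));
        List<GrantedAuthority> authorities = access.roles().stream()
            .map(r -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + r)).toList();
        return new DefaultOidcUser(authorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
    }
}

/** Sample resolver over a constructed in-memory allow-list, standing in for a DB or remote service. */
class StaticAllowListResolver implements PortalAuthorizationResolver {
    @Override
    public Optional<PortalAccess> resolve(OidcUser u) {
        return "alice@example.org".equals(u.getEmail()) // null-safe: a missing email claim is denied
            ? Optional.of(new PortalAccess(true, Set.of("USER", "STUDY_VIEWER")))
            : Optional.empty();
    }
}
```

The service is registered through `http.oauth2Login(o -> o.userInfoEndpoint(u -> u.oidcUserService(new PluggableOidcUserService(resolver))))`, so swapping the resolver for a remote-service client changes nothing in the authentication path.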