elsa-core
elsa-core copied to clipboard
elsa-workflows
Authentication & Authorization support
Similar to the way Authorization Policies work with MVC, the various middlewares & HTTP endpoints should be updated to leverage the Policy API as well.
For example, the GraphQL endpoint should honor authorization policies.
You can enable authorization the same way you would do for any other ASP.NET Core MVC application - just add the necessary services & middleware as described in the ASP.NET Core documentation.
Elsa Dashboard currently does not provide any means to register and authenticate users, so for now this is something you would have to build yourself.
However, I do want to provide a complete Dashboard experience out of the box that includes user registration & authentication. For that, I am in the process of re-implementing the dashboard using Orchard Core, by simply creating an Elsa Orchard Core module. The admin application experience is then provided by Orchard Core. Which also means it's easy to extend the application with your own modules.
You can follow progress of that effort here if you like.
@kinglionsoft Good question. Will need to think about that. In any case, we need the user to be able to generate a security (SAS) token like we do in Orchard Core's workflows module.
@sfmskywalker - how does this issue now relate to #705 ? Is it that this one is Auth in general, across all of Elsa, and #705 is specific only to HTTP Endpoint activities?
I'm guessing you don't see them as dupes, because you haven't closed as such :thinking:
Indeed I think of this ticket and the other one as different in scope and context.
The scope of this issue is about configuring auth at the middleware level to protect the API endpoints.
The solution we’ll come up with might be suitable also for protecting the HttpEndpoint activity, but I think of #705 as scoped exclusively to that activity, enabling non-devs to create and expose workflows as protected http endpoints.
My searching skills are failing me, but I cannot find anything on authorization outside of all the questions about httpactivity authorization. I want to add authorization so that no one can whimsically delete or even create workflows. How would I inject my own authorization policy to ensure that I control the security for all of the elsa server endpoints?
That's not you, it's us; we don't have proper documentation on implementing authorization as of yet. Last week I did do a small demo during the weekly community meeting about a new plugin called Auth0 and showed how to secure API endpoints and let the user login with Auth0 from the dashboard, but we also need to write it up.
Of course, you may not be using Auth0, so you might need to write a custom dashboard plugin. In addition to the Auth0 plugin we have today, we discussed adding a more generic version that supports any OpenID connect identity provider.
Until then, the best I can suggest right now is to take a look at the Auth0 sample project and create your own dashboard plugin (perhaps starting with a copy of the auth0 dashboard plugin).
To learn more about writing custom plugins, please visit this page.
I actually am using Auth0. I'll check out the community meeting. Thanks for everything!
You can enable authorization the same way you would do for any other ASP.NET Core MVC application - just add the necessary services & middleware as described in the ASP.NET Core documentation.
Elsa Dashboard currently does not provide any means to register and authenticate users, so for now this is something you would have to build yourself.
However, I do want to provide a complete Dashboard experience out of the box that includes user registration & authentication. For that, I am in the process of re-implementing the dashboard using Orchard Core, by simply creating an Elsa Orchard Core module. The admin application experience is then provided by Orchard Core. Which also means it's easy to extend the application with your own modules.
You can follow progress of that effort here if you like.
Is this still in progress?
Yes but not currently actively worked on. My current focus lies with Elsa 3. Which, by the way, comes with a login screen out of the box. Once V3 stabilizes, I’d like to revisit the Orchard integration.