inspectit-ocelot
Closes #602 - Option to use pre authentication on the configuration se…
So many things to discuss:
- First, there is a security config switch now; if proxy auth is enabled, most of the existing stuff is dismissed:
  - There is only pre-authentication, so no token, basic, LDAP... This is fine IMO and has to be like this.
  - However, if LDAP is active we would still use LDAP to retrieve the details about the user, and thus correctly resolve the roles.
- Some config is shared, and this is extracted into a superclass.
- It works as simply as sending the username in the header; from there on we consult the active user service to resolve whether the user exists and what his roles & grants are.
- It only works if the passed username belongs to an existing user, of course.
From the UI point of view (I did not touch a thing until we agree):
- The login form is not needed any more when the auth proxy is on.
- So what we can do is try to fetch the token when the login form is shown, in order to see if the token can be fetched without auth (i.e. using the proxy auth).
- If this works, everything else can stay the same. The token that is received would only be used on the UI; it would have no effect on the requests made, as you cannot auth with the token in this scenario.
- I guess this is how we can have minimal changes on the UI to be able to support both auth scenarios.
However, it does not make sense to have a login form at all on the UI. We should have OAuth support, and then we would not care what mode the backend is in. If it's the default setup, the backend will present the login form and dispatch the OAuth code on successful login, which can be used to get the token. If it's the auth proxy, you would directly get the code. The UI would not care. However, this requires a lot of adaptation on the backend and the frontend. I am not sure why this was not implemented like this in the first place?
In addition, the token should be used to access the API, and pre-auth or form auth only to retrieve the token. This is how it should be correctly split, IMO.
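The header-based pre-authentication flow described in the first list above (username arrives in a request header set by the proxy, the active user service is consulted to check that the user exists and to resolve roles), as an added Spring Security example. This is not code from this PR or from inspectit-ocelot; the header name `X-Forwarded-User`, the property key `inspectit-config-server.security.proxy-auth.enabled`, and the class name are assumptions, as is the assumption that the application already exposes a `UserDetailsService` (local or LDAP-backed) as a bean.

```java
// Added example, not inspectit-ocelot code: Spring Security (5.x, WebSecurityConfigurerAdapter style)
// configuration that trusts a username header set by an authenticating reverse proxy and resolves
// the user's roles through whatever UserDetailsService is active (local users or LDAP).
// Header name, property key and class name are assumptions made for this example.
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
// Assumed property key: only wire the proxy-auth chain when the switch is on.
@ConditionalOnProperty(value = "inspectit-config-server.security.proxy-auth.enabled", havingValue = "true")
public class ProxyAuthSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Assumed to be the active user service bean (local or LDAP-backed).
    private final UserDetailsService userDetailsService;

    public ProxyAuthSecurityConfiguration(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        // The wrapper looks the header's username up in the user service. An unknown username
        // raises UsernameNotFoundException, so the request stays unauthenticated and is denied:
        // the header alone is not enough, the user has to exist.
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService));
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter headerFilter = new RequestHeaderAuthenticationFilter();
        headerFilter.setPrincipalRequestHeader("X-Forwarded-User"); // assumed header name
        // A missing header is not an error here; the request simply has no principal and
        // is rejected by the entry point below instead of producing a 500.
        headerFilter.setExceptionIfHeaderMissing(false);
        headerFilter.setAuthenticationManager(authenticationManager());

        http.csrf().disable()
            // Every request carries the header, so no session needs to be kept.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .addFilter(headerFilter)
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // No login form in this mode: unauthenticated requests get a plain 403.
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());
    }
}
```

The caveat a reviewer should insist on: `RequestHeaderAuthenticationFilter` trusts the header unconditionally, so any client that can reach the config server directly and set `X-Forwarded-User` can impersonate any existing user. This mode is only safe when the proxy overwrites (not merely adds) that header on every request and the server accepts connections from the proxy alone, for example via a bind address or firewall rule. Only after the user service confirms the user does the request carry authorities, which is what makes the "roles resolved via the active user service" part of the description hold.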