keycloak-api-rails

A few changes:

Open robbychs opened this issue 5 years ago • 2 comments

  • Reduce rails dependency to >= 4.1.16.
  • Skip authentication if no token is passed.

robbychs, Aug 21 '19 16:08

Thanks for your contribution, @robbychs .

However, I do not agree with skipping authentication when there is no token provided. This looks like a huge breach. Would you have a use case to identify the actual need behind this?

looorent, Aug 27 '19 08:08

The motivation behind this is to be able to move the decision of needing authentication to each controller, rather than centralize the skip list on config/initializers/keycloak.rb.

Similar to this: https://github.com/spree/spree/blob/master/api/app/controllers/spree/api/v2/storefront/account_controller.rb (`before_action :require_spree_current_user`). If we trace back to https://github.com/spree/spree/blob/master/api/app/controllers/spree/api/v2/base_controller.rb (`def require_spree_current_user`, then `def spree_current_user`), and further to https://github.com/doorkeeper-gem/doorkeeper/blob/master/lib/doorkeeper/oauth/client.rb (`def self.authenticate`), we can see that there is some logic to skip authentication if the auth params are blank: `return if credentials.blank?`. For this particular case, if someone tries to call an endpoint under api/v2/storefront/account_controller.rb without a valid auth token, the rejection is done in the controller rather than in the middleware.

robbychs, Aug 28 '19 01:08
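The two designs discussed in this thread side by side, as an added example that is not code from keycloak-api-rails, Spree or Doorkeeper: a Rack-style middleware that either fails closed when no token is present (the gem's current behaviour) or passes the request through with a nil user and leaves the 401 to a controller `before_action` (the behaviour the PR proposes). `verify_token`, `AuthMiddleware`, `BaseController`, `AccountController` and `ForgetfulController` are assumed, simplified stand-ins written for this example; the real gem verifies a Keycloak-issued JWT, which is replaced here by a constructed fixed token. The `ForgetfulController` case shows the risk raised above: a controller that omits the `before_action` becomes reachable anonymously once the middleware skips authentication.

```ruby
# Constructed sample token (assumption for this example): the real gem
# verifies an RS256 JWT against the Keycloak realm's public key.
VALID_TOKEN = "valid-token-for-alice"

class TokenError < StandardError; end

# Hypothetical verifier: returns the user's claims for the known token and
# raises for anything else, as a forged or malformed JWT would.
def verify_token(token)
  raise TokenError, "invalid token" unless token == VALID_TOKEN
  { "preferred_username" => "alice" }
end

# Rack-style middleware modelling the PR's option.
#   skip_if_no_token: false -> fail closed: no Authorization header => 401
#   skip_if_no_token: true  -> pass through with env["current_user"] = nil and
#                              leave the decision to the controller
class AuthMiddleware
  def initialize(app, skip_if_no_token: false)
    @app = app
    @skip = skip_if_no_token
  end

  def call(env)
    header = env["HTTP_AUTHORIZATION"].to_s
    token = header.sub(/\ABearer\s+/i, "")
    if token.empty?
      return [401, {}, ["missing token"]] unless @skip
      env["current_user"] = nil
      return @app.call(env)
    end
    # A present but invalid token is always rejected, in both modes.
    env["current_user"] = verify_token(token)
    @app.call(env)
  rescue TokenError => e
    [401, {}, [e.message]]
  end
end

# Minimal stand-in for a Rails controller with before_action support.
class BaseController
  def self.before_actions
    @before_actions ||= []
  end

  def self.before_action(name)
    before_actions << name
  end

  def initialize(env)
    @env = env
  end

  def current_user
    @env["current_user"]
  end

  # Counterpart of Spree's require_spree_current_user: halt with 401 when the
  # middleware let the request through without an authenticated user.
  def require_current_user
    throw :halt, [401, {}, ["authentication required"]] unless current_user
  end

  def dispatch(action)
    catch(:halt) do
      self.class.before_actions.each { |filter| send(filter) }
      send(action)
    end
  end
end

# Endpoint that opts in to authentication per controller, as the PR intends.
class AccountController < BaseController
  before_action :require_current_user

  def show
    [200, {}, ["account of #{current_user["preferred_username"]}"]]
  end
end

# Endpoint whose author forgot the before_action. With the centralised skip
# list this is still protected; with skip_if_no_token it is open to anyone.
class ForgetfulController < BaseController
  def show
    [200, {}, ["secret report"]]
  end
end

# Runs one request through the middleware and returns the HTTP status.
def simulate_request(controller, skip_if_no_token:, token: nil)
  app = ->(env) { controller.new(env).dispatch(:show) }
  env = {}
  env["HTTP_AUTHORIZATION"] = "Bearer #{token}" if token
  AuthMiddleware.new(app, skip_if_no_token: skip_if_no_token).call(env).first
end

if __FILE__ == $0
  puts simulate_request(AccountController, skip_if_no_token: true)              # 401 from the controller
  puts simulate_request(ForgetfulController, skip_if_no_token: false)           # 401 from the middleware
  puts simulate_request(ForgetfulController, skip_if_no_token: true)            # 200: anonymous access
end
```

The point a reviewer would take from the last call: moving the decision into each controller trades a single fail-closed default in the middleware for a fail-open default that every controller must remember to override, while a present but invalid token is rejected by the middleware in either mode.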