I have developed a code using Python and SQLAlchemy to read, insert and query data from a Postgresql database.
I have also seen how to get access tokens, create roles, create clients and assign roles to users in Keycloak using FastAPI end points.
My question is how do I authorize users to use the database and giving only select roles. For example allow a user only to query data, or another user to only add data.
I'm kinda stuck and unable to see how I can get this done in Keycloak and authorize users for database operation roles.
Related
We want to integrate Keycloak 18 in our platform to replace a self-implemented solution in the future. The first step was to implement an own user provider to keep our existing tables where users, roles and permissions are stored. This was pretty easy. So the old and new way can co-exist for a step-by-step replacement.
Now we also want to provide integrations for other user providers, like LDAP, Kerberos etc.
Is there a way to load the roles from our external db table after a user was authenticated by a random user provider?
e.g.:
User sends auth request to keycloak
User has been successfully authenticated by the ldap user provider
lookup external db to get the roles for the username and add them to the user model
thank you for your help
Following MongoDB Custom Authentication, it is given that any JWT Token with the minimal below fields works with the MongoDB Stitch Authentication. Also, token needs to be issued by External Authentication System
{
"aud": "<stitch app id>"
"sub": "<unique user id>",
"exp": <NumericDate>,
}
I've tested this and it works as well
Created Stitch App and enabled Users with Custom Authentication Provider
Generated Sample Token through Jwt.io with the below inputs. (Use same algorithm and key as configured when enabling Custom Authentication Provider, Here it is, HS256 and the )
It works in the way,
It is validating the users in MongoDB Stich Users Collection with the unique value provided in sub: "sub": "<unique user id>" and if the user is present then it returning the Object Id for that User.
If the user is not present then it is creating one against the input and returning the Object Id.
Queries are,
Why it is creating a new user instead of returning login failure, which in turn works like any user can log in with any credentials on demand?
If MongoDB Stitch Custom Authentication involves External Authentication System to issue JWT, where the user data will be actually stored when user registration? - MongoDB Stitch App Collection or External Authentication API System?
Here is the response from MongoDB Support
Why is Stitch creating a new "User"
The "User" Stitch creates in this scenario is an internal user. This "user" also contains the user data and metadata provided from the JWT and is not stored alongside your other collections in the Atlas cluster your application is linked against. Note that this "user" is not accessible to MongoDB without using a trigger or other function to load it into the database.
Why isn't a login failure returned
A login failure is not being returned because the custom authentication provider is only checking the signed JWT from the external system against its own copy of the signing key. If the signatures match then the login is deemed successful.
It is the responsibility of the external authentication provider to fail the login; not Stitch.
Where will the user data actually be stored
The user data should be managed within your database. The most efficient way to integrate this with the Custom Authentication provider is to use an Authentication Trigger on Create and/or Login operation types. This would allow you to run a Stitch Function any time an authentication event is triggered.
There is an example of using authentication triggers on the MongoDB blog which may help explain the process further.
I am developing a web server application where I need to add authorization. This is the typical flow:
server issues token(Oauth/JWT) to the client after authentication
client sends token in each REST API request to server
server validates token and extracts the privileges held by the owner of this token
server accordingly fulfills client's request
Question:
Depending on the role of the client, the data from a SQL DB (mysql, oracle, etc.) needs to be returned back to the client. Let's say there are three users each with different roles:
userA
userB
userC
The DB has various tables and depending upon the role of the user the access to the data (tables as well as columns) is allowed.
How do I manage this access ? Should I put this logic of varying access in the web server or it needs to go into DB ?
Making SQL queries on the fly based on user role does not sound practical to me. I am looking for good practices to handle such a scenario.
[I am using Play+Scala for web server]
I have a Catalyst application that I recently created. I based the original authentication model on the example given in the Catalyst example using "SimpleDB". I am also using the Authorization::Roles module to permission users in specific application roles.
Now I need to move to LDAP authentication. I need to use LDAP to authenticate the user, but the user should still have a row in the User table to validate that the user is allowed to use the application. Also, the application should still lookup the User Roles from the Role table to determine what roles the user is allowed.
My question is: I have read that dropping in the Catalyst LDAP authentication module is pretty much Plug-N-Play, but will the application still use the User/Role tables that are already defined in the application?
Is it possible to use security roles with server-to-server authentication in CloudKit? I would like only my server code to be able to create records in the public database.
You can use the system role 'Authenticated' and set its permission to "write/read" on the record type you want to lock down.
Your server to server key will still be able to create records of this type.