Is it possible to use security roles with server-to-server authentication in CloudKit? I would like only my server code to be able to create records in the public database.
You can use the system role 'Authenticated' and set its permission to "write/read" on the record type you want to lock down.
Your server to server key will still be able to create records of this type.
Related
I have keycloak instance (version 16) with one realm and two different clients.
The first client works with Open ID Connect Identity provider. It also works with public Access Type and with SSO and 2FA.
The second client works with a Custom module added from User Federation where 2FA is not possible to be used because the calls for authentication are mainly programmatically. Also, this client works with confidential Access Type.
The problem is that each client has a different external database with users, but the usernames in these databases are not unique.
And if I try to log in with the second client it works but after that, if I try to log in with the first client I can't, and vice versa. (in both clients username "notUniqueUser#email.com" is used)
The error message in this case is:
User with username notUniqueUser#email.com already exists. How do you want to continue?
“Review profile”
“Add to existing account”
Is it possible for these two clients to work both properly at the same time, when I do not have unique usernames and how should I configure it? (I find that is possible to have same email addresses but I can't find anything for usernames)
Maybe some kind of force authentication will be OK, and when the user "notUniqueUser#email.com" is already logged with the first client and I try to log in with the second, the session from the first one to be deleted and vice versa.
Depending on how your IDPs are configured you can try the following:
go to your realm
then to the IDP configuration in question
switch to Mappers
Click on Create
As a mapper type select Username teamplate Importer
in the template field and something that will make the username unique for example ${CLAIM.preferred_username}_<The Name of the IDP>
For example, if a username named 'user' logins from both 'IDP1' and 'IDP2' it will be imported into the Keycloak DB as 'user_IDP1' and 'user_IDP2', respectively.
We want to integrate Keycloak 18 in our platform to replace a self-implemented solution in the future. The first step was to implement an own user provider to keep our existing tables where users, roles and permissions are stored. This was pretty easy. So the old and new way can co-exist for a step-by-step replacement.
Now we also want to provide integrations for other user providers, like LDAP, Kerberos etc.
Is there a way to load the roles from our external db table after a user was authenticated by a random user provider?
e.g.:
User sends auth request to keycloak
User has been successfully authenticated by the ldap user provider
lookup external db to get the roles for the username and add them to the user model
thank you for your help
I have developed a code using Python and SQLAlchemy to read, insert and query data from a Postgresql database.
I have also seen how to get access tokens, create roles, create clients and assign roles to users in Keycloak using FastAPI end points.
My question is how do I authorize users to use the database and giving only select roles. For example allow a user only to query data, or another user to only add data.
I'm kinda stuck and unable to see how I can get this done in Keycloak and authorize users for database operation roles.
Currently, I have a social media project that already has the existing users, I want to enable the chat function. I had config Ejabberd with JWT and Mysql. I tested and I realized that I don't have to register the users in order to chat, I just need to make sure my token has "JID". Is it a good approach? Or do you have any other suggestions?
You don't need to register the users to ejabberd server explicitly while using external authentication mechanism.
However, chances are that you might not be able to see the list of registered users on the admin panel when not using the default authentication mechanism.
I am developing a web server application where I need to add authorization. This is the typical flow:
server issues token(Oauth/JWT) to the client after authentication
client sends token in each REST API request to server
server validates token and extracts the privileges held by the owner of this token
server accordingly fulfills client's request
Question:
Depending on the role of the client, the data from a SQL DB (mysql, oracle, etc.) needs to be returned back to the client. Let's say there are three users each with different roles:
userA
userB
userC
The DB has various tables and depending upon the role of the user the access to the data (tables as well as columns) is allowed.
How do I manage this access ? Should I put this logic of varying access in the web server or it needs to go into DB ?
Making SQL queries on the fly based on user role does not sound practical to me. I am looking for good practices to handle such a scenario.
[I am using Play+Scala for web server]