feat: use OIDC server with fine-grained authorization #386

Merged: 8 commits merged into main from chore/security-users-provider on Mar 29, 2024

Conversation

vincentchalamon
Contributor

@vincentchalamon vincentchalamon commented Mar 7, 2024

Description

tl;dr: this PR aims to deport the authorization out of Symfony to the OIDC server.

Now that we have an OIDC server, and in order to respect the decentralization state of the art, the Symfony application should not handle the user roles and permissions anymore, as it's supposed to be the responsibility of the OIDC server. The Symfony application is a resource server which communicates with the OIDC server to decentralize the user roles and permissions.

To implement this enhancement, the Symfony application must evolve to contact the OIDC server in order to check the user roles and permissions:

  • user roles are global roles applied on a user, for instance: user or admin
  • user permissions are user permissions on a resource, for instance: owner of *this* review

TODO

  • create voter to check for user roles from token (UserRoleVoter)
  • create voter to check for user roles from OIDC server (UserTokenIntrospectRoleVoter)
  • create voter to check for user permissions from OIDC server (UserTokenPermissionVoter)
  • create Review resources on OIDC server for remote permissions checking

Improvements (could be backported to Symfony):

  • Use OIDC Discovery with local cache (OIDC configuration + JWKSet)

Links

https://www.keycloak.org/docs/latest/authorization_services/index.html
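The split described above (global roles decided from the token, per-resource permissions asked of the OIDC server) can be expressed as two Symfony voters. The block below is an added example written for this page, not code from this PR or from the project. The class names, the `App\Entity\Review` class, the `claims` attribute on the security token, the `REVIEW_*` attributes and the `review:<id>` resource naming on the Keycloak side are assumptions; the request shape for the remote check follows the Keycloak authorization services documentation linked above (UMA ticket grant with `response_mode=decision`, which answers `{"result": true}` on grant and HTTP 403 on denial). The voters fail closed: no verified claims, no bearer token, or an unreachable OIDC server all produce a deny.

```php
<?php
// Added example, not the PR's or the project's code. Assumed names are marked.

declare(strict_types=1);

namespace App\Security\Voter;

use App\Entity\Review; // assumed resource class with getId()
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Contracts\HttpClient\HttpClientInterface;

/**
 * Global roles (user, admin): decided locally from the access token claims.
 * Only safe if the authenticator already verified signature, issuer and
 * audience before storing the decoded claims on the token (assumption: under
 * the 'claims' attribute). Keycloak exposes realm roles in realm_access.roles.
 */
final class ExampleRoleVoter extends Voter
{
    protected function supports(string $attribute, mixed $subject): bool
    {
        return str_starts_with($attribute, 'OIDC_ROLE_');
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        if (!$token->hasAttribute('claims')) {
            return false; // no verified claims available: deny
        }
        $roles  = $token->getAttribute('claims')['realm_access']['roles'] ?? [];
        $wanted = strtolower(substr($attribute, strlen('OIDC_ROLE_'))); // OIDC_ROLE_ADMIN -> admin

        return in_array($wanted, $roles, true);
    }
}

/**
 * Per-resource permissions (owner of *this* review): asked of the OIDC server
 * with the caller's own bearer token, so the decision uses the server's policies.
 */
final class ExampleRemotePermissionVoter extends Voter
{
    public function __construct(
        private readonly HttpClientInterface $http,
        private readonly RequestStack $requests,
        private readonly string $tokenEndpoint, // e.g. https://oidc.example/realms/demo/protocol/openid-connect/token (assumed)
        private readonly string $audience,      // client id of this resource server in Keycloak (assumed)
    ) {
    }

    protected function supports(string $attribute, mixed $subject): bool
    {
        return in_array($attribute, ['REVIEW_EDIT', 'REVIEW_DELETE'], true) && $subject instanceof Review;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $bearer = $this->requests->getCurrentRequest()?->headers->get('Authorization');
        if (null === $bearer || !str_starts_with($bearer, 'Bearer ')) {
            return false; // nothing to present to the OIDC server: deny
        }
        $scope = strtolower(substr($attribute, strlen('REVIEW_'))); // REVIEW_EDIT -> edit

        try {
            $response = $this->http->request('POST', $this->tokenEndpoint, [
                'headers' => ['Authorization' => $bearer],
                'body' => [
                    'grant_type'    => 'urn:ietf:params:oauth:grant-type:uma-ticket',
                    'audience'      => $this->audience,
                    // assumed resource naming on the Keycloak side: "review:<id>" with scopes edit/delete
                    'permission'    => sprintf('review:%s#%s', $subject->getId(), $scope),
                    'response_mode' => 'decision',
                ],
            ]);
            if (200 !== $response->getStatusCode()) {
                return false; // 403 access_denied, or any other non-success: deny
            }

            return true === ($response->toArray(false)['result'] ?? false);
        } catch (\Throwable) {
            return false; // OIDC server unreachable or malformed answer: deny, never grant
        }
    }
}
```

With these voters registered (Symfony autoconfigures `Voter` subclasses), an API Platform operation can use `security: "is_granted('REVIEW_EDIT', object)"` and a global check `is_granted('OIDC_ROLE_ADMIN')`. The remote voter adds one HTTP round trip per decision; if that is cached, key the cache on the token's `jti` and the permission string and bound it by the token's `exp`, otherwise a revoked token keeps its permissions until the cache expires.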

@vincentchalamon vincentchalamon self-assigned this Mar 7, 2024
@vincentchalamon vincentchalamon force-pushed the chore/security-users-provider branch 4 times, most recently from cc4384f to 0eaca8e March 13, 2024 20:28
@vincentchalamon vincentchalamon marked this pull request as ready for review March 13, 2024 20:37
@vincentchalamon vincentchalamon force-pushed the chore/security-users-provider branch 3 times, most recently from d57b7f4 to 07ea7d9 March 15, 2024 09:44
@vincentchalamon vincentchalamon force-pushed the chore/security-users-provider branch 4 times, most recently from 62f4a99 to ddcb435 March 18, 2024 11:54
@vincentchalamon vincentchalamon marked this pull request as draft March 18, 2024 14:28
@vincentchalamon vincentchalamon removed the request for review from soyuka March 19, 2024 16:39
@vincentchalamon vincentchalamon force-pushed the chore/security-users-provider branch 4 times, most recently from 9538652 to ca43520 March 26, 2024 19:49
@vincentchalamon vincentchalamon force-pushed the chore/security-users-provider branch 2 times, most recently from 0e946f6 to ac56982 March 28, 2024 08:36
@vincentchalamon vincentchalamon marked this pull request as ready for review March 28, 2024 15:52
@vincentchalamon vincentchalamon merged commit a81a33a into main Mar 29, 2024
7 checks passed
@vincentchalamon vincentchalamon deleted the chore/security-users-provider branch March 29, 2024 13:42