feat: use OIDC server with fine-grained authorization #386
Merged
vincentchalamon force-pushed the chore/security-users-provider branch 4 times, most recently from cc4384f to 0eaca8e on March 13, 2024 20:28
soyuka reviewed Mar 14, 2024
Review comments (5 threads, all outdated and resolved) on api/src/Security/Http/AccessToken/Oidc/OidcDiscoveryTokenHandler.php
vincentchalamon force-pushed the chore/security-users-provider branch 3 times, most recently from d57b7f4 to 07ea7d9 on March 15, 2024 09:44
vincentchalamon force-pushed the chore/security-users-provider branch 4 times, most recently from 62f4a99 to ddcb435 on March 18, 2024 11:54
vincentchalamon force-pushed the chore/security-users-provider branch 4 times, most recently from 9538652 to ca43520 on March 26, 2024 19:49
vincentchalamon force-pushed the chore/security-users-provider branch 2 times, most recently from 0e946f6 to ac56982 on March 28, 2024 08:36
vincentchalamon force-pushed the chore/security-users-provider branch from ede2ff2 to 9dc1360 on March 29, 2024 13:25
Description
tl;dr: this PR aims to deport the authorization out of Symfony to the OIDC server.
Now that we have an OIDC server, and in order to respect the decentralization state of the art, the Symfony application should not handle the user roles and permissions anymore, as it's supposed to be the responsibility of the OIDC server. The Symfony application is a resource server which communicates with the OIDC server to decentralize the user roles and permissions.
To implement this enhancement, the Symfony application must evolve to contact the OIDC server in order to check the user roles and permissions:
- user or admin
- owner of *this* review
TODO
- UserRoleVoter
- UserTokenIntrospectRoleVoter
- UserTokenPermissionVoter
Improvements (could be backported to Symfony):
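An added example, not code from this PR, of the introspection-based voter named in the TODO list above: a Symfony voter that asks the OIDC server, through the RFC 7662 `introspection_endpoint` published by discovery, whether the bearer token is still active and currently carries the requested role. It assumes the authenticator stored the raw bearer token as the security token attribute `access_token`, and that roles appear in the Keycloak-style `realm_access.roles` claim.

```php
<?php
// Added example (not the PR's code): a voter that defers the role check to the
// OIDC server via RFC 7662 token introspection. Assumed: the authenticator
// stored the raw bearer token as token attribute "access_token", and the
// introspection response lists Keycloak-style roles under realm_access.roles.
namespace App\Security\Voter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Contracts\HttpClient\HttpClientInterface;

final class UserTokenIntrospectRoleVoter extends Voter
{
    private const PREFIX = 'OIDC_ROLE_';

    public function __construct(
        private readonly HttpClientInterface $client,
        private readonly string $introspectionEndpoint, // introspection_endpoint from OIDC discovery
        private readonly string $clientId,
        private readonly string $clientSecret,
    ) {
    }

    protected function supports(string $attribute, mixed $subject): bool
    {
        return str_starts_with($attribute, self::PREFIX);
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        if (!$token->hasAttribute('access_token')) {
            return false; // nothing to introspect: deny
        }
        // Client credentials go in HTTP Basic auth, the token in the form body.
        $response = $this->client->request('POST', $this->introspectionEndpoint, [
            'auth_basic' => [$this->clientId, $this->clientSecret],
            'body' => ['token' => $token->getAttribute('access_token')],
        ]);
        if (200 !== $response->getStatusCode()) {
            return false; // deny on any non-200 answer from the OIDC server
        }
        $data = $response->toArray(false);
        if (true !== ($data['active'] ?? false)) {
            return false; // revoked, expired or unknown token
        }
        // Grant only if the OIDC server currently lists the requested role.
        $role = substr($attribute, \strlen(self::PREFIX));
        return \in_array($role, $data['realm_access']['roles'] ?? [], true);
    }
}
```

Every vote costs a round trip to the OIDC server, so cache introspection results for the token's remaining lifetime if latency matters. Keep the deny branches as they are: a resource server that falls back to locally stored roles on error quietly undoes the decentralization this PR is after.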
Links
https://www.keycloak.org/docs/latest/authorization_services/index.html