Compare commits

..

3 Commits

Author SHA1 Message Date
Abed 465c7fd8ec Implement Intra-Organization Group Management APIs in auth-service #25
Unit test coverage / gradle-test (pull_request) Failing after 3m27s
Unit test coverage / gradle-test (push) Failing after 1m55s
CI for publishing docker image / build-and-publish (push) Successful in 2m33s
2025-07-01 11:24:51 +08:00
Abed 6f0af690f2 feat #24 Implement Tenant (Organization) Management APIs in auth-service 2025-07-01 11:24:50 +08:00
hurui200320 0fc59eef0e Implement UMA ticket for forward-auth (#31)
Unit test coverage / gradle-test (push) Failing after 1m48s
CI for publishing docker image / build-and-publish (push) Successful in 2m30s
According to design https://docs.cleverthis.com/en/architecture/microservices/feature-discussion/service-specific-permission-system, this PR replaced the role-based forward auth with UMA ticket to allow keycloak to verify permission based on client authorization rules, which supports roles, with extra features like resource access control and group/organization.

Other than that, this PR also:

+ add config properties objects, which allows easier unit test
+ adapt setup from clevermicro/identity-management#9, now the auth-service works with the dev realm created in identity management repo
+ add pass-through config, allow clients to configure a list of rules to skip the token checking. Use case: CleverBRAG's token for its API access

This PR bumps the coverage rate to 73%, which is still below 85%. Thus the pipeline is failing.

Reviewed-on: #31
Reviewed-by: Stanislav Hejny <stanislav.hejny@cleverthis.com>
Co-authored-by: Rui Hu <rui.hu@cleverthis.com>
Co-committed-by: Rui Hu <rui.hu@cleverthis.com>
2025-06-30 09:05:14 +00:00
2 changed files with 7 additions and 2 deletions
@@ -179,7 +179,8 @@ public class AuthController {
RequestMethod.PUT, RequestMethod.DELETE,
RequestMethod.PATCH})
public Mono<ResponseEntity<?>> forwardAuth(
@RequestHeader(HttpHeaders.AUTHORIZATION) String authorizationHeader,
@RequestHeader(value = HttpHeaders.AUTHORIZATION, required = false)
String authorizationHeader,
@RequestHeader(HEADER_X_FORWARDED_METHOD) String originalMethod,
@RequestHeader(HEADER_X_FORWARDED_URI) String originalUriString
) {
@@ -199,6 +200,9 @@ public class AuthController {
if (shouldPassThrough(targetServiceClientId, serviceRelativePath)) {
return Mono.just(ResponseEntity.status(HttpStatus.NO_CONTENT).build());
}
if (authorizationHeader == null) {
return Mono.just(ResponseEntity.status(HttpStatus.BAD_REQUEST).build());
}
// no pass-through, check permission
final var accessToken = extractBearerToken(authorizationHeader);
if (accessToken == null) {
+2 -1
View File
@@ -15,7 +15,8 @@ spring:
# Keycloak Configuration (adjust values as needed)
keycloak:
server-url: ${KEYCLOAK_AUTH_SERVER_URL:http://localhost:9100} # Base URL of your Keycloak instance (NO trailing slash)
keycloak-host: ${KEYCLOAK_AUTH_SERVER_URL:http://localhost:9100} # Base URL of your Keycloak instance (NO trailing slash)
keycloak-admin-host: ${KEYCLOAK_AUTH_ADMIN_SERVER_URL:http://localhost:9100} # Base URL of your Keycloak instance (NO trailing slash)
realm: ${KEYCLOAK_AUTH_REALM:clevermicro-dev} # The realm name you are using
client-id: ${KEYCLOAK_AUTH_SERVICE_CLIENT:auth-service} # Client ID created in Keycloak for this service
client-secret: ${KEYCLOAK_AUTH_SERVICE_SECRET:UJ1sMcWciIRREfjjAGoLHUDynLT4aYdD} # Client Secret from Keycloak (use secrets management!)