Refactor auth-service /auth Endpoint for UMA-Based Authorization #28

Closed
opened 2025-06-03 23:06:43 +00:00 by abed.alrahman · 0 comments
Member

Goal: Modify the /auth endpoint in auth-service to perform endpoint authorization by making UMA (User-Managed Access) permission evaluation requests to Keycloak, instead of checking for pre-defined client roles.
Brief Description: The /auth endpoint, used by Traefik for forward authentication, needs to be updated. When a request comes for a backend service, /auth will:

Validate the user's token.
Identify the target backend service (which acts as a Keycloak Resource Server), the specific resource (API path), and the scope (HTTP method) being accessed.
Make a permission evaluation request (e.g., by requesting an RPT or using the UMA evaluation endpoint) to Keycloak against the target service's Resource Server configuration.
Respond 200 OK (with user metadata headers) to Traefik if Keycloak grants permission, or 401/403 if denied. This requires auth-service to be configured to understand how to map incoming requests to Keycloak resources/scopes defined by backend services.
Goal: Modify the /auth endpoint in auth-service to perform endpoint authorization by making UMA (User-Managed Access) permission evaluation requests to Keycloak, instead of checking for pre-defined client roles. Brief Description: The /auth endpoint, used by Traefik for forward authentication, needs to be updated. When a request comes for a backend service, /auth will: Validate the user's token. Identify the target backend service (which acts as a Keycloak Resource Server), the specific resource (API path), and the scope (HTTP method) being accessed. Make a permission evaluation request (e.g., by requesting an RPT or using the UMA evaluation endpoint) to Keycloak against the target service's Resource Server configuration. Respond 200 OK (with user metadata headers) to Traefik if Keycloak grants permission, or 401/403 if denied. This requires auth-service to be configured to understand how to map incoming requests to Keycloak resources/scopes defined by backend services.
abed.alrahman added the
Type
Task
State
Unverified
labels 2025-06-03 23:06:43 +00:00
abed.alrahman added a new dependency 2025-06-03 23:07:09 +00:00
abed.alrahman added
State
Verified
Points
8
Priority
High
and removed
State
Unverified
labels 2025-06-04 10:29:45 +00:00
abed.alrahman added this to the V.01 milestone 2025-06-04 10:29:48 +00:00
hurui200320 self-assigned this 2025-06-09 08:06:06 +00:00
hurui200320 added
State
In Progress
and removed
State
Verified
labels 2025-06-09 08:06:11 +00:00
hurui200320 added this to the Sprint June 1st- 14th project 2025-06-11 10:10:36 +00:00
hurui200320 added reference feat/28 2025-06-16 06:44:36 +00:00
hurui200320 added a new dependency 2025-06-16 10:10:42 +00:00
hurui200320 added
State
In Review
and removed
State
In Progress
labels 2025-06-16 10:10:47 +00:00
hurui200320 added
State
Completed
and removed
State
In Review
labels 2025-06-30 09:05:21 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Depends on
#9 Design the Group/Tenant Feature
clevermicro/user-management
Reference: clevermicro/user-management#28