Refactor auth-service /auth Endpoint for UMA-Based Authorization #28

Closed
opened 2025-06-03 23:06:43 +00:00 by abed.alrahman · 0 comments

Goal: Modify the /auth endpoint in auth-service to perform endpoint authorization by making UMA (User-Managed Access) permission evaluation requests to Keycloak, instead of checking for pre-defined client roles.

Brief Description: The /auth endpoint, used by Traefik for forward authentication, needs to be updated. When a request comes for a backend service, /auth will:

1. Validate the user's token.
2. Identify the target backend service (which acts as a Keycloak Resource Server), the specific resource (API path), and the scope (HTTP method) being accessed.
3. Make a permission evaluation request (e.g., by requesting an RPT or using the UMA evaluation endpoint) to Keycloak against the target service's Resource Server configuration.
4. Respond 200 OK (with user metadata headers) to Traefik if Keycloak grants permission, or 401/403 if denied.

This requires auth-service to be configured to understand how to map incoming requests to Keycloak resources/scopes defined by backend services.
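The four steps above as one forward-auth handler, written here as an added example in Go; it is not auth-service's code (the project's language and layout are not shown on this page). Everything named in it is an assumption: the `Route` mapping table, the `TokenValidator` hook standing in for whatever token check auth-service already has, the Keycloak token-endpoint URL, and the `orders-api` client, `orders`/`admin` resources and hostnames in the demo config. The permission evaluation request is Keycloak's UMA grant (`grant_type=urn:ietf:params:oauth:grant-type:uma-ticket`) with `response_mode=decision`, sent with the user's own access token, so no RPT is minted and the answer is a plain `{"result":true}` or a 403 `access_denied`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// Route ties a backend (by the host Traefik forwards) to its Keycloak resource server
// client and the path prefixes registered there as UMA resources (hypothetical shape).
type Route struct {
	Host           string            // X-Forwarded-Host value, port ignored
	ResourceServer string            // Keycloak client ID, sent as "audience"
	Resources      map[string]string // path prefix -> Keycloak resource name
}

// Permission is sent to Keycloak as audience + "<resource>#<scope>".
type Permission struct{ ResourceServer, Resource, Scope string }

// MapRequest turns forwarded host/method/URI into a permission. The path is cleaned so
// "/orders/../admin" maps to admin, the longest prefix wins, the method is the scope.
func MapRequest(routes []Route, host, method, uri string) (Permission, bool) {
	host = strings.Split(host, ":")[0]
	p := path.Clean("/" + strings.SplitN(uri, "?", 2)[0])
	for _, r := range routes {
		if !strings.EqualFold(r.Host, host) {
			continue
		}
		best, name := "", ""
		for prefix, res := range r.Resources {
			if strings.HasPrefix(p+"/", strings.TrimSuffix(prefix, "/")+"/") && len(prefix) > len(best) {
				best, name = prefix, res
			}
		}
		if best != "" {
			return Permission{r.ResourceServer, name, strings.ToUpper(method)}, true
		}
	}
	return Permission{}, false // unmapped request: the caller must fail closed
}

// Evaluate asks Keycloak's token endpoint for a decision (UMA grant, response_mode=decision)
// with the user's own token: 200 {"result":true} grants, 403 access_denied denies.
func Evaluate(c *http.Client, tokenEndpoint, token string, perm Permission) (bool, error) {
	form := url.Values{
		"grant_type":    {"urn:ietf:params:oauth:grant-type:uma-ticket"},
		"audience":      {perm.ResourceServer},
		"permission":    {perm.Resource + "#" + perm.Scope},
		"response_mode": {"decision"},
	}
	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return false, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	switch resp.StatusCode {
	case http.StatusOK:
		var d struct{ Result bool `json:"result"` }
		err = json.Unmarshal(body, &d)
		return err == nil && d.Result, err
	case http.StatusForbidden: // {"error":"access_denied","error_message":"not_authorized"}
		return false, nil
	}
	return false, fmt.Errorf("keycloak returned %d: %s", resp.StatusCode, body) // outage, never a grant
}

// TokenValidator checks signature and expiry and returns the subject; auth-service is
// assumed to have one already (Keycloak would also reject a bad token, but later and slower).
type TokenValidator func(token string) (subject string, err error)

// ForwardAuthHandler is /auth as Traefik calls it: original method, host and URI arrive
// in X-Forwarded-* headers and the client's Authorization header is passed through.
func ForwardAuthHandler(routes []Route, tokenEndpoint string, validate TokenValidator, c *http.Client) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if len(auth) < 8 || !strings.EqualFold(auth[:7], "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		token := strings.TrimSpace(auth[7:])
		sub, err := validate(token)
		if err != nil {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		perm, ok := MapRequest(routes, r.Header.Get("X-Forwarded-Host"),
			r.Header.Get("X-Forwarded-Method"), r.Header.Get("X-Forwarded-Uri"))
		if !ok { // fail closed: an unregistered path is not an open path
			http.Error(w, "no resource mapping for request", http.StatusForbidden)
			return
		}
		allowed, err := Evaluate(c, tokenEndpoint, token, perm)
		if err != nil {
			http.Error(w, "authorization backend error", http.StatusBadGateway)
			return
		}
		if !allowed {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		w.Header().Set("X-Auth-User", sub) // user metadata Traefik copies to the backend
		w.WriteHeader(http.StatusOK)
	})
}

func main() { // offline demo of the mapping step with a constructed route table
	routes := []Route{{Host: "orders.example.com", ResourceServer: "orders-api",
		Resources: map[string]string{"/orders": "orders", "/admin": "admin"}}}
	fmt.Println(MapRequest(routes, "orders.example.com:443", "get", "/orders/42?expand=1")) // {orders-api orders GET} true
}
```

Two behaviours are deliberate. A request whose host or path matches no registered resource gets 403 rather than being waved through, and so does any non-200/403 answer from Keycloak, so an outage of the authorization server denies instead of grants. The forwarded URI is cleaned with `path.Clean` before prefix matching, because otherwise `/orders/../admin` would be evaluated against the `orders` resource while the backend serves `/admin`. Each backend's Keycloak client needs Authorization enabled with its resources and the HTTP methods as scopes, and Traefik's forwardAuth middleware must list `X-Auth-User` in `authResponseHeaders` for the metadata header to reach the backend.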
abed.alrahman added this to the V.01 milestone 2025-06-04 10:29:48 +00:00
hurui200320 added reference feat/28 2025-06-16 06:44:36 +00:00
hurui200320 2025-06-30 09:05:21 +00:00
Depends on
#9 Design the Group/Tenant Feature
Reference: clevermicro/user-management#28