Implement Access Control in auth-service via Traefik Forward Auth #3

Closed
opened 2025-04-22 22:11:56 +00:00 by abed.alrahman · 2 comments
Member

Ref epic: #13

Goal: Implement the access control mechanism (defined in the design ticket #2) within the auth-service, enabling it to act as a decision point for Traefik's forward authentication middleware based on rules ultimately defined by backend services.

Prerequisite: Completion of "Ticket #2: Design Permission System for Endpoint Access Control".

What needs to be done:

Create Forward Auth Endpoint: Add a new endpoint to the auth-service, for example: GET /auth. This endpoint is intended to be called by Traefik's forwardAuth middleware.
Implement Core Logic: Inside the /auth endpoint:
    Receive request details from Traefik headers (e.g., Authorization, X-Forwarded-Method, X-Forwarded-Uri, X-Forwarded-Host).
    Extract the Bearer token from the Authorization header.
    Validate the token using Keycloak (e.g., via its introspection endpoint). If invalid or expired, return 401 Unauthorized.
    Extract relevant user information (username, groups, roles) from the valid token.
    Apply the chosen design's logic:
        If using Central Policy Store: Query the store for rules matching the request method/URI. Compare the user's groups/roles against the rule.
        If using Backend Callback: Determine the target backend service. Make a request to its permission check endpoint (e.g., /_check_permission) including user info and original request details. Use the backend's response (allow/deny).
    Based on the outcome of the check, return the appropriate HTTP status code to Traefik:
        2xx (e.g., 200 OK or 204 No Content) if access is allowed.
        403 Forbidden if access is denied based on permissions.
        401 Unauthorized if the token was invalid/missing.

Deliverables:

Updated auth-service source code, including the /auth endpoint and access control logic.
Ref epic: [#13](https://git.cleverthis.com/clevermicro/user-management/issues/13) Goal: Implement the access control mechanism (defined in the design ticket #2) within the auth-service, enabling it to act as a decision point for Traefik's forward authentication middleware based on rules ultimately defined by backend services. Prerequisite: Completion of "Ticket #2: Design Permission System for Endpoint Access Control". What needs to be done: Create Forward Auth Endpoint: Add a new endpoint to the auth-service, for example: GET /auth. This endpoint is intended to be called by Traefik's forwardAuth middleware. Implement Core Logic: Inside the /auth endpoint: Receive request details from Traefik headers (e.g., Authorization, X-Forwarded-Method, X-Forwarded-Uri, X-Forwarded-Host). Extract the Bearer token from the Authorization header. Validate the token using Keycloak (e.g., via its introspection endpoint). If invalid or expired, return 401 Unauthorized. Extract relevant user information (username, groups, roles) from the valid token. Apply the chosen design's logic: If using Central Policy Store: Query the store for rules matching the request method/URI. Compare the user's groups/roles against the rule. If using Backend Callback: Determine the target backend service. Make a request to its permission check endpoint (e.g., /_check_permission) including user info and original request details. Use the backend's response (allow/deny). Based on the outcome of the check, return the appropriate HTTP status code to Traefik: 2xx (e.g., 200 OK or 204 No Content) if access is allowed. 403 Forbidden if access is denied based on permissions. 401 Unauthorized if the token was invalid/missing. Deliverables: Updated auth-service source code, including the /auth endpoint and access control logic.
abed.alrahman added the
Points
21
Priority
Medium
Blocked
labels 2025-04-22 22:11:56 +00:00
stanislav.hejny added the
Type
Task
label 2025-04-29 10:34:19 +00:00
Member

depends on / is blocked by 'have independent keycloak instance deployed' in CleverThis company context, as a DEVELOPMENT env instance (identity-management project task)

depends on / is blocked by 'have independent keycloak instance deployed' in CleverThis company context, as a DEVELOPMENT env instance (identity-management project task)
stanislav.hejny added the
State
Verified
label 2025-04-30 18:48:34 +00:00
Owner

@aleenaumair @stanislav.hejny

This ticket has no milestone, fix that before proceeding with the ticket. I will moscow anyway.

@aleenaumair @stanislav.hejny This ticket has no milestone, fix that before proceeding with the ticket. I will moscow anyway.
freemo added the
MoSCoW
Should have
label 2025-05-05 01:11:40 +00:00
aleenaumair added this to the V.01 milestone 2025-05-05 10:02:24 +00:00
abed.alrahman added
State
In Progress
and removed
State
Verified
labels 2025-05-11 00:50:55 +00:00
abed.alrahman self-assigned this 2025-05-11 00:58:29 +00:00
abed.alrahman added
State
In Review
and removed
State
In Progress
labels 2025-05-14 23:43:28 +00:00
abed.alrahman added reference Implement_Access_Control_in_auth-service#3 2025-05-14 23:46:47 +00:00
abed.alrahman added a new dependency 2025-05-20 01:18:28 +00:00
abed.alrahman removed the Blocked label 2025-05-20 01:22:32 +00:00
abed.alrahman added this to the Sprint May 1st- 14th project 2025-05-20 01:22:38 +00:00
abed.alrahman added a new dependency 2025-05-28 00:21:30 +00:00
hurui200320 added
State
Completed
and removed
State
In Review
labels 2025-06-12 11:15:56 +00:00
Sign in to join this conversation.
3 Participants
Notifications
Due Date
No due date set.
Blocks
You do not have permission to read 1 dependency
Depends on
Reference: clevermicro/user-management#3