Implement Access Control in auth-service via Traefik Forward Auth #3

Closed
opened 2025-04-22 22:11:56 +00:00 by abed.alrahman · 2 comments
Member

Ref epic: #13 (https://git.cleverthis.com/clevermicro/user-management/issues/13)

Goal: Implement the access control mechanism (defined in the design ticket #2) within the auth-service, enabling it to act as a decision point for Traefik's forward authentication middleware based on rules ultimately defined by backend services.

Prerequisite: Completion of "Ticket #2: Design Permission System for Endpoint Access Control".

What needs to be done:

1. Create Forward Auth Endpoint: Add a new endpoint to the auth-service, for example: GET /auth. This endpoint is intended to be called by Traefik's forwardAuth middleware.
2. Implement Core Logic: Inside the /auth endpoint:
   - Receive request details from Traefik headers (e.g., Authorization, X-Forwarded-Method, X-Forwarded-Uri, X-Forwarded-Host).
   - Extract the Bearer token from the Authorization header.
   - Validate the token using Keycloak (e.g., via its introspection endpoint). If invalid or expired, return 401 Unauthorized.
   - Extract relevant user information (username, groups, roles) from the valid token.
   - Apply the chosen design's logic:
     - If using Central Policy Store: Query the store for rules matching the request method/URI. Compare the user's groups/roles against the rule.
     - If using Backend Callback: Determine the target backend service. Make a request to its permission check endpoint (e.g., /_check_permission) including user info and original request details. Use the backend's response (allow/deny).
   - Based on the outcome of the check, return the appropriate HTTP status code to Traefik:
     - 2xx (e.g., 200 OK or 204 No Content) if access is allowed.
     - 403 Forbidden if access is denied based on permissions.
     - 401 Unauthorized if the token was invalid/missing.

Deliverables:

Updated auth-service source code, including the /auth endpoint and access control logic.
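The decision logic of the /auth endpoint for the Central Policy Store variant, as an added example that is not the auth-service's code: a pure function that takes the headers Traefik forwards, a callable standing in for the Keycloak introspection call, and a constructed rule list, and returns the status code the endpoint would send back (204 allow, 401 bad token, 403 denied, default deny when no rule matches). The `Rule` shape, the sample policy, the fake introspector and the group claim name are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Sequence
import fnmatch
import posixpath


@dataclass(frozen=True)
class Rule:
    method: str            # HTTP method or "*" for any
    uri_pattern: str       # glob over the normalized path, e.g. "/orders/*"
    allowed_groups: frozenset


# Constructed sample policy (hypothetical central policy store contents).
POLICY = [
    Rule("GET", "/orders/*", frozenset({"sales", "admin"})),
    Rule("*", "/admin/*", frozenset({"admin"})),
]


def fake_introspect(token: str) -> Optional[dict]:
    """Stand-in for Keycloak's introspection endpoint; constructed test data."""
    if token == "good-token":
        return {"active": True, "username": "alice", "groups": ["sales"]}
    return {"active": False}   # Keycloak reports invalid/expired tokens this way


def forward_auth(headers: Mapping[str, str],
                 introspect: Callable[[str], Optional[dict]],
                 policy: Sequence[Rule] = POLICY) -> int:
    """Return the status Traefik should receive: 204 allow, 401 no/invalid token, 403 deny."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401                      # missing or non-Bearer credential
    claims = introspect(token.strip())
    if not claims or not claims.get("active"):
        return 401                      # invalid or expired per introspection
    groups = set(claims.get("groups", []))
    method = headers.get("X-Forwarded-Method", "").upper()
    # Strip the query and collapse dot segments so "/orders/../admin/x"
    # is matched as "/admin/x" rather than slipping past the /orders/ rule.
    raw_path = headers.get("X-Forwarded-Uri", "/").split("?", 1)[0]
    path = posixpath.normpath(raw_path)
    for rule in policy:
        if rule.method in ("*", method) and fnmatch.fnmatchcase(path, rule.uri_pattern):
            return 204 if groups & rule.allowed_groups else 403
    return 403                          # default deny: no rule covers this request
```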

depends on / is blocked by 'have independent keycloak instance deployed' in CleverThis company context, as a DEVELOPMENT env instance (identity-management project task)

Owner

@aleenaumair @stanislav.hejny

This ticket has no milestone, fix that before proceeding with the ticket. I will moscow anyway.

aleenaumair added this to the V.01 milestone 2025-05-05 10:02:24 +00:00
abed.alrahman added reference Implement_Access_Control_in_auth-service#3 2025-05-14 23:46:47 +00:00
hurui200320 2025-06-12 11:15:56 +00:00
Reference: clevermicro/user-management#3