Conversation
… into feat-keycloak
|
| self.keycloak_client: KeycloakClient = keycloak_client | ||
| self.keycloak_backend_user = config["trailblazer"]["keycloak_backend_user"] | ||
| self.keycloak_backend_user_password = config["trailblazer"][ |
There was a problem hiding this comment.
We should create a confidential client with a client secret. This should allow us to circumvent using username+password
rd
| keycloak_backend_user: str | ||
| keycloak_backend_user_password: str |
There was a problem hiding this comment.
Remove and use client_secret_key instead
| def check_role(roles: list[str]) -> None: | ||
| """Check the user roles. | ||
| Currently set to a single permissable role, expand if needed. | ||
| Args: | ||
| roles (list[str]): The user roles received from the RealmAccess. | ||
| Raises: | ||
| UserRoleError: if required role not present | ||
| """ | ||
| if not "cg-employee" in roles: | ||
| raise UserRoleError("The user does not have the required role to access this service.") |
There was a problem hiding this comment.
Good implementation. Will depend on how our user groups are set-up. Likely to change in some degree
| if code: | ||
| token = keycloak_client.get_token_by_authorisation_code(code) | ||
| parsed_token = TokenResponseModel(**token) | ||
| LOG.info(f"access_token: {parsed_token.access_token}") |
There was a problem hiding this comment.
remove logging the access token
|
|
||
| LOG = logging.getLogger(__name__) |
There was a problem hiding this comment.
unsure why the logging is needed
| keycloak_backend_user: str = "user" | ||
| keycloak_backend_user_password: str = "password" |
| if not logged_in(): | ||
| return redirect(url_for("admin.index")) | ||
|
|
||
|
|
||
| def logged_in(): | ||
| user = db.get_user_by_email(email=session.get("user_email")) | ||
| return google.authorized and user and user.is_admin |
There was a problem hiding this comment.
For phase one we could keep the database check and start relying on roles in phase 2
5 participants
Description
Implements keycloak as authirsation and verification provider for CG
Added
AuthenticationService
Handles logic pertaining to authentication and token verification of users
UserService
handles fetching of users from the database - introduced to reduce coupling of database to endpoints
New endpoints:
auth/login
auth/callback
auth/logout
New config settings in the Flask AppConfig to initiate the authentication service
Changed
Moved app.route("/") to its own blueprint to cleanup the _register_blueprint() function. Increased code clarity
Removed google oauth flow from front end
Fixed
closes: #4159
How to prepare for test
uspaxaHow to test
Expected test outcome
Review
Thanks for filling in who performed the code review and the test!
This version is a
Implementation Plan