Review and refine ADR about Keycloak middleware #87
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -38,9 +38,12 @@ VEDA Auth Central deploys and manages out of the box open source Keycloack for V | |
|
|
||
|
|
||
| ## Drivers | ||
| - **Supports Complex Authorization Needs**: Support application-based user subscriptions, scope inheritance, and detailed access control for multiple environments (dev, staging, production). | ||
| - **Simple Administration**: How easy it is for administrators such as science program leads to manage users or groups on their own | ||
| - **Graphical User Interface**: Ease of providing a graphical user interface for user and group administration | ||
| - **Community friendly**: How well the solution fits into VEDA as an ecosystem of community-maintained open source platform components | ||
| - **Generic integration**: Whether the solution offers generic integration patterns, such that applications can reuse logic for other publicly available providers like Auth0 | ||
| - **Well documented**: Quality and completeness of documentation, important to ensure good uptake by applications and other instances of the platform | ||
|
Comment on lines
+41
to
+46
There was a problem hiding this comment. These are the most significant changes to review. There was a problem hiding this comment. @j08lue can we explicitly add "support for Device Authentication Flow / Grant" to the document? I imagine this would be the recommended way for users to authenticate and get elevated scopes from remote environments like JupyterHub. There was a problem hiding this comment. Yes, let us do that. I think this document should not turn into a requirements list for the auth solution, though - that list should live elsewhere - right now that is what is happening in the use cases doc, I guess? WDYT, @DImuthuUpe and @smarru? There was a problem hiding this comment. @batpad Typically device auth flow is being used for tools installed on devices (IDEs, Collaborative tools). For web apps like JupyterHub it is better to be done through standard redirects. If you have some references for this recommendation, please let us know. There was a problem hiding this comment. @j08lue did you mean the google doc or #85 (reply in thread)? There was a problem hiding this comment. @DImuthuUpe thanks for the comment, and I probably should have explained better. Let me know if it's useful to break this out into a separate ticket, as the discussion around how users authenticate from within JupyterHub to access other services is likely a conversation that involves more people involved, and I want to do that at the appropriate place. Maybe for this document the high level requirement is something like "Allow for users on remote machines to authenticate in an easy and secure way". You are very correct that for a regular webapp, one would use OAuth with standard redirects, and this is what we would do to login to JupyterHub itself. When a user is accessing a JupyterHub instance through their browser, it's very similar to an ssh session, or a session to a remote machine, just happening through the browser. So a use-case here would be: A user, using a remote shell in the Jupyter instance, needs to authenticate to a VEDA app, for example the STAC backend. We likely have two options here:
I am definitely not the expert on this, and there maybe things I might be missing. From conversations with @yuvipanda and @alukach, it seemed that Device Auth Flow would be a good way to support authentication for people who needed to run scripts on remote machines, either over things like ssh or via JupyterHub. If it seems like it might be hard to support Device Auth Flow, or if this requires further discussion, am happy to make a ticket specifically for this to get into details a bit. Thanks again for the response here! There was a problem hiding this comment. This is very helpful. Thanks @batpad. Now I understand your thought process. Regarding the device auth flow, it can be enabled. We might have to move this discussion to a different ticket to talk about that as that decision depends on the usecase. But we can assume the auth central will enable all the auth flows described in Oauth2 spec. |
||
|
|
||
| ## Considered Options: | ||
|
|
||
|
|
@@ -49,6 +52,7 @@ VEDA Auth Central deploys and manages out of the box open source Keycloack for V | |
| - Simple to implement with minimal development effort. | ||
| - Utilizes Keycloak’s built-in features and administration tools. | ||
| - Lower initial setup cost. | ||
| - Comes with an admin GUI. | ||
| - **Cons:** | ||
| - Lacks support for application-specific authorization, complex user onboarding, and automated group management. | ||
| - Cannot support advanced use cases like scope inheritance or application-based user subscriptions. | ||
|
|
@@ -67,9 +71,12 @@ VEDA Auth Central deploys and manages out of the box open source Keycloack for V | |
| - Provides the flexibility to implement specific business logic, including fine-grained authorization and user management. | ||
| - Allows Keycloak to be upgraded and maintained independently of the custom logic. | ||
| - Supports the scalability and customization needs of Veda Auth Central without overly complicating the core IAM solution. | ||
| - By introducing application-specific entities and reusable templates, the custom layer simplifies the management of access policies and reduces the risk of misconfiguration that could arise from directly managing these controls within Keycloak. | ||
| - **Cons:** | ||
| - Additional effort required to develop and maintain the custom layer and its documentation. | ||
| - Potential for increased complexity in managing the interaction between Keycloak and the custom layer. | ||
| - Risk of requiring solution-specific logic on the application side. | ||
| - Requires development of a custom administation GUI. | ||
|
|
||
| ## Decision Outcome | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does 'application-based user subscriptions' mean? It doesn't seem to be a term that's commonly used in the authentication / authorization community, I can't find a definition of that in the NASA-IMPACT github org, in this repo, in the Apache custos repo, any of the google docs that has been shared with me (at least according to google drive, but that's not exhaustive) or in slack. If it's an important driver, I want to understand what it means and which application needs it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Similar question for 'scope inheritance', and how it differs from 'child groups' that keycloak offers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@alukach has raised this already in #85 (comment). It would be very useful to get more clarity about these!