Authentication
Welcome to the Authentication guide of the PHYLOViZ Web Platform documentation! Here, we provide an overview of the authentication process and components used within the platform. Authentication plays a crucial role in securing access to the platform and its resources, ensuring that only authorized users can interact with the system.
The authentication sequence is depicted in the following image:
For user authentication, the PHYLOViZ Web Platform utilizes the Keycloak server. Keycloak is an open-source software product that enables single sign-on with Identity and Access Management capabilities. It is configured to use the OpenID Connect protocol.
Keycloak serves as the Identity and Access Management (IAM) solution for the platform, providing authentication, authorization, and user management features. It supports various protocols such as OAuth2, OpenID Connect, and SAML.
In the context of the PHYLOViZ Web Platform, Keycloak acts as the OpenID identity provider. It authenticates users and issues access tokens, which are used to access protected resources.
The platform uses Spring Cloud Gateway as an OpenID client. Spring Cloud Gateway leverages Keycloak's OIDC capabilities to authenticate users. Once a user is authenticated, Spring Cloud Gateway utilizes the received access token from Keycloak to forward requests to the appropriate microservice.
The microservices in the platform act as OpenID resource servers. They validate the access token received from Spring Cloud Gateway to ensure that the user is authorized to access the requested resource.
The authentication process follows these high-level steps:
- The user sends a request to access a protected resource.
- Spring Cloud Gateway intercepts the request and redirects the user to Keycloak's login page.
- The user enters their credentials on Keycloak's login page and submits the form.
- Keycloak authenticates the user and generates an access token, which contains the user's identity and authorization information.
- Keycloak sends the access token back to Spring Cloud Gateway through User-Agent redirection.
- Spring Cloud Gateway receives the access token and stores it in a session cookie.
- Spring Cloud Gateway forwards the request, along with the access token, to the appropriate microservice.
- The microservice receives the request and validates the access token through introspection, ensuring that the user is authorized to access the requested resource.
- If the access token is valid, the microservice processes the request and sends a response back to Spring Cloud Gateway.
- Spring Cloud Gateway receives the response and forwards it back to the user.
To configure the authentication components, follow these steps:
- Log in to the Keycloak server administration console.
- Navigate to the realm where you want to create the client.
- Click on "Clients" in the left-hand menu.
- Select the "phyloviz-web-platform-client" client.
- In the "Credentials" tab, click "Save", "Regenerate Secret", and then copy the "Secret" value to your clipboard.
- Configure the password of Redis in "redis/redis.conf" and the Redis credentials in the "application.yml" of the gateway.
- Open the "application.yml" file in "shared" folder and the gateway, and replace the client-secret property with the "Secret" from the Keycloak client.
By following these configuration steps, you will ensure the proper setup of the Keycloak server, Spring Cloud Gateway, and microservices for authentication within the PHYLOViZ Web Platform.
Please note that the repository includes a Keycloak configuration file containing the required client and provider configurations. However, you must configure the secrets yourself, as they are not included in the repository.
Ensure that you properly secure the secrets and follow best practices for managing sensitive information.