feat(keycloak authentication) #4162
Conversation
… into feat-keycloak
|
| self.keycloak_client: KeycloakClient = keycloak_client | ||
| self.keycloak_backend_user = config["trailblazer"]["keycloak_backend_user"] | ||
| self.keycloak_backend_user_password = config["trailblazer"][ |
There was a problem hiding this comment.
We should create a confidential client with a client secret. This should allow us to circumvent using username+password
rd
| keycloak_backend_user: str | ||
| keycloak_backend_user_password: str |
There was a problem hiding this comment.
Remove and use client_secret_key instead
| def check_role(roles: list[str]) -> None: | ||
| """Check the user roles. | ||
| Currently set to a single permissable role, expand if needed. | ||
| Args: | ||
| roles (list[str]): The user roles received from the RealmAccess. | ||
| Raises: | ||
| UserRoleError: if required role not present | ||
| """ | ||
| if not "cg-employee" in roles: | ||
| raise UserRoleError("The user does not have the required role to access this service.") |
There was a problem hiding this comment.
Good implementation. Will depend on how our user groups are set-up. Likely to change in some degree
| if code: | ||
| token = keycloak_client.get_token_by_authorisation_code(code) | ||
| parsed_token = TokenResponseModel(**token) | ||
| LOG.info(f"access_token: {parsed_token.access_token}") |
There was a problem hiding this comment.
remove logging the access token
|
|
||
| LOG = logging.getLogger(__name__) |
There was a problem hiding this comment.
unsure why the logging is needed
| keycloak_backend_user: str = "user" | ||
| keycloak_backend_user_password: str = "password" |
There was a problem hiding this comment.
Not sure these are needed
| if not logged_in(): | ||
| return redirect(url_for("admin.index")) | ||
|
|
||
|
|
||
| def logged_in(): | ||
| user = db.get_user_by_email(email=session.get("user_email")) | ||
| return google.authorized and user and user.is_admin |
There was a problem hiding this comment.
For phase one we could keep the database check and start relying on roles in phase 2
Description
Implements keycloak as authirsation and verification provider for CG
Added
AuthenticationService
Handles logic pertaining to authentication and token verification of users
UserService
handles fetching of users from the database - introduced to reduce coupling of database to endpoints
New endpoints:
auth/login
auth/callback
auth/logout
New config settings in the Flask AppConfig to initiate the authentication service
Changed
Moved app.route("/") to its own blueprint to cleanup the _register_blueprint() function. Increased code clarity
Removed google oauth flow from front end
Fixed
closes: #4159
How to prepare for test
uspaxaHow to test
Expected test outcome
Review
Thanks for filling in who performed the code review and the test!
This version is a
Implementation Plan