Azure / data-api-builder

Data API builder provides modern REST and GraphQL endpoints to your Azure Databases and on-prem stores.
https://aka.ms/dab/docs
MIT License

Authentication provider: `Simulator` -> Customize token claims in config #842

Open yorek opened 1 year ago

yorek commented 1 year ago

When running in development mode, there should be an option to tell DAB to automatically assume that the request is authenticated and consider any role passed in via X-MS-API-ROLE valid, to facilitate debugging and testing of defined permissions. For example, this could be a configuration that defines what I just described:

```json
"runtime": {
  "host": {
    "mode": "development",
    "authentication": {
      "provider": "emulator"
    }
  }
}
```

The emulator provider could also, in the future, allow for more configuration so that claims could also be injected into the context that is available to the developer, in order to debug policies more easily.

For example:

```json
"runtime": {
  "host": {
    "mode": "development",
    "authentication": {
      "provider": {
        "name": "emulator",
        "settings": {
          "claims": {
            "email": "john.doe@contoso.com"
          }
        }
      }
    }
  }
}
```

seantleonard commented 1 year ago

When setting "authenticate-devmode-requests": true in the Host section of the runtime config, this will allow you to define any role in the x-ms-api-role header and have that role honored for your request. Have you utilized that?

https://github.com/Azure/data-api-builder/blob/2f3bd915588553d3fd8d423fbfaf0cbd9be05966/src/Service/dab-config.MsSql.json#L20

yorek commented 1 year ago

Ah thanks for the clarification @seantleonard. No, I haven't tried as I understood it would only simulate the authenticated system role. I'll try it ASAP and update the documentation accordingly. Thanks!

yorek commented 1 year ago

I tried setting

```json
"authenticate-devmode-requests": false,
```

but I couldn't set the desired role by sending the X-MS-API-ROLE with the role I want to test. For example this request:

```sh
curl --request GET \
  --url http://localhost:5000/api/books \
  --header 'X-MS-API-ROLE: author'
```

was always treated as anonymous

yorek commented 1 year ago

Related to #865

Aniruddh25 commented 1 year ago

```json
"authenticate-devmode-requests": false,
```

@yorek, I believe you need to set it to true to get the desired effect of honoring the author role set in X-MS-API-ROLE

Aniruddh25 commented 1 year ago

With #899 merged in, need to evaluate if we still need any additional settings.

seantleonard commented 1 year ago

Revising title to "Simulating authenticated user claims using config" to capture the latest feature ask.

JerryNixon commented 11 months ago

Also we would include:

When "mode" != "development" && "provider.name" == "emulator" then Error.
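
The rule proposed in the last comment, written as a pre-deployment config check (an added example, not code from this thread or from Data API builder). It accepts both provider shapes shown in the first comment; the function names, treating a missing `mode` as non-development, and also flagging `authenticate-devmode-requests` are assumptions of this example.

```python
import json

# Provider names the thread treats as development-only ("Simulator" in the
# issue title, "emulator" in the proposed config). Compared case-insensitively.
DEV_ONLY_PROVIDERS = {"emulator", "simulator"}


def provider_name(auth):
    """Return the provider name for both shapes proposed in the thread:
    "provider": "emulator"  or  "provider": {"name": "emulator", ...}."""
    provider = auth.get("provider")
    if isinstance(provider, dict):
        provider = provider.get("name")
    return provider.lower() if isinstance(provider, str) else None


def check_dev_auth(config):
    """Return findings for dev-only auth settings used outside development mode."""
    host = config.get("runtime", {}).get("host", {})
    # Assumption: a missing "mode" is treated as not development (fail closed).
    if str(host.get("mode", "")).lower() == "development":
        return []
    findings = []
    name = provider_name(host.get("authentication", {}))
    if name in DEV_ONLY_PROVIDERS:
        findings.append(f"provider '{name}' requires mode 'development'")
    # Assumption of this example: apply the same rule to the flag that makes
    # any X-MS-API-ROLE value honored.
    if host.get("authenticate-devmode-requests") is True:
        findings.append("authenticate-devmode-requests is true outside development mode")
    return findings


# Constructed sample configs (not taken from a real deployment).
SAMPLE_DEV = json.loads("""{"runtime": {"host": {"mode": "development",
  "authentication": {"provider": "emulator"}}}}""")
SAMPLE_PROD = json.loads("""{"runtime": {"host": {"mode": "production",
  "authenticate-devmode-requests": true,
  "authentication": {"provider": {"name": "emulator",
    "settings": {"claims": {"email": "john.doe@contoso.com"}}}}}}}""")

if __name__ == "__main__":
    for label, cfg in (("dev", SAMPLE_DEV), ("prod", SAMPLE_PROD)):
        print(label, check_dev_auth(cfg) or "ok")
```

Run as a CI step, a non-empty result from `check_dev_auth` can fail the build before a config with simulated authentication reaches a non-development host.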