search

FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io
90 stars 12 forks source link

Application scoped maintenance intercept #305

Open davidmw opened 5 years ago

davidmw commented 5 years ago

App maintenance intercept

Problem

We have a suite of front end and API apps defined in and secured by FusionAuth. We have some nice deployment options for the APIs that let us coordinate slot swapping but the front end can't make use of it. There will be times in which we need to make a production deployment and get immediate access to these apps for testing / configuration while keeping the public out.

Solution

The majority of our API are authenticated and this suggests that FusionAuth could be the gatekeeper for a 'closed for maintenance' mode that would catch both active sessions and new session requests.

The FusionAuth 'deactivate application' feature isn't useful for this. It doesn't interrupt active sessions and doesn't permit the development team to utilise the app.

I'm suggesting that user accounts can be configured as 'development' or 'internal' using something like a specific role, user data or on an application basis.

Then the application needs a switch to toggle the maintenance intercept mode. Internal users can authenticate or continue existing sessions as normal. Everyone else would be directed to a templated status screen displaying a message that we set as needed.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan commented 5 years ago

Thanks for the suggestion @davidmw.

To summarize, you're asking for a way to separate users by application or other mechanism which would allow you to make the FusionAuth login appear "shut down for maintenance" for all users except those designated to continue to be able to authenticate.

What comes to mind is just a new concept on an application such as "maintenance mode" which would allow FusionAuth to redirect the login page to a "in maintenance" screen simply based upon the client_id parameter.

This "maintenance" screen then could be part of the theme.

davidmw commented 5 years ago

So if the goal is to let only internal users login and keep those sessions alive, maybe the maintenance screen isn't the solution.

All visitors need to attempt authentication so we know who is who. Only some should get thru during maintenance mode. I think this might mean that the login screen shows a maintenance mode banner to display status but still let anyone attempt to authenticate.

Then what? If the visitor isn't a permitted user we could just kick them back to the login screen (with the banner explaining things). If that login screen updates every few minutes those blocked users won't be held up longer than necessary.

I'm not sure what additional steps could be taken. One of the goals of maintenance mode would be to protect users data and the application's database. If our API handles all the database activity and we do authorization checks on those endpoints - maybe authorization failures would accomplish that. Maybe refresh tokens aren't issued to the blocked users during maintenance of that app, make tokens are revoked.