tl;dr: this PR aims to deport the authorization out of Symfony to the OIDC server.
Now that we have an OIDC server, and in order to respect the decentralization state of the art, the Symfony application should not handle the user roles and permissions anymore, as it's supposed to be the responsability of the OIDC server. The Symfony application is a resource server which communicates with the OIDC server to decentralize the user roles and permissions.
To implement this enhancement, the Symfony application must evolve to contact the OIDC server in order to check the user roles and permissions:
user roles are global roles applied on a user, for instance: user or admin
user permissions are user permissions on a resource, for instance: owner of *this* review
TODO
[x] create voter to check for user roles from token (UserRoleVoter)
[x] create voter to check for user roles from OIDC server (UserTokenIntrospectRoleVoter)
[x] create voter to check for user permissions from OIDC server (UserTokenPermissionVoter)
[x] create Review resources on OIDC server for remote permissions checking
Improvements (could be backported to Symfony):
[x] Use OIDC Discovery with local cache (OIDC configuration + JWKSet)
Description
tl;dr: this PR aims to deport the authorization out of Symfony to the OIDC server.
Now that we have an OIDC server, and in order to respect the decentralization state of the art, the Symfony application should not handle the user roles and permissions anymore, as it's supposed to be the responsability of the OIDC server. The Symfony application is a resource server which communicates with the OIDC server to decentralize the user roles and permissions.
To implement this enhancement, the Symfony application must evolve to contact the OIDC server in order to check the user roles and permissions:
useroradminowner of *this* reviewTODO
UserRoleVoter)UserTokenIntrospectRoleVoter)UserTokenPermissionVoter)Improvements (could be backported to Symfony):
Links
https://www.keycloak.org/docs/latest/authorization_services/index.html