KeyCloak: Middleware Authentication & Authorizing services

[kohsah]

Currently various services are called by portal-ui. These are all unauthenticated, since by default users are unauthenticated in portal-ui. However, when users log-in they get authenticated and as a result get assigned a role (or multiple roles) .

In this context when services are called we need to be able to distinguish at the service end whether the user making the request to the service is authorized to do so or not, and whether the action being done by the user is allowed for that user (role).

Currently all services in portal-ui are mapped under the following root path:

• /gwd - for services running on eXist-db
• /gwp - for services running on node-js

Most services on the portal are expected to run as public access services (i.e. unautenticated), some services will likely be authenticated. e.g. for paid content , for registering for notifications etc. Such services will be authenticated via a middleware implemented on node-js which will broker the requests to the underlying service requiring authentication.

We propose running such authenticated services under the /gwa root path. The middleware authentication / authorizing layer will query keycloak for token validity and verify credentials submitted by the user before forwarding requests to the authenticated service.

[kohsah]

This has been implemented, its an express js middle-ware that introspects the authentication token and generates a failure if the user isnt permitted. Needs to be explicitly applied to specific routes. : https://github.com/gawati/gawati-auth-middleware

[ccsmart]

We might try to advertise this one upstream to possibly get some visibility / support.

[kohsah]

@ccsmart certainly, need to add some documentation. its published on npm : https://www.npmjs.com/package/gawati-auth-middleware