spleshka opened this issue 6 years ago (status: Open)
Initial tech concept for SSO:
API Bus should just proxy all requests from frontend to SSO Drupal instance as I understand.
Does this mean that we need to implement some kind of auth mechanism in all backend apps and services we have?
Maybe the process should look something like this:
Frontend -> API Bus(token request) -> SSO -> API Bus -> Frontend (Token received) -> API Bus (Auth request) -> some backend service -> SSO (actual auth) -> some backend service -> API Bus (user data received) -> Frontend (user authenticated).
I am not sure about this yet. This is something we need to make decision according to what our needs are.
Hi @otarza, thanks for the thorough plan. Can you tell me what your thoughts are on these Qs:
Hi @spleshka,
Here is what I think for now:
Hi @otarza ,
- Backend services should use the auth token provided by the frontend and send it to SSO to authenticate; if the token is valid, SSO (simple_oauth) will return user data + info about roles and permissions.
You can't have such a complicated trip for every request. Otherwise, the performance will be awful. There should be a solution to make the request to the SSO only when it's needed, not on every request.
I agree about the "proxy" users. We don't need to copy the permissions - only the roles. The permissions will be set to certain roles per backend app.
Why don't we try to set a domain-level cookie for all backend apps (including SSO and API bus)? Then once a user is authenticated against SSO and the cookie is set, we can authenticate him against all other backend apps using the same cookie. So SSO's cookie with auth data should be accessible to all backend apps, though every app will have its own cookie domain for the authentication token within the app (but SSO's cookie is accessible to everyone).
Hi @spleshka,
Can you update the concept / tasks based on the latest conversation and get started with the proof of concept implementation?
@otarza actually, I think we can just close this issue and create a new one to run proof of concept.
@spleshka yes we can create one parent Issue but it will be a big one, after that we should break it down to smaller ones.
Terminology:
SSO
Frontend
Authenticate against SSO. SSO should send back ticket ID, expiration and user name.
Frontend to include ticket number alongside with every request to backends
Frontend to revalidate ticket connection before request to the backend if it expires
Ticket number and expiration to be stored in cookies:
Think through security implications. Instead of cookies it can be stored in browser storage.
Any D8 microservice
Workflows
Initial authentication from the frontend
Making authorized requests to the backend
Authentication of FE request against backend
User update (status or roles). Close the active SSO session. D8 microservices will pull the new info the next time a new ticket ID is sent from the frontend.
Authentication from backend services
Log out
Other notes
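The ticket workflow in the outline above (ticket ID, expiration and user name from SSO; backends validating the ticket; roles from SSO mapped to per-app permissions) and the earlier concern about a round trip to SSO on every request can be sketched together. This is an added illustration, not code from the project: the SSO endpoint is a constructed in-memory stand-in, ticket IDs and timestamps are constructed sample values, and the backend checks with SSO once per ticket and reuses the answer until that ticket's own expiration.

```python
# Constructed stand-in for the SSO ticket endpoint (not the project's code).
# Maps ticket ID -> (user name, roles, expiration as a unix timestamp).
SSO_TICKETS = {
    "tkt-alice": ("alice", {"editor"}, 1_700_000_600),
    "tkt-bob":   ("bob",   {"viewer"}, 1_700_000_030),
}
_sso_calls = [0]  # counts round trips the backend made to SSO


def sso_validate(ticket_id):
    """Simulated SSO lookup: user data for a known ticket, None otherwise."""
    _sso_calls[0] += 1
    rec = SSO_TICKETS.get(ticket_id)
    if rec is None:
        return None
    return {"user": rec[0], "roles": rec[1], "exp": rec[2]}


def sso_call_count():
    return _sso_calls[0]


# Per-app mapping: SSO only supplies roles; this backend decides permissions.
APP_PERMISSIONS = {"editor": {"read", "write"}, "viewer": {"read"}}


class TicketAuthenticator:
    """Backend-side check: ask SSO once per ticket ID, then trust the cached
    answer until the ticket expires. A new ticket ID (e.g. after a role change
    closed the old session) is unknown to the cache and forces a fresh pull."""

    def __init__(self):
        self._cache = {}  # ticket_id -> user data returned by SSO

    def authorize(self, ticket_id, permission, now):
        info = self._cache.get(ticket_id)
        if info is None or info["exp"] <= now:
            # Cache miss or stale entry: go to SSO, never keep an expired ticket.
            info = sso_validate(ticket_id)
            if info is None or info["exp"] <= now:
                self._cache.pop(ticket_id, None)
                return False, "invalid or expired ticket"
            self._cache[ticket_id] = info
        granted = set().union(*(APP_PERMISSIONS.get(r, set()) for r in info["roles"]))
        if permission not in granted:
            return False, f"{info['user']} lacks {permission}"
        return True, info["user"]
```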