✨(api) allow multiple authentication backends simultaneously
Previously, Ralph allowed Basic or OIDC authentication, but not simultaneously. This PR allows Ralph to handle both at once, answering a use case where machine users connect through Basic auth while human users use OIDC (for example).
Showing 19 changed files with 337 additions and 195 deletions.
@@ -108,9 +108,10 @@ $ curl --user [email protected]:PASSWORD http://localhost:8100/whoami | |
|
||
Ralph LRS API server supports OpenID Connect (OIDC) on top of OAuth 2.0 for authentication and authorization. | ||
|
||
To enable OIDC auth, you should set the `RALPH_RUNSERVER_AUTH_BACKEND` environment variable as follows: | ||
|
||
To enable OIDC auth, you should modify the `RALPH_RUNSERVER_AUTH_BACKENDS` environment variable by adding (or replacing by) `oidc`: | ||
```bash | ||
RALPH_RUNSERVER_AUTH_BACKEND=oidc | ||
RALPH_RUNSERVER_AUTH_BACKENDS=basic,oidc | ||
``` | ||
and you should define the `RALPH_RUNSERVER_AUTH_OIDC_ISSUER_URI` environment variable with your identity provider's Issuer Identifier URI as follows: | ||
```bash | ||
|
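Review bot: the rename from `RALPH_RUNSERVER_AUTH_BACKEND` to `RALPH_RUNSERVER_AUTH_BACKENDS` (and from a single value to a comma-separated list) is a breaking configuration change for existing deployments, and this documentation hunk does not say so; add a short migration note stating that the old singular variable is no longer read and that operators must set `RALPH_RUNSERVER_AUTH_BACKENDS=basic,oidc` (or `oidc` alone) instead. The phrase "by adding (or replacing by) `oidc`" also reads awkwardly; consider "by adding `oidc` to the list (or replacing `basic` with it)", and state explicitly that listing `basic,oidc` enables both backends at once, since that is the point of this change.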
@@ -1,11 +1,51 @@ | ||
"""Main module for Ralph's LRS API authentication.""" | ||
from typing import Optional | ||
|
||
from ralph.api.auth.basic import get_basic_auth_user | ||
from fastapi import Depends, HTTPException, status | ||
from fastapi.security import SecurityScopes | ||
|
||
from ralph.api.auth.basic import AuthenticatedUser, get_basic_auth_user | ||
from ralph.api.auth.oidc import get_oidc_user | ||
from ralph.conf import settings | ||
from ralph.conf import AuthBackend, settings | ||
|
||
|
||
def get_authenticated_user( | ||
security_scopes: SecurityScopes = SecurityScopes([]), | ||
basic_auth_user: Optional[AuthenticatedUser] = Depends(get_basic_auth_user), | ||
oidc_auth_user: Optional[AuthenticatedUser] = Depends(get_oidc_user), | ||
) -> AuthenticatedUser: | ||
"""Authenticate user with any allowed method, using credentials in the header.""" | ||
if AuthBackend.BASIC not in settings.RUNSERVER_AUTH_BACKENDS: | ||
basic_auth_user = None | ||
if AuthBackend.OIDC not in settings.RUNSERVER_AUTH_BACKENDS: | ||
oidc_auth_user = None | ||
|
||
if basic_auth_user: | ||
user = basic_auth_user | ||
auth_header = "Basic" | ||
elif oidc_auth_user: | ||
user = oidc_auth_user | ||
auth_header = "Bearer" | ||
else: | ||
auth_header = ",".join( | ||
[ | ||
{"basic": "Basic", "oidc": "Bearer"}[backend.value] | ||
for backend in settings.RUNSERVER_AUTH_BACKENDS | ||
] | ||
) | ||
raise HTTPException( | ||
status_code=status.HTTP_401_UNAUTHORIZED, | ||
detail="Invalid authentication credentials", | ||
headers={"WWW-Authenticate": auth_header}, | ||
) | ||
|
||
# At startup, select the authentication mode that will be used | ||
if settings.RUNSERVER_AUTH_BACKEND == settings.AuthBackends.OIDC: | ||
get_authenticated_user = get_oidc_user | ||
else: | ||
get_authenticated_user = get_basic_auth_user | ||
# Restrict access by scopes | ||
if settings.LRS_RESTRICT_BY_SCOPES: | ||
for requested_scope in security_scopes.scopes: | ||
if not user.scopes.is_authorized(requested_scope): | ||
raise HTTPException( | ||
status_code=status.HTTP_401_UNAUTHORIZED, | ||
detail=f'Access not authorized to scope: "{requested_scope}".', | ||
headers={"WWW-Authenticate": auth_header}, | ||
) | ||
return user |
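Review bot: `get_authenticated_user` declares both `Depends(get_basic_auth_user)` and `Depends(get_oidc_user)` unconditionally and only discards the result afterwards (`basic_auth_user = None` when `AuthBackend.BASIC` is not in `settings.RUNSERVER_AUTH_BACKENDS`), so a disabled backend's dependency still executes on every request, and the fall-through from Basic to OIDC only works if both dependencies return `None` on missing or invalid credentials rather than raising an `HTTPException` themselves; please confirm that behaviour in `get_basic_auth_user` and `get_oidc_user` (their `Optional[AuthenticatedUser]` annotations suggest it) and consider having each dependency consult `settings.RUNSERVER_AUTH_BACKENDS` so an unconfigured backend short-circuits before doing any credential work. Two smaller points: the `{"basic": "Basic", "oidc": "Bearer"}[backend.value]` mapping duplicates knowledge that belongs on `AuthBackend`, and with an empty `RUNSERVER_AUTH_BACKENDS` the `",".join(...)` produces an empty `WWW-Authenticate` header, so the settings layer should reject an empty list.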