Handling Authentication in Map Storage #10833

ahus1 · 2022-03-21T10:50:27Z

ahus1
Mar 21, 2022
Collaborator

Problem statement

The current authentication for users in Map storage rely on credentials that are saved in the store and then validated on the logical layer, see #9932.

As for LDAP credentials are not accessible, and passwords are sent to LDAP for validation.

Approach

The validation of the CredentialInput could be done on the physical layer (in the Map LDAP module), and the input would be sent down there for validation.

Benefits

Once the user has been looked up, this can be called directly on the user model.

Alternatives

Use the existing APIs and pass only a LdapMapUserCredentialEntity upwards that
Use an IdentityProvider instead for authentication. Downside is that those don't allow for changing crendentials in their current design

ahus1 · 2022-03-21T10:56:14Z

ahus1
Mar 21, 2022
Collaborator Author

To explore how the user model can be extended, there is a branch here: https://github.com/ahus1/keycloak/tree/9931-move-authenticate-call-to-user-model -- it is built on top of the current WIP user LDAP map support.

This will log in a user with the hard-coded password “anything” in this POC (see LdapUserEntity).

It shows that this can be added to the existing APIs without breaking existing functionality. Existing functionality could later be deprecated once the new way proves itself to work as expected.

LdapUserEntity has access to the current transaction and the LDAP configuration. Having access to the LDAP configuration would be sufficient to validate the user's credentials.

1 reply

ahus1 Mar 22, 2022
Collaborator Author

There are now new commits on the branch that introduce a SingleUserCredentialManager that allows to move over the full functionality of UserCredentialManager. Other methods will move over eventually as development continues. A similar construct will appear on the entity level as well.

ahus1 · 2022-03-23T07:57:47Z

ahus1
Mar 23, 2022
Collaborator Author

After talking to @hmlnarik on Monday, credential handling should handed in a separate class.

UserCredentialManager should eventually disappear, as all interaction will then be focused on a user.

This is now present in the branch listed above, including the integration with LDAP for updating and validation passwords.

old:

new:

0 replies

ahus1 · 2022-03-23T17:42:45Z

ahus1
Mar 23, 2022
Collaborator Author

This has been discussion and generally approved in today's team meeting. The code changes are now part of PR #10700.

1 reply

ahus1 Mar 23, 2022
Collaborator Author

archived

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Handling Authentication in Map Storage #10833

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Handling Authentication in Map Storage #10833

Uh oh!

ahus1 Mar 21, 2022 Collaborator

Problem statement

Approach

Benefits

Alternatives

Replies: 3 comments · 2 replies

Uh oh!

ahus1 Mar 21, 2022 Collaborator Author

Uh oh!

ahus1 Mar 22, 2022 Collaborator Author

Uh oh!

ahus1 Mar 23, 2022 Collaborator Author

Uh oh!

ahus1 Mar 23, 2022 Collaborator Author

Uh oh!

ahus1 Mar 23, 2022 Collaborator Author

ahus1
Mar 21, 2022
Collaborator

Replies: 3 comments 2 replies

ahus1
Mar 21, 2022
Collaborator Author

ahus1 Mar 22, 2022
Collaborator Author

ahus1
Mar 23, 2022
Collaborator Author

ahus1
Mar 23, 2022
Collaborator Author

ahus1 Mar 23, 2022
Collaborator Author