Use keycloak authentication for the deposit
Closed, MigratedEdits Locked
Actions

Assigned To

Authored By

	ardumont
	Dec 7 2020, 11:27 AM

Description

The deposit is using django and a simple basic authentication scheme so far (compliant to the sword v2 specification).

Investigate how to continue offering such basic authentication in coordination with keycloak.

Revisions and Commits

rDENV Development environment
	D5203	rDENVdabe1c91f3fd keycloak_swh_setup: Assign swh.deposit.api role to hal user
rDDEP Push deposit
	D5361	rDDEP82e56c9e3bba docs: Add a reference authentication page to explain auth schemes
	D5343	rDDEP39f3aef89278 docs/sys-info: Update deployment documentation
	D5291	rDDEP6773775acfcb Allow to configure authentication mechanism per config file
	D5137	rDDEP27efcccbfaea Delegate authentication to keycloak
	D5228	rDDEP4353a323f6e0 tests: Start testing migration scripts
rDSNIP Code snippets
	D5279	rDSNIP5162e8e1c5c0 keycloak: Install users to keycloak instance
rSPSITE puppet-swh-site
	D5284	rSPSITE9cb4154b4519 deposit: Configure deposit to use keycloak in staging
	D5250	rSPSITEfc6a5a5ac9f9 keycloak: Add swh-deposit client in staging realm
rDAUTH Common authentication libraries
	D5304	rDAUTH45ec395cce8f auth.pytest_plugin: Adjust error type according to reality
	D5281	rDAUTH57583d2bcc3f django.utils.oidc_user_from_decoded_token: Relax fields constraint
	D5243	rDAUTH148c9d4f3fae utils: Use iat field as fallback when auth_time is not provided
	D5233	rDAUTH9d1659b938e7 swh.auth.pytest_plugin: Install missing side-effect for login method
	D5230	rDAUTHacf199d61c53 swh.auth.pytest_plugin: Make decoded_token consistent with user_info

Related Objects
Search...

Status	Assigned	Task
Migrated	gitlab-migration	T3128 Improve deposit integration, management and display
Migrated	gitlab-migration	T2858 Use keycloak authentication for the deposit
Migrated	gitlab-migration	T3079 Boostrap swh-auth module for authentication
Migrated	gitlab-migration	T3166 Deploy deposit v0.13 in staging

Event Timeline

ardumont triaged this task as Normal priority.Dec 7 2020, 11:27 AM

ardumont created this task.

ardumont mentioned this in T2714: Discuss the design on how to open client accounts for the deposit .Dec 14 2020, 3:04 PM

Discussion on deposit sprint with @ardumont and @anlambert

login / mdp classic (not most secured)
authentication by token
create account for each application and give permissions depending on the account
to give permission for the deposit functionality an admin needs to change the account permission
we don't want to break the existing usage (login /mdp)

> use login/mdp

you get the login/mdp in headers from clients,
the server will send it to keycloak

authentication backend (which is used in swh-web

direct grant (Oauth) open ID connect

First step: change the existing clients and create their accounts (in keycloak)
Test in Docker
Second step: transfer to client's account in staging

direct grant (Oauth) open ID connect

Also known as "Resource Owner Password Credentials" [1]

(RFC [2] has an ascii graph detailing the mechanism)

Details:

deposit client provides credentials to the deposit server

deposit server forwards credentials to check the client authentication against keycloak

keycloak accepts connection and provides a token to the deposit server. The client is now connected.

deposit drops the client's credentials (no longer uses them).

As the deposit client is now connected, the deposit can proceed as usual.

Alternatively if the authentication fails (keycloak refuses connection), deposit forwards a 401 as before.

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_resource_owner_password_credentials_flow
[2] https://tools.ietf.org/html/rfc6749#section-4.3

ardumont changed the task status from Open to Work in Progress.Feb 23 2021, 2:30 PM

ardumont moved this task from Backlog to In progress on the SWORD deposit board.

ardumont mentioned this in P961 docker: deposit-keycloak: connection ok.

ardumont mentioned this in rDENV11b018899cff: keycloak: Add deposit container to keycloak docker compose.Feb 23 2021, 5:37 PM

ardumont added a revision: D5137: Migrate deposit to use keycloak as authentication mechanism.Feb 24 2021, 4:57 PM

ardumont added a subtask: T3079: Boostrap swh-auth module for authentication.Mar 4 2021, 7:00 PM

ardumont changed the status of subtask T3079: Boostrap swh-auth module for authentication from Open to Work in Progress.

ardumont added a revision: D5203: keycloak_swh_setup: Assign swh.deposit.api role to hal user.Mar 5 2021, 2:51 PM

ardumont added a commit: rDENVdabe1c91f3fd: keycloak_swh_setup: Assign swh.deposit.api role to hal user.Mar 5 2021, 3:46 PM

ardumont claimed this task.Mar 8 2021, 6:23 PM

ardumont added a revision: D5228: tests: Start testing migration scripts.Mar 10 2021, 10:07 AM

ardumont added a commit: rDDEP4353a323f6e0: tests: Start testing migration scripts.Mar 10 2021, 10:48 AM

ardumont closed subtask T3079: Boostrap swh-auth module for authentication as Resolved.Mar 10 2021, 1:04 PM

Currently, the deposit migration scripts are not tested. Which would have been hard to
be serene about the future keycloak change.

So a new dependency grew in the test requirements and some tests got started to actually
test some migrations. Dependency added in D5228.

That module was not packaged for debian. It is now in the swh debian repository. And,
it's our jenkins instance which does the build [1] (v1.1.0 [2]).

To ensure it works as expected with the deposit, an intermediary deposit release got
specifically built to ensure the tests are now fine with that dependency (v0.11.1 [3]).

And it is (in one round for both, no less \o/).

unstable:

12:58:48  swh/deposit/tests_migration/test_migrations.py::test_migrations_20_rename_swhid_column_in_deposit_model PASSED [ 60%]
12:58:48  swh/deposit/tests_migration/test_migrations.py::test_migrations_21_add_origin_url_column_to_deposit_model PASSED [ 60%]

stable (backport):

13:00:40  swh/deposit/tests_migration/test_migrations.py::test_migrations_20_rename_swhid_column_in_deposit_model PASSED [ 99%]
13:00:41  swh/deposit/tests_migration/test_migrations.py::test_migrations_21_add_origin_url_column_to_deposit_model PASSED [100%]

So now, we shall be able to test our schema migrations in the deposit!

Starting with the new keycloak changes. So some delay to deliver this but for the good cause!

[1] https://forge.softwareheritage.org/source/python3-django-test-migrations/
[2] https://jenkins.softwareheritage.org/job/debian/job/deps/job/PTDTM/job/gbp-buildpackage/
[3] https://jenkins.softwareheritage.org/job/debian/job/packages/job/DDEP/job/gbp-buildpackage/

ardumont added a revision: D5230: swh.auth.pytest_plugin: Make decoded_token consistent with user_info.Mar 11 2021, 3:55 PM

ardumont added a commit: rDAUTHacf199d61c53: swh.auth.pytest_plugin: Make decoded_token consistent with user_info.Mar 11 2021, 4:10 PM

ardumont mentioned this in rDENV6f30f45134aa: keycloak_swh_setup: Provide an email to the deposit user.Mar 12 2021, 10:00 AM

ardumont added a revision: D5233: swh.auth.pytest_plugin: Install missing side-effect for login method.Mar 12 2021, 10:38 AM

ardumont added a commit: rDAUTH9d1659b938e7: swh.auth.pytest_plugin: Install missing side-effect for login method.Mar 12 2021, 10:41 AM

ardumont mentioned this in rDENV5c3137c5ac8a: keycloak_swh_setup: Align test user with the existing deposit setup.Mar 12 2021, 2:53 PM

ardumont added a revision: D5243: utils: Use iat field as fallback when auth_time is not provided.Mar 13 2021, 10:45 AM

ardumont added a commit: rDAUTH148c9d4f3fae: utils: Use iat field as fallback when auth_time is not provided.Mar 15 2021, 2:04 PM

ardumont added a revision: D5250: keycloak: Add swh-deposit client in staging realm.Mar 15 2021, 5:32 PM