Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User Management via OpenID Connect #36

Open
martnst opened this issue Jun 9, 2020 · 4 comments
Open

User Management via OpenID Connect #36

martnst opened this issue Jun 9, 2020 · 4 comments

Comments

@martnst
Copy link

martnst commented Jun 9, 2020

Hi,

in our project we use QIS as our image server, which the users upload images via REST from our React SPA. Currently the app authenticates via a single user which acts as a service account. I am wondering though, if it is possible to connect QIS to our IDM via OpenID Connect. [1]

Ultimately the user would have ownership about his images and we could implement access control bases on permissions managed via the IDM. The user's profile picture for example could be private for example, whereas images the of something like a blog post [2] would be visible to. any logged in user.

Bests,
Martin

[1] We use Keycloak as IDM.
[2] just an example
@qururoland
Copy link
Contributor

We have successfully used ActiveDirectory, Red Hat IDM/389/OpenLDAP and cloud services like JumpCloud for authentication in QIS. We also spent quite a bit of time working on a solution to automatically secure images to one (or more) known users but that was a couple of years ago. This was for users to upload images of their high value works of art and to then control which other users they would let see the image.

I will have a hunt through the code and documentation to see what I can find of this work and will let you know.

@martnst
Copy link
Author

martnst commented Jun 10, 2020
edited
Loading

As fair as I know Keycloak only has capabilities federate user from ActiveDirectory and LDAP, but does not acts as a source for other systems. Hence, my idea to use OpenID connect.

@qururoland
Copy link
Contributor

Project lead coder fozcode has spent some time on OpenID Connect on another project. It's based on OAuth 2, the standard that one of the original designers resigned from because industry pressure made it too complicated to implement safely.

But the gist of it is that you authenticate with a 3rd party and the 3rd party gives you 3 tokens, one saying who you are, one saying what your application permissions are (defined on their side), and one for renewing the tokens before they expire.

QIS would need something like we already did here:
#27

Whereby if they're not authenticated we redirect away to the 3rd party login page, and that redirects back to QIS with the tokens. QIS would then need to check the 3rd party tokens for expiry as part of its middleware, and have a link between the 3rd party token and its own user database, e.g. with the username or email address embedded inside the token.

Is this the sort of thing that you are thinking about?

@martnst
Copy link
Author

martnst commented Jun 11, 2020

Hi Roland, yeah that sound about right to me.

The redirect flow would not be need in our case where our React frontend would only talk to the QIS REST API. Instead of getting a token from QIS the frontend would come with an OIDC auth token right away. However I could Imagine this would be needed you one would want to use a OPID Connect based IDM to kinda not use the QIS own user management at all.

Best, Martin

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@martnst @qururoland