-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mapping OIDC groups to INCEpTION's internal roles #4941
Comments
Actually, INCEpTION has no concept of groups. We have global roles like I don't think it would be sensibel to try deferring the project roles to an external mechanism. |
Thanks for your quick reply and your clarification @reckart! I've updated the Issue title to avoid any confusions. It doesn't seem very different from what you're doing with your external preauth mechanism though? I mean, in that configuration, you can already assign roles to a user according to a header, in that case it would be doing the same thing, but based on oauth2's authorization mechanism, from a claim in the token, rather than a header parameter. |
External pre-authentication does only that - authentication. INCEpTION does currently not support external authorization mechanisms. It is possible to override the roles of an externally authenticated user using I checked Keycloak. It supports the concept of roles and groups. Roles are mapped to permissions while groups are aggregations of users. INCEpTION does not have the concept of groups to aggregate users. It does have the concept of roles (global and per-project). Keycloak allows to define per-client roles. So if you set up INCEpTION as a client in Keycloak, then you could e.g. define the per-client roles |
Thank you for the feedback I agree to say that authentication and authorization are of course two different mechanism, but am not sure about your example - if I take this example from the pre-auth part of your documentation : auth.mode = preauth
auth.preauth.header.principal = remote_user
auth.preauth.newuser.roles = ROLE_PROJECT_CREATOR
auth.user.Franz.roles = ROLE_ADMIN That's literally RBAC access, when you map a role to a user. In this specific case, we're even granting admin permission to the user Franz, so to me you're effectively deciding the scope of what privileges an authenticated user can have - which looks like authorization to me. I fail to see why it's an issue to map a role to a group of user when it's already a possibility for one specific user - is it because INCEpTION doesn't manage groups of users, and you dont like the idea of inheriting groups from an SSO (plugged to an AD), because those are not hardcoded in the DB? To reframe the issue :
How do I setup my INCEpTION deployments to bind each project's user groups to their corresponding instance of INCEpTION, while insuring that admins can have the correct group in every deployments? |
Typically, there is a single deployment shared between all users. Please mind that every deployment requires its own dedicated database and file system - you cannot share databases and file systems between instances. |
That is correct, it is authorization. But the authorization does not come from an external system. It is part of the configuration files of INCEpTION in this case.
As I said, INCEpTION does not have a concept of user groups, so it is not possible to assign a role to a group of users. What you are asking is that I implement a mechanism that dynamically assigns a role to a user based on some claim in the authentication token. You would then want to put a claim into that token that indicates the group membership and the mechanism on the INCEpTION side would need to see that token and then dynamically add the user role. That means, I would need to implement a quite flexible mechanism like It would be much simpler for me if there was a mapping mechanism outside of INCEpTION that already prepares the role assignment as INCEpTION needs it. So if you could put into your claim something like |
Ok, I thought it would be the case. We're using our Kubernetes to deploy separate instances with our gitops cd workflow, so the deployments are separated. Unfortunately, laws regarding segregation of access to the data makes it hard in our case to deploy a "one-deployment-fits-all" case. |
As long as you fully segragate your deployments, it is fine. I am just mentioning it because some users have tried to run multiple INCEpTION instances against the same database and file system - basically trying to share the data layer across multiple INCEpTION instances - and that is not supported. An INCEpTION instance expects that it has exclusive access to its database and filesystem and will cache certain things in memory assuming that no parallel instance or external process will make any modifications. |
I can see two limitations with that approach :
I can totally see the issue though, that's no small development. One question : If I can set in the setting file the mapping in that fashion :
Wouldn't it be possible on Spring Security side to get the value of the I guess it's like what you're doing in pre-authentication mode, unless you would get the group from that mapping done in the config file rather extracting it from a header - in both cases noting is store in DB so you don't have to create a whole new user groups model |
Thank you for the effort you've put to see this through. I took the time to browse a bit your codebase (last time I worked with Spirng Security was years ago!), and if I understand things correctly :
As for what you're pointing with Keycloak, that would demand to create roles and permissions inside Keycloak. It's a valid suggestion, not applicable in our case as we're using Keycloak to gather groups from our Active Directory, so we can't create roles and authorizations in two different places. |
@kzgrzendek Would you like to propose a code change? |
I could have a look at it once I will be done with what I'm working on atm - it might need a bit of back and forth since I'm not familiar with the codebase |
Hello,
I would like to suggest a feature regarding the mapping of OIDC/OAUTH2 groups (when this authentication mode is enabled) to the internal roles of INCEpTION (
ADMIN
,USER
, etc.)Context
I'm working for the Greater Paris University Hospitals, and we would like to propose INCEpTION as our go-to text annotation tool for our users, as part of our 'Health Data Warehouse' offer (link content in French only, unfortunately).
As you can guess, we are tied by very strict legal and industrial obligation, one of them being the obligation to federate the authentication and authorization of our userbase when we provide services.
This implicates that the applications we're deploying, if they need 'internal roles', should be able to map those with pre-existing groups defined in our SSO solution (Keycloak, in our case).
The go-to standard for doing that being to use OIDC/OAUTH2 to fetch those groups in the user's token or with the
userInfo
endpoint, that's the reason why I'm proposing this feature, and I guess we're not the only one with those obligations.Description of the feature
If we simply look at a solution like JupyterHub, we can see that its OIDC module is proposing to set :
c.GenericOAuthenticator.claim_groups_key
)c.GenericOAuthenticator.allowed_group
)c.GenericOAuthenticator.admin_groups
)Implicitly, all users not members of those groups are denied by the application.
Edge cases to bear in mind
I can think of a few edge cases, but you're welcome to add yours as well :
USER
andADMIN
groups, he should be mapped asADMIN
(unless INCEpTION supports having users in several groups!)USER
, and is now in a group mapped toADMIN
, he should appear as anADMIN
in INCEpTION, and no more as aUSER
I'm hoping you'll consider this feature, and am of course willing to discuss about it :)
Thank you
The text was updated successfully, but these errors were encountered: