
DEB-1317 Role authenticator simplifications

Tom Adam requested to merge DEB-1317-RoleAuthenticator-simplifications into master

Goal: Simplify the role based client access check. As of today the roles are explicitly declared for each RoleAuthenticator configuration (maybe 10 instances). If all role checks are based on client level roles, RoleAuthenticator only needs the client id to check whether a given user has enough roles to access a client. This removes 3 config parameters from the RoleAuthenticator config. In addition, if a new role is introduced (f.ex. in Assist/LMS), all Assist/LMS related RoleAuthenticators must be updated, otherwise users with the new roles do not get access. This is bad design, and a fragile solution. I wonder who did it? 😄 The suggested changes overcome this problem, since the roles can be fetched using the client ID, so any newly introduced roles will be taken care of automagically.

Required changes:

  • A new client role, DEICH_BORROWER needs to be added to the deichman.no client in Keycloak
    • needs to be a composite role
    • add BORROWER realm role as part of the created DEICH_BORROWER composite role
  • Stop Keycloak, and run SQL statements as detailed in the JIRA task.

Redeployment of following artefacts is needed:

  • keycloak
  • deichman.no
  • proxy
  • fuge
  • tjenestekatalog
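The two designs contrasted in the description, as an added illustration that is not code from this project: the decoded-token shape follows Keycloak's `realm_access` / `resource_access` claims, while the function names, client ids other than `deichman.no`, and all role values except `DEICH_BORROWER` and `BORROWER` are constructed for the example.

```python
"""Explicit role lists vs. client-id based role check (added example).

Assumptions: tokens below are constructed in the shape of a decoded Keycloak
access token; `old_authenticator` / `new_authenticator` are hypothetical names
standing in for the before/after RoleAuthenticator behaviour, not project code.
"""

# Constructed: user holding the composite client role DEICH_BORROWER on the
# deichman.no client. Keycloak expands the composite, so the contained realm
# role BORROWER also appears under realm_access.
TOKEN_BORROWER = {
    "sub": "user-1",
    "realm_access": {"roles": ["BORROWER"]},
    "resource_access": {"deichman.no": {"roles": ["DEICH_BORROWER"]}},
}
# Constructed: user given a role introduced *after* the authenticators were
# configured (the case the description calls fragile).
TOKEN_NEW_ROLE = {
    "sub": "user-2",
    "realm_access": {"roles": []},
    "resource_access": {"assist": {"roles": ["ASSIST_NEW_ROLE"]}},
}
# Constructed: user with roles on an unrelated client only.
TOKEN_OTHER_CLIENT = {
    "sub": "user-3",
    "realm_access": {"roles": []},
    "resource_access": {"lms": {"roles": ["LMS_ROLE"]}},
}


def old_authenticator(token: dict, allowed_roles: list[str]) -> bool:
    """Before: each authenticator instance carries its own explicit role list.
    Any role missing from that list, including newly introduced ones, is denied
    until every affected configuration is updated."""
    granted = set(token.get("realm_access", {}).get("roles", []))
    for client in token.get("resource_access", {}).values():
        granted.update(client.get("roles", []))
    return bool(granted & set(allowed_roles))


def new_authenticator(token: dict, client_id: str) -> bool:
    """After: only the client id is configured. Access is granted when the user
    holds any role defined on that client, so a new client role needs no
    authenticator config change."""
    client = token.get("resource_access", {}).get(client_id, {})
    return bool(client.get("roles"))
```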
