Require authentication for SCIM requests #19009
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
NobodysNightmare
changed the title
NobodysNightmare
force-pushed
the
scim-authentication
branch
from
4386bde to
8c84651
Compare
NobodysNightmare
force-pushed
the
feature/62107-add-scim-server-api
branch
from
76d2f38 to
e88d87a
Compare
NobodysNightmare
force-pushed
the
scim-authentication
branch
2 times, most recently
from
260dd42 to
8836987
Compare
This will be required to use warden for our SCIM endpoints as well,
which are implemented in rails controllers. Since Rails controllers do
not support mounting rack middlewares partially (the way that e.g. Grape does),
the mounting of warden needed to be moved.
This was not super straight-forward, because of load order issues:
* Requiring a Rails middleware must be done before initialization finished
* Our warden config was so far done _after_ initialization
* static_routes were defined in lib, which is automatically reloaded,
but auto-reloading code is not allowed during initialization
* lib_static which is autoloaded_once is fine during init,
this is also where the rest of warden authentication is defined
Additionally warden was configured to not handle HTTP 401 responses generated
by the upstream app itself. Warden will only be responsible for its own authentication
failures and it's still possible to invoke the warden failure app by throwing the :warden
symbol, but the application keeps its capability of responding with custom 401 responses.
NobodysNightmare
force-pushed
the
scim-authentication
branch
from
8836987 to
08733f5
Compare
Handling authentication through our regular warden strategies. Permissions-wise the only thing we can check for is whether the authenticated user is an admin. Though this will require us to grant admin privileges to all SCIM clients, which might be more than we want to do.
NobodysNightmare
force-pushed
the
scim-authentication
branch
from
08733f5 to
518cde3
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Handling authentication through our regular warden strategies. Doing this required to make warden available to the Rails stack as well. This was not super straight-forward, because of load order issues:
Ticket
https://community.openproject.org/work_packages/62592/activity
Notes
I'd like to avoid overwriting internal scimitar methods entirely. I opened an upstream issue in that regard, maybe this opens some ideas for API changes: pond/scimitar#158
Dependencies