
Integration of OPEN ID basic support in Geostore

Open ale-cristofori opened this issue 3 years ago • 7 comments

Description

Within the GEOFIT OPEN ID integration epic, the goal of this new feature is to provide an authentication/authorization workflow using the OPEN ID protocol. In order to support the configuration in MapStore, a dedicated Java library needs to be used on the MapStore backend side, which will handle the configuration and authentication process separately from the basic OpenId Connect implementation.

The OPEN ID authentication/authorization workflow will plug into the existing Geostore workflow; there will be a new build profile for Geostore to support OPEN ID. The solution workflow will be similar to the already existing one of Geostore when an authentication/authorization server is in place, for example LDAP. Geostore will mirror users, groups and roles from the authentication/authorization server and use them to log in and define access permissions to resources in MapStore. The preferred approach at this stage of the development is to design the OPEN ID implementation to work in 'synchronized mode'.

When a user tries to authenticate in the MapStore UI, all users and roles provided by OPEN ID are copied into the Geostore internal read-only DB; their credentials will be checked and their role will be authorized according to the associated role provided by the OPEN ID server.

In case of creation of a new user on the identity provider repository, the synchronization of such user and their associated groups and assigned role will take place when they log onto MapStore for the first time.

Acceptance criteria

  • [ ] Users can access MapStore in unauthenticated mode (guest) - this case won't require the OPEN ID Geostore integration
  • [ ] Existing user authentication - scenario 1 - the user will log in, OPEN ID will be able to authenticate the user, synchronize the groups said user belongs to and assign the MapStore role mapped from OPEN ID for such user.
  • [ ] Existing user authentication - scenario 2 - the user might be already authenticated with OPEN ID, for example within a live session of another application; MapStore will recognize the authentication and the user won't need to log in again when accessing MapStore.
  • [ ] OPEN ID authenticated user logs onto MapStore for the first time - scenario 3 - in this case Geostore will create a new user and assign the role and the groups the user belongs to based on the information received from the OPEN ID server identity provider. The Open ID role for this new user will be mapped to a MapStore role (MS_ROLE_ADMIN, MS_ROLE_USER, MS_GROUP_*, etc.)

Other useful information

This issue implements the basic support of OPEN ID within Geostore in terms of authentication and correct users/groups/roles DB population. The communication workflow between Geostore and the OPEN ID server will be handled by Keycloak; the design of this workflow is captured in a separate issue.

ale-cristofori · May 12 '22 14:05
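The 'synchronized mode' described in the issue, as an added Java model that is not Geostore's or MapStore's own code: on each successful OPEN ID login the user, their groups and their mapped role are written into a local read-only mirror, so a first login creates the row and later logins refresh it. The claim names (`preferred_username`, `roles`, `groups`), the identity-provider admin role name `admin` and the in-memory map standing in for the Geostore DB are assumptions of this example.

```java
import java.util.*;

// Added example, not Geostore's own code: a minimal model of the "synchronized mode"
// described above. Claim names ("preferred_username", "roles", "groups") and the
// identity-provider admin role name ("admin") are assumptions, not Geostore's config.
public class OpenIdSyncExample {
    /** Local mirror of a user, as Geostore would keep it in its read-only DB. */
    record LocalUser(String name, String role, Set<String> groups) {}
    /** In-memory stand-in for the Geostore user table, keyed by username. */
    private final Map<String, LocalUser> localDb = new HashMap<>();

    /** Map the identity provider's role claim onto a MapStore role. */
    static String mapRole(List<String> idpRoles) {
        // Only an explicit admin role grants MS_ROLE_ADMIN; everything else is a plain user.
        return idpRoles.contains("admin") ? "MS_ROLE_ADMIN" : "MS_ROLE_USER";
    }

    /** Mirror identity-provider groups as MS_GROUP_* entries with a safe, stable name. */
    static Set<String> mapGroups(List<String> idpGroups) {
        Set<String> out = new TreeSet<>();
        for (String g : idpGroups) {
            out.add("MS_GROUP_" + g.trim().toUpperCase(Locale.ROOT).replaceAll("[^A-Z0-9]", "_"));
        }
        return out;
    }

    /** Run on every successful OPEN ID login: creates the user the first time, refreshes it after. */
    @SuppressWarnings("unchecked")
    LocalUser syncOnLogin(Map<String, Object> claims) {
        String name = (String) claims.get("preferred_username");
        if (name == null || name.isBlank()) {
            throw new IllegalArgumentException("token has no preferred_username claim");
        }
        List<String> roles = (List<String>) claims.getOrDefault("roles", List.of());
        List<String> groups = (List<String>) claims.getOrDefault("groups", List.of());
        // The identity provider is authoritative: the local copy is overwritten, never edited locally.
        LocalUser synced = new LocalUser(name, mapRole(roles), mapGroups(groups));
        localDb.put(name, synced);
        return synced;
    }

    int userCount() { return localDb.size(); }

    public static void main(String[] args) {
        OpenIdSyncExample sync = new OpenIdSyncExample();
        // Constructed claim sets standing in for two decoded ID tokens of the same user.
        System.out.println(sync.syncOnLogin(Map.of("preferred_username", "alice",
                "roles", List.of("viewer"), "groups", List.of("gis team"))));
        // Second login after the identity provider promoted alice: the row is refreshed, not duplicated.
        System.out.println(sync.syncOnLogin(Map.of("preferred_username", "alice",
                "roles", List.of("admin"), "groups", List.of("gis team", "ops")))
                + " users=" + sync.userCount());
    }
}
```

Because the mirror is overwritten from the token on every login, a role removed on the identity provider is also removed locally at the next login, which is the property the read-only DB is meant to guarantee.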

Geostore already implements support for OPEN ID, this was developed within a client downstream project and is included in this Geostore branch https://github.com/geosolutions-it/geostore/tree/C044-branch

@tdipisa, with @taba90 we were discussing whether to merge the features of that branch into the official Geostore. There are currently two releases of MapStore which seem suitable as candidates for this new feature:

a minor 2022.01.02 due on 8/06/2022 and a major 2022.02.00 due on 12/07/2022.

Considering the expected delivery of the project (around half July), we would need to clarify whether this Geostore feature could be merged into one of the above releases or whether we would need to create a custom release of Geostore until we decide to include the OPEN ID support later (the OPEN ID workflow is dependent on this Geostore support in order to work).

ale-cristofori · May 19 '22 08:05

@ale-cristofori this work is not something that can land in a minor release. It is planned to be released as part of the next major 2022.02.00; here is the releases calendar, where you can also find all the expected versions of the involved main dependencies (GeoStore included). These pending PRs in review are indeed scheduled for 2022.02.00 (still in draft mode, waiting for the GeoStore updates to be contributed to GeoStore master).

tdipisa · May 23 '22 12:05

@taba90 confirmed C044-branch can be ported to Geostore master; this is to undraft https://github.com/geosolutions-it/MapStore2/pull/7875 and https://github.com/geosolutions-it/MapStore2/pull/7873 to be merged and be ready for this issue to begin being worked on.

ale-cristofori · May 23 '22 13:05

working on this

taba90 · May 27 '22 13:05

raised a pr to master

taba90 · Jun 06 '22 12:06

> raised a pr to master

Thank you very much (this is the link to the Geostore PR)

ale-cristofori · Jun 06 '22 12:06

As of today 04/08/2022, the testing of this feature on our dev environment is dependent on time constraints dictated by our resource availability; an estimation on the setup of the testing environment has been given by @offtherailz, and we are now waiting for any free MapStore resource who can work on this.

see https://github.com/geosolutions-it/MapStore2/issues/8429

ale-cristofori · Aug 04 '22 14:08

Basic OPEN ID support has been tested with #8434

ElenaGallo · Sep 21 '22 09:09