Estimate effort to add filter allowing sandbox access only to a subset of users ("enterprise")

Description

None

Activity

Gopal Menon
October 22, 2020, 8:42 PM

Preston added a role called member to the Development and test realms. I ran the application on my local environment. The tokens did not have the role I was looking for. I tried the following in Postman.

POST request to https://id-test.logicahealth.org/auth/realms/Development/protocol/openid-connect/token with the following key and value pairs in the body

Key             Value
grant_type      password
client_secret   1f2edaa3-462c-45c0-b40c-4cc63de9bfd7
client_id       reference-auth
username        gopal
password        <my password>

I got an access_token as part of the response. I looked at the payload of the token and saw the following:

{
  "exp": 1603427546,
  "iat": 1603398746,
  "jti": "5dde54f9-6054-4e09-b9b4-38741380719c",
  "iss": "https://id-test.logicahealth.org/auth/realms/Development",
  "aud": "account",
  "sub": "7be43e3c-4293-4342-807c-b851cc59e69c",
  "typ": "Bearer",
  "azp": "reference-auth",
  "session_state": "d6402fc2-303d-46e4-b166-95bde14e4a03",
  "acr": "1",
  "allowed-origins": [
    "http://localhost:8060/"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "member",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "email profile",
  "email_verified": false,
  "name": "Gopal Menon",
  "preferred_username": "gopal",
  "given_name": "Gopal",
  "family_name": "Menon",
  "email": "gopal@interopion.com"
}

member is one of the realm_access roles. An enterprise user will have member in the roles.

Gopal Menon
October 26, 2020, 3:54 PM

Need to investigate what Keycloak API calls are available that can be used to retrieve a list of user roles. Or we need to see if we can change Keycloak settings to return user roles at the time of authentication. There may be some code we can use from Interopio since it is somewhat similar to the sandbox and must already have the ability to allow only paid users in.

Gopal Menon
November 3, 2020, 12:06 AM
Edited

Sent the estimate of 2 weeks to the team.

Later, while doing further investigations, I was able to get this to work and reject users who do not have “member” in their Keycloak roles.

Gopal Menon
November 3, 2020, 7:58 PM
Edited

I separated out the error messages for a non-enterprise user and a generic server error.

Also verified that non-enterprise users are able to access open endpoints. Secured endpoints still only work with a bearer token.

Gopal Menon
November 5, 2020, 5:59 PM

In the IPM today Scott said that non-enterprise users will be shown a page with details on how to become members. That page is still being worked on. He also said that all users will probably be temporarily made enterprise users for now, and then when the time comes to restrict access, only the real enterprise users will have the role “member” associated with their logins.

Assignee

Gopal Menon

Reporter

Nikolai Schwertner

Labels

None

Priority

Major