Camunda Authorization with Spring Security and JWT - camunda

I am using the camunda spring-boot-starter and running the embedded camunda engine.
For authentication, we are using a JWT token and the user information exists in an outside database. From the Camunda docs, what I understood is that Camunda authorization, like assigning a user task to a user, will totally depend on the Camunda database.
How should I use an outside user, authenticated with an external system, for authorization purposes in Camunda? Should I create a copy of the authenticated user in the Camunda database?

As part of the authentication you can also tell Camunda which groups/roles the user belongs to. For instance as shown in this generic simple Spring Security example: https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso
specifically: https://github.com/camunda-consulting/code/blob/4a609b375c6564838e85a1bde7d70e5a9951ab64/snippets/springboot-security-sso/src/main/java/com/camunda/demo/filter/webapp/SpringSecurityAuthenticationProvider.java#L35
Another mechanism uses a custom identity provider (read-only or writable) as explained here: https://docs.camunda.org/manual/latest/user-guide/process-engine/identity-service/#custom-whitelist-for-user-group-and-tenant-ids
It is correct that the default implementation is the database identity service, which uses the engine database for managing users and groups.
However, this is only the case if no alternative identity service implementation is provided. Camunda also provides an LDAP identity service for an LDAP-based user/group repository and you can of course implement your own.
Once you have an authenticated user and user group information for the user, the detailed functional permissions are linked to these groups as shown here: https://docs.camunda.org/manual/latest/webapps/admin/authorization-management/
You don't have to manage users in Camunda or sync with another system. If a user's authorizations (groups, roles) should be fetched from another system, then use the SPI mentioned above. Either way you don't need to create the users in the Camunda DB. When a request comes in you may set the user and its roles on the IdentityService. In your subsequent API usage the user id and the authorization will be considered (if auth is enabled). If authorizations are disabled, then you only need the user id, not the groups/roles. If you want to provide neither and handle everything in your custom code, then you can just complete the task without the user's id (but you won't have the user info in the audit information).
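One way to wire this up, as an added example that is not from the original answer or from the Camunda project: a servlet filter that copies the Spring Security principal (already populated from the JWT by your own JWT filter) into the engine's IdentityService for the duration of one request. The ROLE_ prefix convention for mapping authorities to Camunda group ids and the javax.servlet API (pre-Jakarta Spring Boot) are assumptions.

```java
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.camunda.bpm.engine.IdentityService;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class CamundaAuthenticationFilter extends OncePerRequestFilter {
    // Assumption: Spring authorities look like ROLE_accounting and map to Camunda group id "accounting".
    private static final String GROUP_PREFIX = "ROLE_";
    private final IdentityService identityService; // engine service bean from camunda spring-boot-starter

    public CamundaAuthenticationFilter(IdentityService identityService) {
        this.identityService = identityService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            chain.doFilter(request, response); // no JWT principal: the engine sees an anonymous request
            return;
        }
        // Derive Camunda group ids from the JWT-backed authorities; no user row in the engine DB is needed.
        List<String> groupIds = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .filter(a -> a.startsWith(GROUP_PREFIX))
                .map(a -> a.substring(GROUP_PREFIX.length()))
                .collect(Collectors.toList());
        try {
            // Thread-local: with authorization enabled, the engine checks each API call against this identity.
            identityService.setAuthentication(auth.getName(), groupIds);
            chain.doFilter(request, response);
        } finally {
            // Always clear, otherwise the identity leaks into the next request served by this thread.
            identityService.clearAuthentication();
        }
    }
}
```

Register the filter so that it runs after the one that validates the JWT and fills the SecurityContext; as the answer notes, with authorization disabled only the user id matters and the group list can be empty.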

Related

How do I manage google groups and modify user attributes without domain wide delegation?

I want to give GSAs direct access to modify Google users. I can't find current docs on this, so I'm assuming it's not possible right now?
It looks like this is only possible for working with groups:
https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I need to give a GSA access to read group membership and also modify user attributes.
Right now I:
1. Create an admin G Suite user.
2. Create a GSA with domain-wide auth with these scopes:
   https://www.googleapis.com/auth/admin.directory.group
   https://www.googleapis.com/auth/admin.directory.user
3. Impersonate the G Suite user with the GSA and modify user attributes like this:
   # create_directory_service is the asker's own helper returning a Directory API client that impersonates the given user
   service = create_directory_service("G SUITE USER")
   # update the user identified by uKey with the attributes in myAttributes (both defined elsewhere)
   service.users().update(userKey=uKey, body=myAttributes).execute()
Do I still need domain wide delegation to modify user attributes? Or is it supported now as well?
You can follow this guide to create a Service Account, turn on the Admin SDK API (which allows the service account to provision/manage the users), and authorize it.
The Service Account created can be used then to provision/manage the G-Suite users, here is a guide on how to manage user accounts using the Directory API, which is part of the Admin SDK.
In short, yes it is possible to manage users too, by using Service Accounts, not just groups.

Flask authentication. How to inform the server of the user logged in on the client

I am creating a Flask app to be used internally in my company. I would like to restrict what a user can do based on their login ID. I read a lot about using LDAP3, but I don't think I can do what I want, which is to send the login ID to the server. There I would have a table which registers which parts of the system the user has permission to edit. If they try to change something not permitted, the app will return a warning message.
I want to do that to avoid having to create a separate login functionality just for this app. I read that I should use AD authentication, but I am not very familiar with that, and I would also like to avoid having to ask our IT department to create user groups there for each part of my system.
I know that I can do that using ASP .NET (at least I did once).
Any guidance will be appreciated.
I think you are looking for Role-based Authorization.
In order to use this functionality you will need to implement roles on your model file per the Data-models documentation.
This will allow you to assign users a role when they are created, and you can use a decorator on your routes to 'require' the user to have the role you want them to have before they access the endpoint.

WSO2 - Get active sessions for user

We are using WSO2 for authentication (SAML/SSO).
I don't know how to tell if a user is already logged in (in order to prevent concurrent logins). Other SO questions have indicated this is possible to know both with WSO2 IS Analytics and without. I would prefer not to have to run WSO2 IS Analytics as well (this is alluded to here, but never clarified). Further, I can see the IDN_AUTH_SESSION_STORE table being populated and referred to during login, but that is using SESSION_ID (which is passed by the commonAuth cookie).
So I'm looking for a direct answer to this question: during the Auth flow, how can we tell if the given user is already logged in?
Without using the analytics, querying logged in user sessions by a user is not supported out of the box in WSO2 Identity Server. Let me explain why.
When a user authenticates with the WSO2 Identity Server, a session is created. These sessions are stored as session context objects, against the commonAuthId cookie in the WSO2 implementation. Information about the logged-in user is inside these session objects. Therefore, if we want to get the session for a particular user, we have to query all active sessions and go through them one by one, matching the user.
As an alternative, you can write a custom data publisher module which persists session data against each user and then you can use these data to prevent concurrent logins. I have a blog post written for this exact use case.
Hope this helps.

WSO2 IS Secondary userstore from ldap explorer

I have WSO2 IS 5.3.0 with several user stores. I want to connect my app to the embedded LDAP and access the users in the secondary user stores, but I only see the users in the primary user store.
How can I see the users in the secondary user stores when I connect an application to the WSO2 IS LDAP?
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
Please follow this documentation[1] to configure multiple secondary user stores with WSO2 IS 5.3.0. Yes you can add multiple user stores to Identity Server and let the applications from outside see those as a single user store through Identity Server.
[1] https://docs.wso2.com/display/IS530/Configuring+Secondary+User+Stores
Is there some specific configuration I can use to connect to the LDAP so that I can see the whole set of users?
Multiple user stores are completely separate, with their own users, realm name, etc. In theory, your application could use the WSO2 IS API to access user information (with the realm prefix, so the user identity is userstore_realm\username).
But as already mentioned in the comments, you don't see multiple LDAP stores as a single LDAP.
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
What you could do is "inbound" user provisioning. Effectively, when a user is authenticated (using an external IS, a secondary user store, ...), the user could be provisioned (imported) into the primary user store.
Though it is possible, I won't recommend this approach, as you will have duplicates out of control (e.g. when resetting the password).

Django-Socialauth - How to associate multiple authentication providers to a single user account

Django-Social in its feature list claims that it supports associating multiple authentication providers to a single user account.
I can't seem to figure out how to use that feature.
When I try to login using a new authentication provider it automatically seems to be creating a new account for each provider.
Any ideas?
Sarvi
Take a look at django-social-auth; it's simpler and easier to set up than Django-Socialauth.
Multiple account association is supported but limited to logged in users to avoid the decision of which user instance must be removed.
it supports associating multiple authentication providers to a single user account
By looking at the code for models.py here, socialauth has a UserProfile for each provider, associating them to the User object which you use for basic authentication. So indeed, what it claims is true.
It can be done manually through admin once you have logged in with multiple accounts. Then the Socialauth models for the accounts can be adjusted to point at the User they are required to, and multiple accounts can point to the same user.
But I have not had a good enough look to work out how to let users do this automatically for themselves. It does not work out of the box if you sign in to another account while already signed in to an existing account.