Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add kratos subject webhook endpoint #945

Open
wants to merge 31 commits into
base: feature/ory-based-authorization
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
50dc20b
Add kratos webhook endpoint for creating subjects through webhook
mpgxvii Aug 28, 2024
d1588ba
Separate out subject, researcher, admin identities
mpgxvii Aug 28, 2024
fc28314
Fix Kratos Identity class
mpgxvii Aug 28, 2024
b81e0fd
Fix formatting
mpgxvii Aug 28, 2024
d95a03b
Remove separate user identity property
mpgxvii Sep 9, 2024
54600d3
Remove kratosId from user dialog
mpgxvii Sep 9, 2024
d9999ef
Send activation email from Kratos directly
mpgxvii Sep 9, 2024
60f0fa4
Add support for projects in Kratos identity
mpgxvii Sep 10, 2024
157b915
Fix getting project in webhook
mpgxvii Sep 11, 2024
6f1110a
Fix scopes
mpgxvii Sep 13, 2024
632052c
Merge branch 'feature/ory-based-authorization' of https://github.com/…
mpgxvii Sep 16, 2024
b5f63b3
Merge branch 'minor-fixes' of https://github.com/RADAR-base/Managemen…
mpgxvii Sep 25, 2024
c4ff72f
Add specify project user id when creating subject
mpgxvii Sep 28, 2024
30ac797
Update Project class to include user id
mpgxvii Sep 28, 2024
580959c
Update subject activation endpoint to use project user id
mpgxvii Sep 28, 2024
932f131
Merge branch 'feature/ory-based-authorization' of https://github.com/…
mpgxvii Sep 30, 2024
fcfe271
Update Authservice and LoginEndpoint configs
mpgxvii Oct 8, 2024
968dae8
Refactor IdentityService to remove similar methods
mpgxvii Nov 25, 2024
a18bc56
Add support for updating identity server with changes in Subject and …
mpgxvii Nov 25, 2024
ac468e4
Rename userService method
mpgxvii Nov 25, 2024
a203098
Save identity id when creating user
mpgxvii Nov 26, 2024
ca378a0
Format SubjectService
mpgxvii Nov 26, 2024
5e52a1f
Fix tests
mpgxvii Nov 26, 2024
f5f9b33
Fix tests
mpgxvii Nov 26, 2024
0ea522d
Wrap updating of identity in try catch block in subject service
mpgxvii Nov 26, 2024
1c27e75
Check IdentityService is enabled before calling methods
mpgxvii Nov 26, 2024
3e83eb4
Fix scopes in login endpoint
mpgxvii Dec 3, 2024
d623939
Update IdentityService to patch existing identity instead of replacing
mpgxvii Dec 12, 2024
a80f662
Remove unnecessary check if IdentityService is enabled
mpgxvii Jan 12, 2025
c0b5c01
Add check for kratos identity before creating subject through webhook
mpgxvii Jan 12, 2025
baa9297
Revert unnecessary changes
mpgxvii Jan 12, 2025
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -45,15 +45,21 @@ class KratosSessionDTO(
)

@Serializable
class Identity(
data class Verification(
val id: String? = null,
val type: String? = null
)

@Serializable
data class Identity(
var id: String? = null,
val schema_id: String? = null,
val schema_url: String? = null,
val state: String? = null,
@Serializable(with = InstantSerializer::class)
val state_changed_at: Instant? = null,
val traits: Traits? = null,
val metadata_public: Metadata? = null,
var metadata_public: Metadata? = null,
@Serializable(with = InstantSerializer::class)
val created_at: Instant? = null,
@Serializable(with = InstantSerializer::class)
Expand All @@ -63,16 +69,16 @@ class KratosSessionDTO(


fun parseRoles(): Set<AuthorityReference> = buildSet {
if (metadata_public?.authorities?.isNotEmpty() == true) {
for (roleValue in metadata_public.authorities) {
metadata_public?.authorities?.takeIf { it.isNotEmpty() }?.let { authorities ->
for (roleValue in authorities) {
val authority = RoleAuthority.valueOfAuthorityOrNull(roleValue)
if (authority?.scope == RoleAuthority.Scope.GLOBAL) {
add(AuthorityReference(authority))
}
}
}
if (metadata_public?.roles?.isNotEmpty() == true) {
for (roleValue in metadata_public.roles) {
metadata_public?.roles?.takeIf { it.isNotEmpty() }?.let { roles ->
for (roleValue in roles) {
val role = RoleAuthority.valueOfAuthorityOrNull(roleValue)
if (role?.scope == RoleAuthority.Scope.GLOBAL) {
add(AuthorityReference(role))
Expand All @@ -87,16 +93,31 @@ class KratosSessionDTO(
class Traits (
val name: String? = null,
val email: String? = null,
val projects: List<Project>? = null,
)

@Serializable
class Project (
val id: String? = null,
val userId: String? = null,
val name: String? = null,
)

@Serializable
class Metadata (
val roles: List<String>,
val authorities: Set<String>,
val scope: List<String>,
val sources: List<String>,
val aud: List<String>,
val mp_login: String?
val roles: List<String> = emptyList(),
val authorities: Set<String> = emptySet(),
val scope: List<String> = emptyList(),
val sources: List<String> = emptyList(),
val aud: List<String> = emptyList(),
val mp_login: String? = null,
)

@Serializable
data class JsonMetadataPatchOperation(
val op: String,
val path: String,
val value: Metadata
)

fun toDataRadarToken() : DataRadarToken {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "user",
"title": "user",
"$id": "admin",
"title": "admin",
"type": "object",
"properties": {
"traits": {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "researcher",
"title": "researcher",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 5,
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
},
"totp": {
"account_name": true
}
},
"verification": {
"via": "email"
},
"recovery": {
"via": "email"
}
}
}
},
"required": ["email"]
}
},
"additionalProperties": false
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "subject",
"title": "subject",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 5,
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
},
"totp": {
"account_name": true
}
},
"verification": {
"via": "email"
},
"recovery": {
"via": "email"
}
}
}
},
"required": ["email"]
}
},
"additionalProperties": false
}
12 changes: 8 additions & 4 deletions src/main/docker/etc/config/kratos/kratos.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ selfservice:
enabled: true
use: code
after:
default_browser_return_url: http://localhost:3000/consent
default_browser_return_url: http://localhost:3000/study-consent

logout:
after:
Expand Down Expand Up @@ -78,10 +78,14 @@ hashers:
key_length: 16

identity:
default_schema_id: user
default_schema_id: subject
schemas:
- id: user
url: file:///etc/config/kratos/identities/identity.schema.user.json
- id: subject
url: file:///etc/config/kratos/identities/identity.schema.subject.json
- id: researcher
url: file:///etc/config/kratos/identities/identity.schema.researcher.json
- id: admin
url: file:///etc/config/kratos/identities/identity.schema.admin.json

courier:
smtp:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ class SecurityConfiguration
.skipUrlPattern(HttpMethod.GET, "/api/redirect/**")
.skipUrlPattern(HttpMethod.GET, "/api/profile-info")
.skipUrlPattern(HttpMethod.GET, "/api/logout-url")
.skipUrlPattern(HttpMethod.POST, "/api/kratos/**")
.skipUrlPattern(HttpMethod.GET, "/oauth2/authorize")
.skipUrlPattern(HttpMethod.GET, "/images/**")
.skipUrlPattern(HttpMethod.GET, "/css/**")
Expand All @@ -111,6 +112,7 @@ class SecurityConfiguration
.antMatchers("/api/activate")
.antMatchers("/api/sitesettings")
.antMatchers("/api/redirect/**")
.antMatchers("/api/kratos/**")
.antMatchers("/api/account/reset_password/init")
.antMatchers("/api/account/reset_password/finish")
.antMatchers("/test/**")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -104,8 +104,12 @@ class AuthService(

suspend fun fetchAccessToken(code: String): String {
val tokenUrl = "${managementPortalProperties.authServer.serverUrl}/oauth2/token"
val clientId = managementPortalProperties.frontend.clientId
val clientSecret = managementPortalProperties.frontend.clientSecret
val authHeader = "Basic " + Base64.getEncoder().encodeToString("$clientId:$clientSecret".toByteArray())
val response =
httpClient.post(tokenUrl) {
headers { append(HttpHeaders.Authorization, authHeader) }
contentType(ContentType.Application.FormUrlEncoded)
accept(ContentType.Application.Json)
setBody(
Expand All @@ -114,11 +118,11 @@ class AuthService(
append("code", code)
append(
"redirect_uri",
"${managementPortalProperties.common.baseUrl}/api/redirect/login"
"${managementPortalProperties.common.managementPortalBaseUrl}/api/redirect/login"
)
append(
"client_id",
managementPortalProperties.frontend.clientId
clientId
)
}
.formUrlEncode(),
Expand Down
Loading
Loading