Authentication and Authorization
The default way to Authenticate a user with in the Dossier Organizer application, is by using an OAuth 2 provider. OAuth is an open standard and there are Numerous public providers like Microsoft, Apple, Google, Amazon and many more. Alternatively you can also use closed and self Hosted solutions like KeyCloak.
Note: It is recommended to set a shorter lifetime for the OAuth tokens. Shorter token lifetimes reduce the risk of token misuse in case they are compromised. This ensures that even if a token is intercepted, it will only be valid for a limited period, minimizing potential damage.
Code Flow + PKCE
Dossier Organizer uses the Authorization Code Flow with PKCE (Proof Key for Code Exchange) as the OAuth 2.0 flow by default. This modern approach has replaced the deprecated Implicit Flow.
Setup
The First step will be to connect Dossier Organizer to the Oauth provider. For this process we need a few pieces of information form the third party system:
- A
Client Idand/orclient Id URI. To get This ID you need register a new client on your OAuth provider. Depending on your provider system this ID can be freely chosen, or it will be generated during the setup process. The setup varies depending on OAuth provider but will always entail an ID associated with the newly created client. TheClient Id URIis only used when using Azure as an authentication provider. - An OAuth
Issueris a named external system that provides identity and API access by issuing OAuth access tokens. The issuer should be referred to using a URL. - A
scopeis a set of named "permission grants" which the user has to be able to access. These scopes are often managed by the organization and are used to Authenticate user groups on specific clients. - A 'redirectUrl' is the URL to which the OAuth provider will redirect the user after successful authentication. Note that the redirect URL must be registered with the OAuth provider and must match it exactly to prevent attacks
After the Setup Process on the provider side this details have to be included in the deployment of Dossier Organizer using the Helm values. For an exact description on how to use the Helm Configuration please Refer to our Kubernetes deployment.
Access Control
As a basis Dossier Organizer will require a valid authentication to provide any service to a requesting user. Unauthenticated users have no access using the UI or any API endpoint. If using the provided UI the User will be prompted to log in, if the Authentication is not already present.
For a finer rights management, the fusion framework allows configuring so-called Authorization Policy files. These Authorization Policies allow restrictions based on:
- user roles
- permissions on resources
- permissions on actions
Authorization Policy Configuration
Authorization is implemented by defining AccessRules configuration file which restricts or allows access to specific functionality and resources of the product integration. These rules can be provided by adding them as additional files to the deployment. For further Information refer to the customization section.
As a default a simple Access Policy is provided that allows any authenticated user to access everything, if no other access policy is provided. This default policy is very basic and its definition can be used as an example:
{
"_version": "1970-01-01",
"validFrom": "1970-01-01T00:00:00.000+0000",
"description": "Allow everything",
"rules": [
{
"name": "Allow everything with claim resource_access.neverpile-fusion.roles contains 'reader'",
"effect": "ALLOW",
"resources": [ "*" ],
"actions": [ "*" ],
"subjects": [ "claim:resource_access['neverpile-fusion'].roles.contains('reader')" ]
}
],
"default_effect": "DENY"
}
If you want to implement a specific ruleset for your integration, feel free to contact our team at levigo, and we will help to create a matching configuration.
For more information about how to use Access policies please refer to the Access Policies Section