
Add RBAC with Azure AD authentication provider #3077

Merged
merged 26 commits into from
Jan 29, 2024

Conversation

apedroferreira
Member

@apedroferreira apedroferreira commented Jan 12, 2024

  • Add RBAC based on provider roles.
  • Add Azure Active Directory (AD) as authentication provider, the first one with roles enabled.
  • Add role mapping from provider role names to Toolpad role names, set via UI in application.yml.
  • Disallow users from accessing pages if they don't have the correct roles (client-side only, as our routing for these pages is client-side? Should we also try to block by HTTP somehow or is it not worth it?). In a separate PR I am disallowing queries from being called if the user does not have the necessary roles, if possible, just need to finish it up if needed, it's outdated right now (Protect runtime RPC with authorization #3034)
  • Hide inaccessible pages in sidebar + show message that page is inaccessible if user somehow still navigates to them.

Will add to documentation in the authentication/authorization documentation PR: #3067
Also to cover in authentication/authorization tests in: #3056

Video

Screen.Recording.2024-01-16.at.18.30.53.mov

It's possible to assign multiple provider roles to a Toolpad role by separating the roles with commas, such as `admin, reader,writer`.

@apedroferreira apedroferreira added the new feature New feature or request label Jan 12, 2024
@apedroferreira apedroferreira self-assigned this Jan 12, 2024
@github-actions github-actions bot added the PR: out-of-date The pull request has merge conflicts and can't be merged label Jan 12, 2024
@github-actions github-actions bot removed the PR: out-of-date The pull request has merge conflicts and can't be merged label Jan 16, 2024
package.json Outdated
@@ -98,7 +98,7 @@
"engines": {
"npm": "please-use-yarn",
"node": ">=18",
"pnpm": "8.7.0"
"pnpm": ">=8.7.0"
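Review bot: relaxing `engines.pnpm` from the exact `"8.7.0"` to the range `">=8.7.0"` lets contributors and CI install with different pnpm versions, which is the opposite of what a toolchain pin is for; if the goal is reproducible installs, keep an exact version here (whichever the team settles on) and add a short comment or contributing note saying it is pinned on purpose, so the next person who has a newer pnpm installed does not loosen it again.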
Member Author

Is this fine or should I use this specific version of pnpm? I had a more recent one installed.

Member

I was hoping we could pin the pnpm version, just like we used to do with yarn

Member Author

So I should use 8.7.0? Why are we not using a more recent version?
Anyway I can switch, no problem, I guess it's safer against weird issues if we all use the same version.

Member

@Janpot Janpot Jan 22, 2024

> Why are we not using a more recent version?

Because I haven't yet fully figured out how to enforce this in circleci, netlify, and codesandbox ci simultaneously.

@apedroferreira apedroferreira changed the title Add Azure AD authentication provider Add RBAC with Azure AD authentication provider Jan 16, 2024
@apedroferreira apedroferreira marked this pull request as ready for review January 16, 2024 17:21
@apedroferreira apedroferreira requested a review from a team January 16, 2024 17:21
@apedroferreira
Member Author

apedroferreira commented Jan 16, 2024

I saw something else wrong in the video - the admin-only page is showing when it shouldn't, feel free to wait before reviewing until I add some fix. Fixed, video updated.


const SKIP_VERIFICATION_PROVIDERS: AuthProvider[] = [
// Azure AD should be fine to skip as the user has to belong to the organization to sign in
'azure-ad',
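Review bot: the justification in the comment ("the user has to belong to the organization to sign in") is an assumption about how the Azure AD app registration is configured, not something this list enforces; because skipping e-mail verification is a security decision, spell that assumption out in the comment (single-tenant registration, so every account that can complete sign-in is a directory member) and keep it as the bar any future provider must meet before being added to `SKIP_VERIFICATION_PROVIDERS`.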
Member Author

Also they don't return any data that allows us to determine if emails are verified, from what I searched.

@github-actions github-actions bot added the PR: out-of-date The pull request has merge conflicts and can't be merged label Jan 18, 2024
@@ -82,6 +83,26 @@
]
},
"description": "Available roles for this application. These can be assigned to users."
},
"roleMappings": {
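Review bot: `roleMappings` is introduced as a top-level property next to `roles`, but unlike `roles` the visible lines carry no `description`; add one, and since the source role names are only meaningful for one specific provider, consider nesting the mapping under each provider's entry rather than keeping a single global map.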
Member

Intuitively this feels like a provider specific property. e.g. how would this work under Google/GitHub?
I'd sort of have expected something like:

```yaml
providers:
  - provider: 'azure-ad'
    roles:
      - source:
          - my-azure-role
          - my-other-azure-role
        target: my-toolpad-role
```

Also, UI doesn't really have priority right now. I'm fine to release this with config only
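The provider-nested mapping sketched in the comment above, and the page-access rule from the PR description (users without the right role may not open a page), as an added example that is not Toolpad's own code. The type names, the `PageAuthorization` shape, the `App.*` provider role names and the sample configuration are all assumptions constructed for the example; only the `providers` / `roles` / `source` / `target` layout follows the suggestion in the thread.

```typescript
// Added example, not Toolpad's own code: role mapping in the provider-nested
// shape suggested in review, plus a deny-by-default page access check.
// Type names, role names and the PageAuthorization shape are assumptions.

type ProviderName = 'azure-ad' | 'github' | 'google';

interface RoleMapping {
  source: string[]; // role names as the provider reports them
  target: string; // a role declared in AuthorizationConfig.roles
}

interface ProviderConfig {
  provider: ProviderName;
  roles?: RoleMapping[]; // absent for providers that expose no roles
}

interface AuthorizationConfig {
  roles: string[]; // roles declared for the application
  providers: ProviderConfig[];
}

// Hypothetical per-page rule: a page lists the roles allowed to open it.
interface PageAuthorization {
  allowedRoles?: string[];
}

// Constructed sample configuration; the role names are made up.
const sampleConfig: AuthorizationConfig = {
  roles: ['admin', 'editor', 'viewer'],
  providers: [
    {
      provider: 'azure-ad',
      roles: [
        { source: ['App.Admin'], target: 'admin' },
        { source: ['App.Editor', 'App.Writer'], target: 'editor' },
        { source: ['App.Reader'], target: 'viewer' },
        // Targets a role that is not declared above; it must grant nothing.
        { source: ['App.Legacy'], target: 'superuser' },
      ],
    },
    { provider: 'github' }, // no roles: users from here get none
  ],
};

// Translate the roles a provider reports for a signed-in user into the
// application's roles. Matching is exact and case-sensitive; a mapping whose
// target was never declared grants nothing, so a config typo cannot mint a role.
function mapProviderRoles(
  config: AuthorizationConfig,
  provider: ProviderName,
  providerRoles: string[],
): string[] {
  const providerConfig = config.providers.find((p) => p.provider === provider);
  if (!providerConfig || !providerConfig.roles) {
    return [];
  }
  const declared = new Set(config.roles);
  const held = new Set(providerRoles);
  const granted = new Set<string>();
  for (const mapping of providerConfig.roles) {
    if (!declared.has(mapping.target)) {
      continue;
    }
    if (mapping.source.some((name) => held.has(name))) {
      granted.add(mapping.target);
    }
  }
  return Array.from(granted).sort();
}

// Deny by default: a page with no allowedRoles is reachable by nobody, and a
// user needs at least one of the listed roles.
function canAccessPage(page: PageAuthorization, userRoles: string[]): boolean {
  const allowed = page.allowedRoles ?? [];
  return allowed.some((role) => userRoles.includes(role));
}

// Stand-alone demonstration.
const demoRoles = mapProviderRoles(sampleConfig, 'azure-ad', ['App.Writer', 'App.Reader']);
console.log(demoRoles); // ['editor', 'viewer']
console.log(canAccessPage({ allowedRoles: ['admin'] }, demoRoles)); // false
```

Two design points matter for the client-side-only question raised in the PR description: the mapping is computed from what the provider asserts about the user, not from anything the browser sends, and hiding a page in the sidebar is presentation only, so the same `canAccessPage` decision (or the query-level check from the linked #3034) has to run on the server before any data for that page is returned.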

Member Author

You're right, I'll make that change, seems better. The UI is already done so should be easy to keep now.

Member Author

I've changed the schema here: 2075577

The schema definition is much better like this too.

@github-actions github-actions bot removed the PR: out-of-date The pull request has merge conflicts and can't be merged label Jan 25, 2024
@github-actions github-actions bot added the PR: out-of-date The pull request has merge conflicts and can't be merged label Jan 25, 2024
Member

@Janpot Janpot left a comment

👍 Looking good

@github-actions github-actions bot removed the PR: out-of-date The pull request has merge conflicts and can't be merged label Jan 29, 2024
@apedroferreira apedroferreira merged commit 6435f8f into mui:master Jan 29, 2024
11 checks passed
@apedroferreira apedroferreira deleted the auth-azure-ad-provider branch January 29, 2024 16:13