
Add OIDC provider

Concept

Flowify uses a token-based authentication system built on the AuthClient and User interfaces in "github.com/equinor/flowify-workflows/auth" and "github.com/equinor/flowify-workflows/user". This is a plugin architecture: each project can implement its own way of authenticating and authorizing users and requests.

The authentication layer is placed as a middleware that processes incoming requests. An auth implementation typically grants access and authorizes users based on the 'Authentication' and 'Authorization' headers, but this is not mandated.

Details

The User interface

// tightly modelled on JWT: http://jwt.io
type User interface {
    // a unique id connected with each user, e.g. Azure's oid token claim
    GetUid() string
    // the full name of a user; not used for identification, only for searching and ordering
    GetName() string
    // the user's email address
    GetEmail() string
    // the roles that a user has been granted, to be used in access control
    GetRoles() []Role
}

The AuthClient interface

package auth

import (
    "net/http"

    "github.com/equinor/flowify-workflows/user"
)

type AuthClient interface {
    // The authentication layer is performed as a middleware before any resources
    // can be accessed
    //  * If the authentication returns a non-nil error the middleware
    //    stops the processing and returns an error response
    //  * If the error is nil the user object is required to be valid
    Authenticate(r *http.Request) (user.User, error)
}

Implementing the AuthClient interface

The auth package contains a mock implementation that reads a static user on server startup, and always passes authentication with the credentials of the given user.

// the mock authenticator can be used for testing
type MockAuthenticator struct {
    User user.MockUser
}

func (m MockAuthenticator) Authenticate(r *http.Request) (user.User, error) {
    return m.User, nil
}

Retrieving user information for a granted request

When a request is granted access, further processing is done with an augmented Context containing the given User implementation. This User interface object can be queried for Roles used to authorize access to resources that require access control (RBAC).

The user package contains the following utility to simplify access:

// retrieve a User object from the context if available, otherwise return nil
func GetUser(ctx context.Context) User

All handlers in the API are required to have this context.
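Putting the three steps together, the following is an added example (not Flowify's own code) of an AuthClient that resolves a bearer token, the middleware that attaches the resulting User to the request context, and a GetUser helper in the style of the user package. The User and AuthClient interfaces are assumed local copies so it runs offline, and the token table is a constructed stand-in for real OIDC token validation.

```go
package main

import (
	"context"
	"errors"
	"net/http"
	"strings"
)

// Assumed local copies of the flowify user.User and auth.AuthClient interfaces (not the real packages).
type Role string
type User interface {
	GetUid() string
	GetName() string
	GetEmail() string
	GetRoles() []Role
}
type AuthClient interface {
	Authenticate(r *http.Request) (User, error)
}

// staticUser is a constructed User implementation for this example.
type staticUser struct{ uid, name, email string; roles []Role }
func (u staticUser) GetUid() string   { return u.uid }
func (u staticUser) GetName() string  { return u.name }
func (u staticUser) GetEmail() string { return u.email }
func (u staticUser) GetRoles() []Role { return u.roles }

// BearerAuthClient resolves the Authorization bearer token to a User. The constructed token table
// stands in for the OIDC validation (signature, issuer, audience, expiry) a real client must perform.
type BearerAuthClient struct{ Tokens map[string]User }
func (b BearerAuthClient) Authenticate(r *http.Request) (User, error) {
	h := r.Header.Get("Authorization")
	if u, ok := b.Tokens[strings.TrimPrefix(h, "Bearer ")]; ok && strings.HasPrefix(h, "Bearer ") {
		return u, nil
	}
	return nil, errors.New("missing or unknown bearer token")
}

type ctxKey struct{}
// GetUser mirrors the user package helper: the context User if present, otherwise nil.
func GetUser(ctx context.Context) User { u, _ := ctx.Value(ctxKey{}).(User); return u }

// AuthMiddleware runs Authenticate before any handler: a non-nil error stops processing with 401,
// otherwise the User is attached to the request context so handlers can call GetUser.
func AuthMiddleware(a AuthClient, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, err := a.Authenticate(r)
		if err != nil || u == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, u)))
	})
}
```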