[SPIKE] Restricting Basic Auth Access to a few users


Timeboxed to 3 days.

The new Keycloak-based architecture of APS allows the Activiti-Admin to work when configured with a fallback to basic-auth. (This is good because this function doesn't work at all today when working with the previous oAuth2 implementation!)

Yet customers might have 1000 end users whom they want to authenticate with, say, SAML, and 5 admin users for whom basic auth should be allowed (to facilitate the use of the admin console). The trick is that customers don't want to allow the 1000 end users to log in with basic auth, only the 5 admin users.

The purpose of this ticket is to understand an architecture to limit Basic-Auth to a specific set of users via Keycloak (hopefully it's only configuration).

Reasons for customers to configure oAuth and limit user access include:

  • Limiting the attack surface for the smaller number of Admin Users - since current APS architecture requires basic auth for admin app, we want to limit this attack surface whilst enabling the Admin App functionality.

  • Simplified Deployment and Customer Tool Integration - a lot of customer deployment scripts can work with Basic Auth, fewer can use other protocols.

  • Use of the share connector's impersonation feature - As identified in ACTIVITI-1715, the share connector feature of APS can use a single REST call. This call is believed to be BasicAuth only. Customers would also want to know that they can limit the attack surface by limiting to just the credentials passed in via the impersonation feature.

Research is performed into how to prevent a user from using a specific protocol, or more specifically Basic Auth, through Keycloak configuration. Provide documentation on the findings so the Alfresco Professional Services team has knowledge that they can then write up and use with customers. A natural output would be the ability to demo this.

If configuration is not possible (again this is not the desired state—but we could end up here), identify what kind of code (in Keycloak OR APS) would be needed and what APIs would it at a high level so a formal estimate can be issued. This output does not have to have a demo.



All Replies
October 31, 2020, 1:18 AM

[This issue has been reassigned to allreplies@alfresco.com as part of the Alfresco cloud migration project. The reporter of this issue was djohnson]



Flavian Gheorghiu

