Timeboxed to 3 days.
The new Keycloak-based architecture of APS allows the Activiti-Admin app to work when configured with a fallback to basic auth. (This is good because this function doesn't work at all today with the previous OAuth2 implementation!)
Yet customers might have 1000 end users who want to authenticate with, say, SAML, and 5 admin users for whom basic auth should be allowed (to facilitate the use of the admin console). The trick is that customers don't want to allow the 1000 end users to log in with basic auth, only the 5 admin users.
The purpose of this ticket is to understand an architecture to limit Basic-Auth to a specific set of users via Keycloak (hopefully it's only configuration).
Reasons for customers to configure OAuth and limit user access include:
Limiting the attack surface for the smaller number of Admin Users - since the current APS architecture requires basic auth for the admin app, we want to limit this attack surface whilst enabling the Admin App functionality.
Simplified Deployment and Customer Tool Integration - a lot of customer deployment scripts can work with Basic Auth; fewer can use other protocols.
Use of the share connector's impersonation feature - as identified in ACTIVITI-1715, the share connector feature of APS can use a single REST call. This call is believed to be BasicAuth only. Customers would also want to know that they can limit the attack surface by restricting basic auth to just the credentials passed in via the impersonation feature.
Research is to be performed into how to prevent a user from using a specific protocol, or more specifically Basic Auth, through Keycloak configuration. Provide documentation on the findings so that the Alfresco Professional Services team has knowledge they can then write up and use with customers. A natural output would be to be able to demo this.
If configuration is not possible (again, this is not the desired state, but we could end up here), identify what kind of code (in Keycloak OR APS) would be needed and what APIs it would use, at a high level, so that a formal estimate can be issued. This output does not have to have a demo.
Keycloak 3.4.3 Doc: https://www.keycloak.org/archive/documentation-3.4.html
[This comment has been reassigned to firstname.lastname@example.org as part of the Alfresco cloud migration project. The author of this comment was djohnson] The result of this work is that this can be achieved through configuration: creating local users for only the admin users which use basic auth (the 5 users in the scenario), while the other 1000 users (in the scenario) are configured with the external IdP and its auth method (most likely SAML, OAuth2, etc.)
[This issue has been reassigned to email@example.com as part of the Alfresco cloud migration project. The reporter of this issue was djohnson]