Authentication
This page describes the authentication and authorization functionality of the Flair BI application.
The Flair BI application uses Spring Security to manage authentication and authorization. It uses session-based authentication. Currently, three authentication mechanisms are supported:
- Application
- LDAP
- OAuth (Okta)
Authorization is always handled by the application layer. Flair BI is a single-page application, built entirely on REST principles. All requests to the application are secured except a few, such as the login page and password reset, which require anonymous access.
When a user provides credentials, those credentials are validated by the authentication filter chain. Application authentication is the first filter in the chain that tries to validate the user credentials. If the credentials are valid when checked against the database, the user is authenticated and redirected to the home page. If the credentials are not valid, Spring Security tries to validate the user with the next authentication mechanism in the filter chain.
This works with the default installation.
If application-layer authentication fails, the user credentials are validated against the configured LDAP server. If the credentials are valid, the user is replicated to the application database with a random, hashed password.
The user is replicated to the application database so that authorization for dashboards and views can be managed within the application.
This can be configured in the application-<profile>.yml file under the jhipster and ldapsettings keys:

```yaml
ldapsettings:
  url:
  base:
  userDn:
  password:
```

The values for these settings come from your LDAP server.
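As an added illustration of the chain described above (the database provider first, then LDAP, with the LDAP user replicated under a random hashed password), here is a Spring Security configuration; it is not Flair BI's own code. `UserRepository`, `User`, `LdapSettings` and the `uid` search attribute are assumptions, and `userDn`/`password` are read as the LDAP bind credentials.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collection;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
public class ChainedSecurityConfiguration extends WebSecurityConfigurerAdapter {
    private final UserDetailsService dbUsers;      // looks users up in the application database
    private final PasswordEncoder passwordEncoder;
    private final UserRepository userRepository;   // hypothetical: findOneByLogin(String), save(User)
    private final LdapSettings ldap;               // hypothetical holder for the ldapsettings.* keys
    public ChainedSecurityConfiguration(UserDetailsService dbUsers, PasswordEncoder passwordEncoder,
                                        UserRepository userRepository, LdapSettings ldap) {
        this.dbUsers = dbUsers; this.passwordEncoder = passwordEncoder;
        this.userRepository = userRepository; this.ldap = ldap;
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // ProviderManager tries providers in registration order: a BadCredentialsException from the database
        // provider falls through to LDAP, but a locked/disabled account raises AccountStatusException and stops the chain.
        auth.userDetailsService(dbUsers).passwordEncoder(passwordEncoder);
        auth.ldapAuthentication()
            .userSearchFilter("(uid={0})")                 // assumed login attribute; adjust to your directory
            .userDetailsContextMapper(new ReplicatingMapper())
            .contextSource()
                .url(ldap.getUrl() + "/" + ldap.getBase()) // the base DN travels in the URL
                .managerDn(ldap.getUserDn())               // userDn/password read as the bind credentials
                .managerPassword(ldap.getPassword());
    }
    // On LDAP success, replicate the user into the application database with a random password nobody knows,
    // so dashboard/view authorization is managed locally while the database provider can never match it.
    private class ReplicatingMapper extends LdapUserDetailsMapper {
        @Override
        public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                              Collection<? extends GrantedAuthority> authorities) {
            UserDetails details = super.mapUserFromContext(ctx, username, authorities);
            if (userRepository.findOneByLogin(username) == null) {
                byte[] random = new byte[32]; new SecureRandom().nextBytes(random);
                String hashed = passwordEncoder.encode(Base64.getEncoder().encodeToString(random));
                userRepository.save(new User(username, hashed)); // hypothetical entity constructor
            }
            return details;
        }
    }
}
```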
Users can also authenticate using Okta, which acts as the identity provider. Once a user has been authenticated by Okta, the user information is replicated to the application database to handle authorization.
This can be configured in the application-<profile>.yml file under the security and oauth2 keys:

```yaml
security:
  oauth2:
    client:
      # From OIDC app
      clientId:
      clientSecret:
      # From Authorization Server's metadata
      accessTokenUri:
      userAuthorizationUri:
      clientAuthenticationScheme: form
      scope: openid profile email
    resource:
      # from your Auth Server's metadata, check .well-known/openid-configuration
      # if not in .well-known/oauth-authorization-server
      userInfoUri:
      preferTokenInfo:
```

The values for these settings come from the Okta identity provider.
Tip: If you are using Docker, pass these settings as environment variables from your Docker Compose file.
Did you find what you were looking for? If not, please feel free to raise an issue. Any pull requests are welcome! 🙇