JASPER-551: Implement a mapping field in JASPER that can be used to derive the PCSS user details (PART 2)#458
Conversation
- Create OnPostAuthSuccess method to isolate processing of user info after authentication.
api/Infrastructure/Authentication/AuthenticationServiceCollectionExtension.cs
Some of what's contained in this code is related to what Devin is doing here; #457. So there might be some co-ordination required.
It's fine to populate the user account in JASPER with some basic information regarding a user authenticated by KeyCloak, but we still need to verify and validate (authorize) their access to JASPER before providing any access.
Short term:
- If the user is not assigned to one of the known, expected, KeyCloak groups - then access denied.
Long term:
- Existing account - access granted based on their account status (enabled/disabled), and assigned roles and permissions.
- First time login - Populate basic account info (only if they request access or have a PCSS account), then verify and validate the request
- Check with PCSS (if/when possible) - User has a valid account, configure their JASPER account accordingly and grant them equivalent access to JASPER.
- No existing PCSS account - Provide the user with the option to request access.
- Regardless of whether the user requests access - Notify an admin there was a failed login attempt.
- User requests access - Notify an admin of the request and provide a link to the pre-populated account info for review and approval.
Hey Wade, Ronnie and I talked about this, and we think this logic is consistent with the goals you've listed above. Primarily, this is because Ronnie is only creating a skeleton user during login here - the logic surrounding the judge assignment as well as roles and permissions will not execute unless there is corresponding data in PCSS/Mongo.
However, Ronnie will need to update this to set the skeleton user to disabled.
So when a user logs in for the first time, this logic will run, the skeleton user gets created (which allows an admin to track failed authorization attempts). Next the frontend will redirect the user to the access request page, where they have the option of requesting access. This will allow the user to set a flag indicating their request for admin review.
Of course, the missing part here is the PCSS role synchronization, but that will come in its own PR.
| LastName = context.Principal.FindFirstValue(ClaimTypes.Surname), | ||
| Email = context.Principal.Email(), | ||
| UserGuid = context.Principal.UserGuid(), | ||
| IsActive = true |
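Review bot: `IsActive = true` enables the skeleton account at the moment it is created on first login, which contradicts the access model agreed in this thread (a first-time user is created disabled and only enabled after an admin reviews the access request). Suggest `IsActive = false` here so that a newly provisioned account grants nothing until approved.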
as discussed, this should be false.
…nt access to this user first.
|
| try | ||
| { | ||
| var userService = context.HttpContext.RequestServices.GetRequiredService<IUserService>(); | ||
| var userDto = await userService.GetWithPermissionsAsync(context.Principal.Email()); |
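Review bot: `userService.GetWithPermissionsAsync(context.Principal.Email())` keys the account lookup on the email claim, so a user whose email changes will not be matched and the create path below will provision a second account for the same person. Suggest looking the user up by a stable identifier instead, such as the `UserGuid` claim this change already captures (`UserGuid = context.Principal.UserGuid()`), and treating email as a display attribute only.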
@ronaldo-macapobre Looking through this again and I'm not sure this is safe, as this will create a new user if the user's email changes. I think in most cases email is stable but may not always be - I know in the case of sso standard they recommend that the preferred_username guid is used instead.
I see, thanks for catching that. I only used the email for duplicate checking as a quick safeguard, but we can definitely update it. I’ll switch the code to use preferred_username when I pick up a future story that involves this.
Pull Request for JIRA Ticket: JASPER-551
Issue ticket number and link
https://jira.justice.gov.bc.ca/browse/JASPER-551
Description
- UserGuid, NativeGuid and JudgeId to User and UserDto objects. UserGuid is populated automatically with idir_user_guid from Keycloak while NativeGuid and JudgeId will be populated manually which will help JASPER locate the PCSS User info of the currently logged on user.
- OnPostAuthSuccess function to determine the appropriate judgeId and homeLocationId to load depending on the authenticated user.
Type of change
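As an added example (not code from this PR or the JASPER project), below is a version of an OnPostAuthSuccess handler that applies the rules raised in the review thread and described in this PR: deny the login unless the principal belongs to an expected Keycloak group, create the first-login skeleton account disabled rather than enabled, and key the account lookup on the stable guid claim instead of the email. The "groups" and "idir_user_guid" claim names, the sample group names, the IUserService methods GetByUserGuidAsync/CreateAsync and the stand-in UserDto shape are assumptions; only GetWithPermissionsAsync, Email(), UserGuid() and the UserDto property names appear on the page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Stand-in for the PR's UserDto (assumed shape; only the property names seen in the diff are used).
public class UserDto
{
    public string? FirstName { get; set; }
    public string? LastName { get; set; }
    public string? Email { get; set; }
    public string? UserGuid { get; set; }
    public bool IsActive { get; set; }
}

public interface IUserService
{
    // Hypothetical methods: the PR only shows GetWithPermissionsAsync(email).
    Task<UserDto?> GetByUserGuidAsync(string userGuid);
    Task<UserDto> CreateAsync(UserDto user);
}

public static class ClaimsPrincipalExtensions
{
    // Assumed equivalents of the PR's Email()/UserGuid() helpers; the claim names are assumptions.
    public static string? Email(this ClaimsPrincipal p) => p.FindFirstValue(ClaimTypes.Email);
    public static string? UserGuid(this ClaimsPrincipal p) => p.FindFirstValue("idir_user_guid");
}

public static class PostAuthSuccessHandler
{
    // Assumed Keycloak groups permitted to enter JASPER at all (constructed sample values).
    private static readonly HashSet<string> ExpectedGroups =
        new(StringComparer.Ordinal) { "/jasper-users", "/jasper-admins" };

    public static async Task OnPostAuthSuccess(TokenValidatedContext context)
    {
        var principal = context.Principal ?? throw new InvalidOperationException("No principal on token");
        var services = context.HttpContext.RequestServices;
        var logger = services.GetRequiredService<ILoggerFactory>().CreateLogger("PostAuthSuccess");

        // Refuse tokens that carry no stable identifier; nothing can be keyed on them safely.
        var guid = principal.UserGuid();
        if (string.IsNullOrEmpty(guid))
        {
            context.Fail("Token carries no stable user identifier.");
            return;
        }

        // Short-term rule from the review: not in an expected Keycloak group => access denied,
        // before any JASPER account is read or created. The "groups" claim name is assumed.
        var groups = principal.FindAll("groups").Select(c => c.Value);
        if (!groups.Any(g => ExpectedGroups.Contains(g)))
        {
            logger.LogWarning("Login denied for user {UserGuid}: not in an expected Keycloak group", guid);
            context.Fail("User is not a member of an expected group.");
            return;
        }

        var userService = services.GetRequiredService<IUserService>();

        // Key the lookup on the stable identifier, not the email, so an email change
        // cannot miss the existing row and provision a duplicate account.
        var user = await userService.GetByUserGuidAsync(guid);
        if (user is null)
        {
            // First login: create a disabled skeleton. It gives admins a record of the attempt
            // and lets the access-request page attach a request to it, but grants nothing.
            user = await userService.CreateAsync(new UserDto
            {
                FirstName = principal.FindFirstValue(ClaimTypes.GivenName),
                LastName = principal.FindFirstValue(ClaimTypes.Surname),
                Email = principal.Email(),
                UserGuid = guid,
                IsActive = false
            });
            logger.LogWarning("First login for {UserGuid}: disabled skeleton account created, pending admin review", guid);
        }

        // Existing account: authentication is done here. Whether the session may reach any
        // feature is decided downstream from IsActive plus the roles and permissions loaded
        // for the account; the frontend sends a disabled user to the access-request page.
        if (!user.IsActive)
        {
            logger.LogInformation("Authenticated user {UserGuid} has a disabled JASPER account", guid);
        }
    }
}
```

The handler is wired as the OpenID Connect OnTokenValidated event; the ordering matters: the group check runs before any database access, so unexpected principals never cause a row to be written, and the skeleton row is the only side effect for a first-time user who does pass the group check.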
How Has This Been Tested?
Checklist: