Security - uol-esis/TH1 GitHub Wiki

> [!WARNING]
> We are not IT security experts and the setup may include oversights. Please inform us if you think something is not right about the configuration.

The API is secured using OAuth2. The development stack includes a Keycloak instance with an example realm as a reference for how to set up the IdP.

DO NOT USE THE EXAMPLE KEYCLOAK CONFIGURATION IN PRODUCTION!

On this page we summarize the most important configuration steps needed to get started. We do not explain how to set up Keycloak in the first place, nor how to harden it for production.

> [!NOTE]
> This tutorial uses Keycloak 26. In other versions, settings may be named differently or be set at a different time and/or place.

1. Inside the selected realm, create a new OpenID Connect (OIDC) client.
   - Choose an appropriate Client ID.
   - Leave the capability config at its default values.
   - Insert the URL and URIs according to your environment.
   - Hit Save.
2. Open the Client Details of your newly created client and add the following roles:
   - read:converter
   - read:feedback
   - read:tablestructure
   - write:converter
   - write:feedback
   - write:tablestructure
3. For easier role management you may now also create new composite roles and add selected previously defined roles to the new role.
   - The example uses the following two roles with the appropriate scopes:
     - user: has all scopes
     - visitor: has write:feedback, read:converter and read:tablestructure
4. With this setup done, you may now create users and grant them access to the application by assigning them the appropriate roles.
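Steps 1 to 3 can also be captured as a Keycloak realm-import file, which makes the development realm reproducible instead of click-configured. The script below is an added example and is not part of the TH1 repository or its example realm; the realm name `th1-dev`, the client ID `th1-api` and the frontend URL `http://localhost:3000` are assumptions to replace with your own values. It emits the client, the six client roles and the two composite roles listed above, refuses composites that reference undefined roles, and resolves which scopes a composite role actually grants so the least-privilege split between `user` and `visitor` can be checked before the realm is imported.

```python
"""Build a Keycloak realm-import fragment for the TH1 client roles.

Added example, not code from the TH1 project. Realm name, client ID and
frontend URL are assumptions; replace them with your environment's values.
"""
import json

# The six fine-grained client roles from the wiki page.
SCOPES = [
    "read:converter", "read:feedback", "read:tablestructure",
    "write:converter", "write:feedback", "write:tablestructure",
]

# The two composite roles from the wiki page: name -> roles it bundles.
COMPOSITES = {
    "user": list(SCOPES),
    "visitor": ["write:feedback", "read:converter", "read:tablestructure"],
}

REALM = "th1-dev"                   # assumption
CLIENT_ID = "th1-api"               # assumption: choose your own Client ID
APP_URL = "http://localhost:3000"   # assumption: your frontend origin


def validate(scopes, composites):
    """Reject role sets that would import but grant something unintended."""
    defined = set(scopes)
    if len(defined) != len(scopes):
        raise ValueError("duplicate scope name")
    for name, members in composites.items():
        if name in defined:
            raise ValueError(f"composite {name!r} collides with a scope name")
        unknown = set(members) - defined
        if unknown:
            raise ValueError(f"composite {name!r} references unknown scopes: {sorted(unknown)}")
        if len(set(members)) != len(members):
            raise ValueError(f"composite {name!r} lists a scope twice")
    return True


def build_realm(realm=REALM, client_id=CLIENT_ID, app_url=APP_URL):
    """Return a realm representation suitable for Keycloak's --import-realm."""
    validate(SCOPES, COMPOSITES)
    client = {
        "clientId": client_id,
        "protocol": "openid-connect",
        "enabled": True,
        # Capability config left at the UI defaults (step 1): public client,
        # standard flow and direct access grants on, implicit flow off.
        "publicClient": True,
        "standardFlowEnabled": True,
        "directAccessGrantsEnabled": True,
        "implicitFlowEnabled": False,
        "serviceAccountsEnabled": False,
        # URL and URIs "according to your environment" (step 1).
        "rootUrl": app_url,
        "redirectUris": [f"{app_url}/*"],
        "webOrigins": [app_url],
    }
    roles = [{"name": s, "clientRole": True, "composite": False} for s in SCOPES]
    for name, members in COMPOSITES.items():
        roles.append({
            "name": name,
            "clientRole": True,
            "composite": True,
            # Realm-export format: composites.client maps clientId -> role names.
            "composites": {"client": {client_id: sorted(members)}},
        })
    return {
        "realm": realm,
        "enabled": True,
        "clients": [client],
        "roles": {"client": {client_id: roles}},
    }


def effective_scopes(realm_doc, client_id, role_name):
    """Resolve a plain or composite client role to the set of scopes it grants."""
    roles = {r["name"]: r for r in realm_doc["roles"]["client"][client_id]}
    role = roles[role_name]
    if not role.get("composite"):
        return {role_name}
    granted = set()
    for member in role["composites"]["client"][client_id]:
        granted |= effective_scopes(realm_doc, client_id, member)
    return granted


if __name__ == "__main__":
    print(json.dumps(build_realm(), indent=2))
```

Write the output to a JSON file in Keycloak's import directory (`/opt/keycloak/data/import/` in the official container image) and start Keycloak with `--import-realm`. The wildcard `redirectUris` entry mirrors the permissive development setup; for a production realm, list the exact callback URIs instead, since a broad pattern lets the authorization code be delivered to any path under that origin.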