Authentication
An identity provider is a system that vouches for the identity of a user. Its role is to authenticate the user and hand an authentication token to the service provider. Currently, phyloDB supports two identity providers, Google and Keycloak. Authentication in phyloDB follows the Bearer Token scheme detailed in RFC 6750: each request must carry an Authorization header whose value is the word Bearer, followed by a space and then the access token.
Once a user is authenticated with a provider, the access token returned by that provider can be used to authenticate to phyloDB. In addition, the query string must include the parameter "provider", which identifies the identity provider, for example https://...?provider=google. When the phyloDB application receives the access token, it introspects and validates it. A diagram of this process is shown below.
There are three main components: the client application (user), the application server (phyloDB), and the authorization server (e.g. Google or Keycloak). It is assumed that the client application has already obtained the access token, so step 1 starts with a request to the application server to perform a given operation. Once the application server receives it, step 2 begins: the application server sends a request to the authorization server to validate the token. In step 3 the authorization server validates the token and sends a response to the application server. Finally, in step 4, the application server proceeds with the operation and sends a response to the client.
Currently, the Phyloviz Web Platform is a deployed client application that uses this solution, with Keycloak as its authorization server.
The OAuth 2.0 APIs from Google, which conform to the OpenID Connect specification, are used to authenticate users. Hence, the authorization server of the framework relies on the Google Identity Provider, which authenticates client applications through any of its existing flows. Once the authentication process completes, an identity token is granted to the client application. That token must then be sent with each request to the application server so that the request can be authenticated.
To authenticate with Google, the user performing the request must first authenticate with Google and grant at least the 'https://www.googleapis.com/auth/userinfo.email' scope. That process is not detailed here; a guide to achieve it can be found here.
Keycloak is an open-source software product that enables single sign-on with Identity and Access Management capabilities. It is configured to use the OpenID Connect protocol.
In this case, the access token is requested with the following call (grant_type=password, the resource owner password credentials grant):
curl -d 'client_id=phylodb-client' -d "client_secret=..." -d 'username=...' --data-urlencode 'password=/...' -d 'grant_type=password' 'https://auth.phyloviz.net/realms/phyloviz-web-platform/protocol/openid-connect/token'
This returns a JSON body with the following format:
{
  "access_token" : "...",
  "expires_in" : ...,
  "not-before-policy" : .,
  "refresh_expires_in" : ...,
  "refresh_token" : "...",
  "scope" : "profile email",
  "session_state" : "...",
  "token_type" : "Bearer"
}
After this authentication, the access token can be used in requests to phyloDB, such as
curl -v --location --request GET 'http://localhost:8080/users?provider=phyloviz' --header "Authorization: Bearer $TOKEN"
where TOKEN holds the access_token value from the previous response.
As the request above shows, the access token is sent with the request to the application server so that the request can be authenticated, and the "provider" parameter identifies which identity provider the application server should validate the token against.
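The four-step flow above and the Bearer-plus-provider request shape, as an added server-side example (not phyloDB's own code): it extracts the token per RFC 6750, reads the provider parameter, and delegates validation to a per-provider introspector. The introspector signature, the "phyloviz" provider mapping and the token values are constructed stand-ins for the real authorization-server call.

```python
import re
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

# RFC 6750 credential syntax: the scheme name "Bearer" (case-insensitive), one
# space, then the b64token. Anything else is not a Bearer credential.
_BEARER_RE = re.compile(r"^Bearer ([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

# Hypothetical introspector: given a token, return the subject it belongs to,
# or None when the authorization server reports the token as invalid.
Introspector = Callable[[str], Optional[str]]

def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Step 1: pull the access token out of the Authorization header."""
    value = headers.get("Authorization", headers.get("authorization"))
    if value is None:
        return None
    match = _BEARER_RE.match(value.strip())
    return match.group(1) if match else None

def select_provider(url: str) -> Optional[str]:
    """Read the mandatory ?provider=... query parameter (exactly one value)."""
    values = parse_qs(urlsplit(url).query).get("provider", [])
    return values[0] if len(values) == 1 else None

def authenticate(url: str, headers: Dict[str, str],
                 introspectors: Dict[str, Introspector]) -> Dict[str, str]:
    """Steps 2-4 as a decision: {"status": ..., "subject" or "reason": ...}."""
    token = extract_bearer_token(headers)
    if token is None:
        return {"status": "401", "reason": "missing or malformed Bearer credentials"}
    provider = select_provider(url)
    if provider not in introspectors:
        return {"status": "400", "reason": "unknown or missing provider parameter"}
    subject = introspectors[provider](token)  # steps 2-3: ask the authorization server
    if subject is None:
        return {"status": "401", "reason": "token rejected by provider " + provider}
    return {"status": "200", "subject": subject}  # step 4: proceed with the operation

# Constructed stand-in for a Keycloak-backed "phyloviz" provider: one active token.
FAKE_TOKENS = {"tok-abc123": "alice@example.org"}
FAKE_INTROSPECTORS = {"phyloviz": lambda token: FAKE_TOKENS.get(token)}

if __name__ == "__main__":
    print(authenticate("http://localhost:8080/users?provider=phyloviz",
                       {"Authorization": "Bearer tok-abc123"}, FAKE_INTROSPECTORS))
```

A real introspector would perform the step 2 request to Google or Keycloak and map an inactive or expired token to None, which this code then turns into a 401.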