[midPoint] REST authentication
Radovan Semancik
radovan.semancik at evolveum.com
Thu Dec 8 14:30:41 CET 2016
Hi Pertti,
Current midPoint REST interface implementation does not really support
this use. The REST interface was designed primarily for
backend-to-backend use. The interface hasn't changed much since it was
created several years ago. We have tried to secure funding to improve
the REST interface, but for a long time it looked like this is not a
priority for midPoint subscribers.
It is unlikely that the REST interface could be easily configured for
this. Yet, it might be possible to modify midPoint code for your use
case. But I think that it will not be straightforward. The Java world is
not entirely unified when it comes to authentication and authorization.
We are using Spring Security for most of the authentication and
web-focused authorization. But the REST framework has a completely separate
authentication interface. And the SOAP interface has yet another
interface. It is partially given by the fact that all the protocols have
their specifics. But another reason is that Java world (and IT world in
general) tends to reinvent the wheel over and over again.
The bottom line is that you can use the Spring Security modules for GUI
authentication. But as far as I know there is no simple way to use
the same modules for REST authentication. Perhaps the best solution here
would be to implement OAuth support for our REST interface. There are
some REST interface improvements already planned for midPoint 3.6. But
as far as I remember no midPoint subscriber or sponsor has endorsed the
OAuth support therefore this is not even in the roadmap yet. As usual,
you have several options:
https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
Of course, it is possible to use a single "technical" user in the "SSO
gateway" (definitely NOT in the front-end). However this is far from
being ideal. MidPoint is designed to quite strictly use the identity of
the logged-in user in all the actions. Using a single "proxy" user may
have impact on the authorizations, workflows, features such as "deputy"
and especially on the audit logging. It may be OK as a short-term hack.
But it is not very good as a long-term solution.
--
Radovan Semancik
Software Architect
evolveum.com
On 12/08/2016 10:43 AM, Pertti Kellomäki wrote:
> Hi Petr,
>
> 8.12.2016, 10:51, Petr Gašparík - AMI Praha a.s. kirjoitti:
>
>> REST API does not work with browser, so what is the concept of "SSO"
>> here?
>
> The setup is that there is an existing web application where the user
> interacts with the application using a browser. The application uses
> an external identity provider to authenticate the user, and the calls
> to the midPoint REST api come from the backend of the application.
> There is a 1:1 correspondence between users in the identity provider
> and users in midPoint. "SSO" may not be the technically correct term
> here, but anyway I would like to let the application backend use
> midPoint REST api as the authenticated user. There is an Apache httpd
> in front of midPoint, so it can be used for verifying tokens or
> similar tasks.
>
> Pertti
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
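The setup Pertti describes (an identity provider in front, a 1:1 user mapping, and a backend calling midPoint's REST interface through a gateway) and the single "technical" user Radovan mentions as a short-term hack can be sketched in a few lines. The following is an added example and not code from midPoint, Evolveum or either poster; the HS256 token format, the `X-Gateway-Initiator` header, the `/rest/users` path and the secret are all assumptions made here for illustration. It shows the one thing the thread warns about: once the gateway calls midPoint as one proxy account, the real initiator survives only in the gateway's own audit trail, not in what midPoint authenticates and records.

```python
"""Added example (not midPoint's or Evolveum's code): a minimal "SSO gateway"
between a web application backend and a REST service such as midPoint.

Assumptions (hypothetical, not taken from the thread):
- the identity provider issues HS256-signed JWTs with a `sub` claim;
- REST-side user names equal the IdP `sub` (the 1:1 mapping described);
- all REST calls authenticate as one "technical" account, so the gateway
  has to keep its own record of who really triggered each call.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_SECRET = b"constructed-demo-secret"   # shared HMAC key (constructed)
TECHNICAL_USER = "rest-gateway"           # the single proxy account (assumed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, secret: bytes = IDP_SECRET, ttl: int = 300, now=None) -> str:
    """Stand-in for the identity provider: mint an HS256 JWT (constructed)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = IDP_SECRET, now=None) -> str:
    """Check signature and expiry; return the subject or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # refuse "none" and other algs
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    subject = payload.get("sub")
    if not subject:
        raise ValueError("missing sub")
    return subject


def build_rest_call(token: str, method: str, path: str, audit: list, now=None) -> dict:
    """Verify the caller, then describe the outbound REST request.

    The request authenticates as TECHNICAL_USER, which is the identity the
    REST service sees and would write to its own audit log. The real
    initiator is kept only in the gateway's audit list (and in a
    hypothetical header the service does not interpret), which is the
    limitation of the proxy-user approach.
    """
    subject = verify_token(token, now=now)
    rest_user_for_initiator = subject         # 1:1 mapping, assumed
    audit.append({"initiator": rest_user_for_initiator, "method": method, "path": path})
    return {
        "method": method,
        "path": path,
        "rest_user": TECHNICAL_USER,
        "headers": {"X-Gateway-Initiator": rest_user_for_initiator},  # hypothetical
    }


if __name__ == "__main__":
    trail = []
    t = issue_token("alice")
    print(build_rest_call(t, "GET", "/rest/users", trail))   # path is a placeholder
    print(trail)
```

The gateway's `audit` list is the only place where "alice" is linked to the call; whatever the REST service logs will name the technical account, which is why the thread treats this as a stop-gap rather than a design.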