Do we need 2 authentication systems for camunda when using companies Active Directory for readonly auth?

drogba · July 22, 2021, 3:18pm

So I am planning to use my companies read only Active directory for authentication. This sounds good when someone wants to access the Webapp.

But I was thinking about securing the REST API, I cant use one of the Active directory users because they are all company employees, How to solve this problem ?

jonathan.lukas · July 22, 2021, 7:20pm

Hello @drogba ,

the REST API can use the same IdentityProvider than the Webapp, as the Authentication and Authorization is part of the engine itself.

So basically every request towards the REST API can be done by any authenticated and authorised user. The Authentication mechanism can be handled in the Filter Implementation you are using. Please find an example for this filter here:

This example is for the Spring Boot distro and used Basic HTTP Auth as mechanism.

Hope this helps

Jonathan

drogba · July 22, 2021, 11:19pm

I can understand what you are saying, if somebody wants to make a call against Camunda REST API, they can use their personal Active Directory credentials.
For example, We have an Application ABC which wants to make a REST API call against camunda. Obviously we cant use someones personal credentials to do this.

I do not know much about how company wide active directory works but can I create a system user for this purpose in the Active Directory ? That system user can be used by an application to call Camunda REST API.

By the way I have already enabled basic auth similar to what you showed.

jonathan.lukas · July 23, 2021, 5:40am

Hello @drogba ,

thank you for this update about your progress and knowledge.

Let us take this further: Does your AD support SSO, for example via OAuth2? If yes, you could use an OAuth-Filter in front of your REST API. In this way, every user can use his personal authentication AND authorization to perform API calls. Big Benefit: You can use the engines‘ native authorization mechanics. Plus: The credentials are not encoded as a header, which is good for a start but (as you wrote) a bad idea for production. The other possibility would to create a system user. If you want to do this right, create one for each application using the API. Usually, system users use API keys instead of credentials. You could then implement a filter that fits this purpose.

I hope this helps

Jonathan

system · January 30, 2024, 1:15pm