You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@fineract.apache.org by "James Dailey (Jira)" <ji...@apache.org> on 2023/04/18 16:58:00 UTC

[jira] [Commented] (FINERACT-1908) Modular Security Architecture

    [ https://issues.apache.org/jira/browse/FINERACT-1908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17713660#comment-17713660 ] 

James Dailey commented on FINERACT-1908:
----------------------------------------

Let's discuss this on the listserv.  And, let's also consider the broader market conditions and solutions. 

Let's consider Spring Authentication: 

https://www.baeldung.com/spring-security-oauth-auth-server 



> Modular Security Architecture
> -----------------------------
>
>                 Key: FINERACT-1908
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1908
>             Project: Apache Fineract
>          Issue Type: Improvement
>            Reporter: Aleksandar Vidakovic
>            Assignee: Aleksandar Vidakovic
>            Priority: Major
>              Labels: FIPS
>             Fix For: 1.9.0
>
>         Attachments: FIPS-0001.pdf, image (9).png
>
>
> Background and Motivation
>  
> Our current security architecture is based on a example in Spring Security’s documentation and implemented on top of JDBC. For a long time we’ve only supported basic authentication which was later complemented with a homegrown OAuth implementation and another module for one time passwords. On the authorization side we support a straight forward RBAC (role based access control) model again implemented on top of JDBC. This approach worked for quite a while, but end users and integrators wish a more flexible solution. Effectively, we are forcing users to adapt to our current security model. In most cases they have already existing security infrastructure (e.g. ActiveDirectory/LDAP for user info storage and role assignments) and would like to integrate Fineract with it. And last, in some more advanced and more complex setups the role/permission based access concept might not be sufficient for authorization; sometimes additional information (external to Fineract) might be needed for additional evaluation. The current setup makes it at the least very hard (if not impossible) to achieve these goals.
>  
> h2. Target Personas
>  
>  * integrators
>  * end users
>  * BaaS
>  
> h2. Goals
>  
>  * separate the current security infrastructure as much as possible from Fineract’s core; i. e. make it a custom module
>  * create the OAuth Client aka Keycloak module as a drop-in replacement for the current security mechanics
>  * delegate everything authentication/authorization related to 3rd party libs/frameworks/products/services
>  * re-use 3rd party libs/frameworks/products/services user interfaces and remove corresponding views (e. g. user management) from Fineract web app
>  * as minimal refactoring as possible in the short/mid term
>  * keep backwards compatibility for a couple of major releases
>  * provide good documentation and/or automated tools for migration
>  
> h2. Non-Goals
>  
>  * Fineract as a standalone identity server
>  
> h2. Proposed API Changes
>  
> h3. AppUser
>  
> Unfortunately this class is both JPA entity class and implements Spring Security’s "User" interface. The current dependencies and usage in code is not ideal (at least when it’s business logic), but the main challenge is that the database table behind this JPA entity is related pretty much all over the place via joins.
>  
> h3. PlatformUserDetailsService
>  
> Ideally this service should not be used directly anymore in Fineract’s core.
>  
> h3. OAuth Client Auto Configuration
>  
> After years of having multiple competing OAuth packages Spring consolidated their efforts in two libraries:
>  
> {color:#000000}implementation "org.springframework.boot:spring-boot-starter-oauth2-client"{color}
> {{implementation "org.springframework.boot:spring-boot-starter-oauth2-resource-server"}}
>  
> Especially the Keycloak configuration is very easy (3 lines in application.properties).
>  
> h3. BCrypt Support Module for Keycloak
>  
> Unfortunately Keycloak doesn’t support BCrypt hashing for passwords out of the box, but BCrypt is widely used in Spring Boot applications and the default for Fineract. It’s very easy to create an extension module for Keycloak to supprot BCrypt too; that way we can migrate existing user accounts out of Fineract’s database tables without forcing everyone to reset their passwords. Not a strict technical requirement, but helps to smooth the transition.
>  
> h3. Open Policy Agent integration
>  
> To my knowledge there is no official Spring Security module/support for Open Policy Agent. Doesn’t really matter that much, because the communication with the OPA server is pretty much handled via one endpoint (again, for Java there is no official client, but the implementation is easy). Enforcing the OPA rules happens then with a Spring Security Voter. Some more thought needs to go into what information we send to OPA. At the least we would need:
>  * user name
>  * authorities/roles
>  * service name and function name that is being executed
>  * optional: parameters that are passed to the function
> It should be possible to intercept these calls with minimal coding effort via annotations and aspect oriented programming.
>  
> h2. Risks
>  
> TBD
>  
> h2. ETA
>  
> TBD
> h2. Diagrams
> !image (9).png|width=975,height=1168!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)