
Disable an authentication method in the Angular front end without disabling it in the REST back end #3336

Open
bram-atmire opened this issue Sep 20, 2024 · 2 comments
Labels
authentication: general general authentication issues help wanted Needs a volunteer to claim to move forward new feature

Comments

@bram-atmire (Member)

Is your feature request related to a problem? Please describe.

Let's say you are an institution with strict security policies that only allow SSO login through the web front end.
However, at the same time, you have important back end integrations that rely on password auth (local DSpace accounts).

In this situation it would be desirable to turn off the user interface components for password login, while still keeping the authentication method active on the back end.

Right now, the enabled authentication methods are only configured on REST, and there are no separate configuration options to turn off a specific authentication method in the front end.

Describe the solution you'd like

It should be possible to turn off a specific authentication method in the Angular front end, even when it's enabled in the back end.

@bram-atmire bram-atmire added new feature needs triage New issue needs triage and/or scheduling labels Sep 20, 2024
@github-project-automation github-project-automation bot moved this to 🆕 Triage in DSpace Backlog Sep 20, 2024
@tdonohue tdonohue added authentication: general general authentication issues help wanted Needs a volunteer to claim to move forward and removed needs triage New issue needs triage and/or scheduling labels Sep 20, 2024
@tdonohue tdonohue moved this to 📋 To Do in DSpace 9.0 Release Sep 20, 2024
@abollini (Member)

Hi @bram-atmire, I understand the business need, but the proposed approach seems to me more like a workaround with security implications than a real solution.
Usually, applications that offer a REST API for integration provide one or both of the following solutions:

  • an OAuth2-compliant REST API, so that a machine can also get permission from a user to interact with the application on their behalf
  • support for Long-Lived Tokens / Machine Tokens

Support for Machine Tokens has been implemented in DSpace-CRIS; in my opinion, it would be the solution to this specific business need.

@bram-atmire (Member, Author)

I agree 100% that in an ideal world, integrators should use the most secure and most modern authentication methods.

But (backwards) compatibility is the reality: the two most important platforms that we need to integrate with, Pure (Elsevier) and Elements (Symplectic), only support password authentication for the API right now, so as long as they don't have a different method available, we need to at least make a best effort to continue to support this.
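To make concrete what the request in the issue body asks for, and why @abollini calls a front-end-only toggle a workaround with security implications, here is an added example that is not code from this issue, from dspace-angular, or from DSpace-CRIS. It models the mechanism the Angular front end uses to learn which authentication methods the back end has enabled: the REST API advertises them in a `WWW-Authenticate` challenge header on the authn status endpoint. The header shape below is modelled on what the DSpace 7 REST API sends, but the sample header value, the hypothetical `FRONTEND_HIDDEN_METHODS` setting, and all function names are constructed for illustration and do not exist in the project. The point the code makes is the one the thread raises: filtering the list in the UI changes what the login page renders, but the set of methods the REST login endpoint will still accept is unchanged.

```python
import re

# Constructed sample. Its shape follows the WWW-Authenticate header the
# DSpace 7 REST API returns on GET /api/authn/status, which lists every
# authentication method enabled on the back end. Host and paths are made up.
SAMPLE_WWW_AUTHENTICATE = (
    'shibboleth realm="DSpace REST API", '
    'location="https://repo.example.org/server/api/authn/shibboleth'
    '?redirectUrl=https://repo.example.org/", '
    'password realm="DSpace REST API"'
)

# Hypothetical front-end setting for the feature requested in this issue:
# methods the Angular UI should hide. Not an existing DSpace config key.
FRONTEND_HIDDEN_METHODS = {"password"}

# One challenge: a method token, whitespace, then one or more name="value"
# parameters separated by commas. Because values are matched with [^"]*,
# commas inside a quoted location URL do not split a challenge.
CHALLENGE_RE = re.compile(
    r'([A-Za-z0-9_-]+)\s+((?:[A-Za-z0-9_-]+="[^"]*"(?:\s*,\s*)?)+)'
)
PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)="([^"]*)"')


def parse_www_authenticate(header):
    """Return {method: {param: value}} for every challenge in the header.

    The method name is lower-cased; parameters keep their original values.
    """
    methods = {}
    for name, params in CHALLENGE_RE.findall(header):
        methods[name.lower()] = dict(PARAM_RE.findall(params))
    return methods


def ui_visible_methods(backend_methods, hidden):
    """What the login page would render if the front end filtered locally.

    This is the behaviour the issue asks for: a UI-side allow/deny list
    applied on top of whatever the back end advertises.
    """
    return {m: p for m, p in backend_methods.items() if m not in hidden}


def hidden_but_still_active(backend_methods, hidden):
    """The security-relevant gap.

    Every method in this set is absent from the UI but still enabled on
    the back end, so a direct request to the REST login endpoint using it
    is still accepted. Hiding a method in the Angular UI is therefore a
    usability control, not an authentication control.
    """
    return set(backend_methods) & set(hidden)


if __name__ == "__main__":
    backend = parse_www_authenticate(SAMPLE_WWW_AUTHENTICATE)
    print("advertised by REST  :", sorted(backend))
    print("rendered by UI      :", sorted(ui_visible_methods(backend, FRONTEND_HIDDEN_METHODS)))
    print("hidden, still active:", sorted(hidden_but_still_active(backend, FRONTEND_HIDDEN_METHODS)))
```

Run as a script, the example reports that the REST API advertises both `shibboleth` and `password`, the UI would render only `shibboleth`, and `password` is hidden but still active. That last line is the caveat for anyone adopting the requested feature: the institution's policy of SSO-only interactive login is enforced by the UI, while the back end continues to accept password logins from any HTTP client, so the local accounts used by Pure or Elements integrations still need the usual protections (strong credentials, scoped permissions, and monitoring of password logins from unexpected sources).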

Projects
Status: 📋 To Do
Development

No branches or pull requests

3 participants