This document specifies permissions, roles, Keycloak configuration, etc.
The planned authentication provider is a Keycloak server. The security policy derives from its functionality.
The realm defines the following roles:
- Composite role, provides admin role in all clients.
- Composite role, provides user role in all clients.
Users can self-register using the Keycloak form, or they can log in through a configured identity provider.
Keycloak supports a local strategy, but also provides a list of identity providers:
- GitHub (already supported)
- Google (planned)
- Facebook (planned)
Use of custom attributes is planned; they will be managed with a service account. Proper mappers will be configured so that those attributes are always present in the token claims.
Attribute for program moderators, professors and assistants. Provides an array of program IDs for which the user has permission to moderate. The attribute is meant to supplement a specific role.
Key | Value |
---|---|
Client ID | backend-service |
Type | Confidential |
Platform | REST API |
The client provides a number of roles:
- user
- verified_user
- professor
- assistant
- program_mod
- global_mod
- admin
More on the Backend service page.
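
The following is an added example, not code from this project: one way the backend could combine a `backend-service` client role with the program-ID attribute, denying access when either is missing or malformed. The claim name `moderated_programs` is hypothetical (the page does not name the attribute), program IDs are assumed to compare as strings, and the sample token payload is constructed.

```python
# Added example: checks run on claims from an access token whose signature,
# issuer and expiry were ALREADY verified by the JWT library in use.
CLIENT_ID = "backend-service"
PROGRAM_CLAIM = "moderated_programs"  # hypothetical claim name (assumption)
# Roles that the program-ID attribute supplements, per the attribute description.
SCOPED_ROLES = frozenset({"program_mod", "professor", "assistant"})


def client_roles(claims, client_id=CLIENT_ID):
    """Roles granted for one client, read from resource_access.<client>.roles."""
    access = claims.get("resource_access")
    entry = access.get(client_id) if isinstance(access, dict) else None
    roles = entry.get("roles") if isinstance(entry, dict) else None
    if not isinstance(roles, list):
        return frozenset()
    return frozenset(r for r in roles if isinstance(r, str))


def scoped_programs(claims):
    """Program IDs from the custom claim; empty if absent or not an array."""
    value = claims.get(PROGRAM_CLAIM)
    if not isinstance(value, list):
        return frozenset()  # fail closed: a bare string or null grants nothing
    return frozenset(
        str(v) for v in value
        if isinstance(v, (str, int)) and not isinstance(v, bool)
    )


def may_act_on_program(claims, program_id, required_role):
    """Allow only when the client role AND the matching program ID are present."""
    if required_role not in SCOPED_ROLES:
        raise ValueError("role is not program-scoped: " + required_role)
    if required_role not in client_roles(claims):
        return False
    return str(program_id) in scoped_programs(claims)


# Constructed sample payload for illustration only.
SAMPLE_CLAIMS = {
    "sub": "constructed-user-id",
    "resource_access": {
        "backend-service": {"roles": ["user", "verified_user", "program_mod"]},
    },
    "moderated_programs": ["12", "40"],
}
```

Reading roles only from the `backend-service` entry keeps a role granted in another client or at realm level from satisfying the check by name alone.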
Key | Value |
---|---|
Client ID | web-client |
Type | Public |
Platform | Web/HTML5 |
The client provides no additional roles.
More on the Web client page.