Trellis User Management

28 views
Skip to first unread message

Fred Hauschel

unread,
Jul 20, 2020, 3:48:53 PM7/20/20
to Trellis LDP
Hi, i didn't find how to managing users with trellis.
There is a documentation for Authentication but i didn't understand how to register users.

I also have no id how the web id is sent. In the example there is:

is this the string, that has to be base64encoded ?? and the send as JWT Bearer token?

Best regards
Fredy

Aaron Coburn

unread,
Jul 20, 2020, 5:18:25 PM7/20/20
to trell...@googlegroups.com
User management is typically decoupled from resource management in Trellis. Yes, you can use basic auth and add users to a configuration file, but outside of local testing, I would never recommend using basic auth. The better mechanism follows an OAuth2/OpenID Connect model.

So, let's say you're using KeyCloak or Auth0 or Ping or Cognito (or any other OIDC-based auth system). Users will be managed in that external system, and that remote system will provide access tokens in the form of signed JWTs. That remote identity provider will also provide a URL where the public portion of its signing key(s) is located. These JWKS resources might look something like this: https://trellisldp.auth0.com/.well-known/jwks.json

The Trellis server then needs to be configured to trust that identity provider. For this, I would highly recommend using the trellisldp/trellis-postgresql docker image, (it looks like the trellisldp/trellis docker container isn't set up for asymmetric remote key validation via configuration).

The relevant portion of the docker compose file would be something like this (it's a little different than the one you have been using because it uses a different (i.e. better) application platform):

    image: trellisldp/trellis-postgresql:latest
    environment:
      QUARKUS_DATASOURCE_USERNAME: trellis
      QUARKUS_DATASOURCE_PASSWORD: trellis
      QUARKUS_DATASOURCE_JDBC_URL: jdbc:postgresql://db/trellis
      # Add the JWKS location to the property below
      MP_JWT_VERIFY_PUBLICKEY_LOCATION: <https://identity.provider.example/jwks>

Once that is set up, your clients would interact with the identity provider to generate access tokens -- you might use either an authorization code flow (if the client is browser based) or client credentials flow (for CLI applications). Those JWT access tokens are passed to the Trellis server for authentication using the Authorization header. The WebID is formed by combining the issuer claim with the subject claim. For example, if the issuer is https://identity.example/ and the subject is acoburn, then the webid would be https://identity.example/acoburn.

That webid can be used in combination with the authorization system which is described in more depth at https://github.com/trellis-ldp/trellis/wiki/Authorization

Hope that helps,
Aaron
 

--
You received this message because you are subscribed to the Google Groups "Trellis LDP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to trellis-ldp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/trellis-ldp/3edad02d-03fb-4606-9147-6d16cce1c74an%40googlegroups.com.

SoftwareEngineering Hauschel

unread,
Jul 22, 2020, 12:15:45 PM7/22/20
to trell...@googlegroups.com
Thank you very much! i will try to understand everything. And sorry for the late answer! I hope to find time these days.
Great work, great support! Thanks!
Fredy

You received this message because you are subscribed to a topic in the Google Groups "Trellis LDP" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/trellis-ldp/U6fup87gld4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to trellis-ldp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/trellis-ldp/CAD4uyLdnDjZJwMi7pietmou%3DYM5vq_NrFDD-PqKwQRZ9PwVyXg%40mail.gmail.com.


--
Mit freundlichen Grüßen
Fred Robert Hauschel
+49 179 6917092

Mein Strom kommt von http://www.naturstrom.de. Für eine saubere Zukunft!
Der Umstieg ist jederzeit völlig problemlos möglich: http://www.atomausstieg-selber-machen.de.

Aaron Coburn

unread,
Jul 22, 2020, 12:51:44 PM7/22/20
to trell...@googlegroups.com
OAuth2 and OpenID Connect can sometimes be complicated to wrap one's head around. It involves a lot of specific terminology and many different moving parts. One of my favorite talks on the subject was Justin Richer's Identiverse presentation from a few years ago: https://www.youtube.com/watch?v=egfyV2NV9Mw (it's over two hours in length, but it's well worth the time). Auth0 also has some excellent documentation: https://auth0.com/docs/protocols/oidc and https://auth0.com/learn/json-web-tokens/. When you start using JWT-based access tokens, you should also pay attention to the security best practices for using JWTs: https://auth0.com/docs/best-practices/token-best-practices (e.g. for browser-based apps, never store them in localStorage/sessionStorage)

Aaron




Reply all
Reply to author
Forward
0 new messages