Skip to content

v4.1.0 #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

v4.1.0 #65

wants to merge 5 commits into from

Conversation

MBueschelberger
Copy link
Member

  • Add service account login
  • Refactor Re-authentication
  • Update documentation

yoavnash
yoavnash reviewed Oct 7, 2025
View reviewed changes
docs/dsms_sdk/dsms_config_schema.md
Comment on lines +13 to +14
| Client ID | If a service account is used to authenticate, this will proviode the Client ID in Keycloak | `Optional[SecretStr]`| `None` | `client_id` | Optional | `DSMS_CLIENT_ID`, `KEYCLOAK_DSMS_CLIENT_ID` or `KEYCLOAK_CLIENT_ID` |
| Client Secret | If a service account is used to authenticate, this will proviode the Client Secret in Keycloak | `Optional[SecretStr]`| `None` | `client_secret` | Optional | `DSMS_CLIENT_SECRET`, `KEYCLOAK_DSMS_CLIENT_SECRET` or `KEYCLOAK_CLIENT_SECRET` |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain why did you add these variables? To avoid using the DSMS admin user? Does it mean we need to share this client secret to all users?

Copy link
Member Author

@MBueschelberger MBueschelberger Oct 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The DSMS Admin user is a hack which we identified to remove. It can also cause problems with the 2FA during internal processes in the backend. One instead can simply authenticate through the client secret with the serivce account, which is automatically enabled in Keycloak for each client.

I do not understand where you got the impression from that we are sharing the client secret with all users. The user has the ability to authenticate with ONE of the following options:

  • username/password
  • JWT
  • client id/client secret

The latter one does not get exposed when using the first two one. The only place where we are using the third option is in the backend, where the client secret should also stay and not be exposed from.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand:

  • Where in the code we replaced the admin user with the confidential client
  • Why do we need to add a new authentication method with client id/client secret

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We agreed on this three weeks ago!

See your message

Copy link
Member Author

@MBueschelberger MBueschelberger Oct 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We did not replace anything in the backend, one authenticates with Keycloak directly.

Kirankumaraswamy and others added 2 commits October 8, 2025 10:36
@Kirankumaraswamy
support reverse attribute in relation mapping (#66)
6faf280 
* support reverse attribute in relation mapping

* update name to inverse

---------

Co-authored-by: Kiran Kumaraswamy <kiran.kumaraswamy@iwm.fraunhofer.de>
@MBueschelberger
set upper range for pydantic version
495f18d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yoavnash yoavnash yoavnash left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MBueschelberger @yoavnash @Kirankumaraswamy