Audit add-on and REST Datastore

fdomenechm · December 20, 2024, 7:58am

Hi,

In the Audit add-on the Who attribute of the EntityLog entity is always the value of the spring.security.oauth2.authorizationserver.client.myclient.registration.client-id property when using REST Datastore. How can we save the actual user who made the changes?

Thnks

krivopustov · December 24, 2024, 6:24am

Hi Francesc,

That’s correct, the operations on the service are executed on behalf of the “integration user” which represents the whole client application. This is how Client Credentials Grant works.

An alternative with Resource Owner Password Credentials Grant is shown in the Separating Application Tiers guide, but it requires authentication only in the service, the client in this case does not have its own users at all.

Regards,
Konstantin

fdomenechm · January 16, 2025, 4:35pm

Hi Konstantin,

Thank you for your response. I understand the explanation regarding the use of the “integration user” for operations in the service via the Client Credentials Grant flow.

As you mention in the Jmix documentation, the Resource Owner Password Credentials Grant is not considered sufficiently secure in certain scenarios and is already deprecated in the OAuth 2.1 standard. Given this, I would like to know if there is an alternative way to log the actual user performing the modification instead of the client application itself in the Audit add-on, while ensuring compliance with OAuth 2.1 recommendations.

Could you please advise on a secure and standard approach to achieve this?

Best regards,
Francesc

krivopustov · January 20, 2025, 6:58am

Hi Francesc,

A “standard” approach for authenticating real users is to use the Authorization Code Grant or an external identity provider like Keycloak.

We haven’t implemented these scenarios for REST DataStore yet.

Also note that Password Grant is perfectly secure if you trust the client application, i.e. if you develop and deploy it yourself.

Regards,
Konstantin

krivopustov · April 17, 2025, 7:47am

We’ve published a guide that explains how to use REST DataStore and Keycloak to authenticate on the server side as the user logged in on the client side (without using the Password grant): REST DataStore with External Authentication :: Jmix Documentation.

ntha79 · April 20, 2025, 5:49pm

Thanks to the team for the great and practical example. However, with REST DataStore, it is necessary to pay attention on the Front-end when executing code under the SystemUser or AnonymousUser session to get data from Back-end.
I hope the team will complete and add this case.

krivopustov · April 22, 2025, 2:39pm

Hi Nguyen Tien Ha,

Thank you for pointing out to this problem.
Created issue: Ability to request service as system user · Issue #4376 · jmix-framework/jmix

Regards,
Konstantin