Audit add-on and REST Datastore

Hi,

In the Audit add-on the Who attribute of the EntityLog entity is always the value of the spring.security.oauth2.authorizationserver.client.myclient.registration.client-id property when using REST Datastore. How can we save the actual user who made the changes?

Thanks

Hi Francesc,

That’s correct, the operations on the service are executed on behalf of the “integration user” which represents the whole client application. This is how Client Credentials Grant works.

An alternative with Resource Owner Password Credentials Grant is shown in the Separating Application Tiers guide, but it requires authentication only in the service, the client in this case does not have its own users at all.

Regards,
Konstantin
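To make the "integration user" point concrete, here is a toy model of the two grants mentioned above, written as an added example (it is not Jmix code and not part of the original thread). A tiny token endpoint issues HS256 JWTs for the `client_credentials` and `password` grants, and a toy resource-server side derives the audit "who" from the token's `sub` claim. The client id `myclient`, the user `francesc`, the secrets and the signing key are all constructed for the demo; a real authorization server would use its own keys and the real Jmix Audit add-on takes the user from the service's security context rather than from a claim it parses itself.

```python
"""Toy model of Client Credentials vs. Password grant and the resulting audit 'who'.
Added example, not Jmix code. All identifiers, secrets and keys below are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed registrations: one client application and one human user.
CLIENTS = {"myclient": "client-secret"}
USERS = {"francesc": "user-password"}
SIGNING_KEY = b"constructed-demo-hmac-key"  # shared by the toy auth server and resource server


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(header: dict, claims: dict) -> str:
    """Compact JWS (HS256) over the toy header and claims."""
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def token_endpoint(form: dict) -> str:
    """Toy /oauth2/token. The 'sub' claim is whoever the server actually authenticated."""
    client_id = form.get("client_id")
    if CLIENTS.get(client_id) != form.get("client_secret"):
        raise PermissionError("invalid_client")
    now = int(time.time())
    claims = {"iss": "toy-auth-server", "aud": "service", "iat": now,
              "exp": now + 300, "client_id": client_id}
    grant = form.get("grant_type")
    if grant == "client_credentials":
        # No user takes part in this grant: the principal IS the client application,
        # which is why the service only ever sees the integration user.
        claims["sub"] = client_id
    elif grant == "password":
        # Resource Owner Password Credentials: the client forwards the user's own
        # password, so the principal is the user (deprecated in the OAuth 2.1 draft).
        if USERS.get(form.get("username")) != form.get("password"):
            raise PermissionError("invalid_grant")
        claims["sub"] = form["username"]
    else:
        raise ValueError("unsupported_grant_type")
    return _sign({"alg": "HS256", "typ": "JWT"}, claims)


def verify(token: str) -> dict:
    """Toy resource-server check: signature and expiry, then return the claims."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise PermissionError("bad_signature")
    claims = json.loads(_unb64(claims_b64))
    if claims["exp"] < time.time():
        raise PermissionError("token_expired")
    return claims


def record_entity_change(token: str, entity: str, change: str) -> dict:
    """Toy audit entry: 'who' is the authenticated principal the service sees."""
    claims = verify(token)
    return {"entity": entity, "change": change,
            "who": claims["sub"], "client_id": claims["client_id"]}


if __name__ == "__main__":
    cc_token = token_endpoint({"grant_type": "client_credentials",
                               "client_id": "myclient", "client_secret": "client-secret"})
    print(record_entity_change(cc_token, "Customer", "name: A -> B"))  # who == "myclient"

    pw_token = token_endpoint({"grant_type": "password",
                               "client_id": "myclient", "client_secret": "client-secret",
                               "username": "francesc", "password": "user-password"})
    print(record_entity_change(pw_token, "Customer", "name: A -> B"))  # who == "francesc"
```

The two audit entries differ only in `who`: with the Client Credentials grant the service never learns which human triggered the change, because the token carries no user at all, so the client id is the only identity it can record.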

Hi Konstantin,

Thank you for your response. I understand the explanation regarding the use of the “integration user” for operations in the service via the Client Credentials Grant flow.

As you mention in the Jmix documentation, the Resource Owner Password Credentials Grant is not considered sufficiently secure in certain scenarios and is already deprecated in the OAuth 2.1 standard. Given this, I would like to know if there is an alternative way to log the actual user performing the modification instead of the client application itself in the Audit add-on, while ensuring compliance with OAuth 2.1 recommendations.

Could you please advise on a secure and standard approach to achieve this?

Best regards,
Francesc

Hi Francesc,

A “standard” approach for authenticating real users is to use the Authorization Code Grant or an external identity provider like Keycloak.

We haven’t implemented these scenarios for REST DataStore yet.

Also note that Password Grant is perfectly secure if you trust the client application, i.e. if you develop and deploy it yourself.

Regards,
Konstantin