Authenticator not switching role

[chirdeeptomar]

I have configured PostgREST with Keycloak for application users and Basic auth for service accounts. I have working Keycloak and working basic auth on /rpc/login.

I have backend service written in Python using postgrest-py which is making a call to a rest endpoint using basic auth like so:

async with PostgrestClient(POSTGREST_API_URL) as client:

        r = (
            await client.auth(
                token=None,
                username=POSTGREST_USERNAME,
                password=POSTGREST_PASSWORD,
            )
            .from_("followers")
            .select("follower_id")
            .eq("user_id", user_id)
            .execute()
        ) 

Permissions for role 'publisher' on table followers.

nxgen-db=# \z followers
                                   Access privileges
 Schema |   Name    | Type  |     Access privileges      | Column privileges | Policies
--------+-----------+-------+----------------------------+-------------------+----------
 public | followers | table | postgres=arwdDxt/postgres +|                   |
        |           |       | publisher=arwdDxt/postgres |                   |
(1 row)

Roles

   Role name   |                         Attributes                         |             Member of

---------------+------------------------------------------------------------+-----------------------------------
 authenticator | No inheritance                                             | {web_anon,publisher}

PostgREST is falling back to the anon user and not considering this an authenticated call. Unable to figure out whether it's an issue with PostgREST or the Python library.

Help much appreciated!

[steve-chavez]

token=None,

Seems there's no token passed so it makes sense that postgrest defaults to anon.

Unable to figure out whether it's an issue with PostgREST or the Python library.

Most likely the lib, switching roles is well tested as of now. You can try making plain http calls to confirm(send the Authorization header with curl).

[chirdeeptomar]

Thanks Steve, So I tried your suggestion, I am still not successful.

Library expects token as None even if Basic Auth is the mode of authentication but disregards the Token and just follows the Basic Auth logic path with username and password.

BASE64 encoded the username and password in format like so:

echo -n "[email protected]:123publish" | base64

curl -i \ -H 'Accept:application/json' \ -H 'Authorization:Basic cHVibGlzaGVyQHN5c3RlbS5jb206MTIzcHVibGlzaA==' \ http://127.0.0.1:3000/followers

Output

HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
Date: Fri, 20 Aug 2021 12:29:21 GMT
Server: postgrest/8.0.0
Content-Type: application/json; charset=utf-8
WWW-Authenticate: Bearer

{"hint":null,"details":null,"code":"42501","message":"permission denied for table followers"}

[wolfgangwalther]

curl -i \ -H 'Accept:application/json' \ -H 'Authorization:Basic cHVibGlzaGVyQHN5c3RlbS5jb206MTIzcHVibGlzaA==' \ http://127.0.0.1:3000/followers

This will not work with PostgREST. PostgREST does not support "Basic" Authorization. You need to use "Bearer" Authorization, i.e. send a token.