Hello everyone
We are using a Kubernetes server with firefly clients to acces our server and DB.
I understand Firefly allows HTTPS tokens for authorization but I wanted to know how this works in practice. We are using keycloak to manage logins and after that we would like to send a token to the firefly client that authorizes the user session but right now firefly allows anyone with the url to acces the server (And therefore the data)
How do you block firefly clients?

A quick answer for now: the basic RSP approach is that the ingress for the RSP cluster passes access to the Portal through an authentication gateway, Rubin’s gafaelfawr. Therefore, you can’t even get to the Portal’s actual service endpoint without being authorized. The Portal (Firefly) itself isn’t the thing you log in to.

In some other non-RSP Firefly applications we do the same thing, when we don’t want unauthorized users to even get to the Firefly application in the first place.

There is a native “login” capability in Firefly itself, but in the (IRSA) applications where it’s used directly, rather than the above mechanisms, it’s used to enable access to additional proprietary datasets, or to the “user workspace” at IRSA, rather than being a gate to using the application at all.

Can you say a bit more about what user experience you’re looking for?

What we’ve implemented is a custom login manager that restricts access to our Firefly endpoint, similar to the scenario you’re describing. We’re using Keycloak alongside a Kubernetes deployment to manage access to Firefly clients.

The main issue we encountered was that once someone gained access to the Firefly URL (e.g., unam.mx/firefly), they could access multiple Firefly clients or simply copy and share the URL with others. We weren’t blocking acces to the firefly URL

But you’re absolutely right — it hadn’t occurred to me to block the entire endpoint instead of trying to authenticate each individual session. That approach seems both simpler and more effective. Thanks!