feat: modify implementation of internal and third-party integration

tutorials/09-security/a.internal-system/.env.example

@@ -1,57 +1,29 @@
 # Identity Provider Configuration
-IDP_TYPE=okta  # okta, azure, google, keycloak
-IDP_DOMAIN=your-domain.okta.com  # For Okta: your-domain.okta.com, For Azure: tenant-id
-IDP_CLIENT_ID=your_client_id
-IDP_CLIENT_SECRET=your_client_secret
-IDP_REDIRECT_URI=http://localhost:8080/callback
-IDP_SCOPES=openid profile email groups
+IDP_TYPE=your-idp-type
+IDP_DOMAIN=your-domain.com
+IDP_PROTOCOL=http
+IDP_REALM=your-realm
+IDP_CLIENT_ID=your-client-id
+IDP_CLIENT_SECRET=your-client-secret
 
 # JWT Configuration
 JWT_SECRET_KEY=your-super-secret-jwt-key-change-this-in-production
-JWT_ALGORITHM=HS256  # HS256 or RS256
-TOKEN_EXPIRY_MINUTES=60
-JWT_ISSUER=internal-rbac-proxy
-JWT_AUDIENCE=internal-mcp-server
+JWT_ALGORITHM=RS256
+JWT_AUDIENCE=your-audience
+JWT_ISSUER=your-issuer
+JWKS_URI=your-jwks-uri
 
-# Database Configuration
-DB_TYPE=sqlite  # sqlite, postgresql, mongodb
-DATABASE_URL=data/internal_system.db  # For SQLite: path, For PostgreSQL: postgresql://user:pass@host:port/db
-
-# RBAC Configuration
-ROLE_MAPPINGS_FILE=config/role_mappings.yaml
-AUDIT_ENABLED=true
-
-# Server Configuration
-RBAC_PROXY_URL=http://localhost:8080
-PROXY_HOST=0.0.0.0
-PROXY_PORT=8080
-DEBUG=false
-
-# Optional JWKS URL (for RS256 validation)
-JWKS_URL=http://localhost:8080/auth/jwks
+# RBAC Proxy Configuration
+PROXY_PORT=your-proxy-port
+RBAC_PROXY_URL=your-rbac-proxy-url
+IDP_REDIRECT_URI=your-idp-redirect-uri
 
-# Example configurations for different IdPs:
-
-# Okta Configuration:
-# IDP_TYPE=okta
-# IDP_DOMAIN=dev-12345.okta.com
-# IDP_CLIENT_ID=0oa1a2b3c4d5e6f7g8h9
-# IDP_CLIENT_SECRET=abcdef1234567890
-
-# Azure AD Configuration:
-# IDP_TYPE=azure
-# IDP_DOMAIN=12345678-1234-1234-1234-123456789012  # Tenant ID
-# IDP_CLIENT_ID=12345678-1234-1234-1234-123456789012
-# IDP_CLIENT_SECRET=abcdef1234567890
+# Database Configuration
+DB_TYPE=your-db-type
+DATABASE_URL=your-database-url
 
-# Google Workspace Configuration:
-# IDP_TYPE=google
-# IDP_DOMAIN=accounts.google.com
-# IDP_CLIENT_ID=123456789012-abcdefghijklmnop.apps.googleusercontent.com
-# IDP_CLIENT_SECRET=abcdef1234567890
+# Client Configuration
+CLIENT_REDIRECT_URI=your-client-redirect-uri
 
-# Keycloak Configuration:
-# IDP_TYPE=keycloak
-# IDP_DOMAIN=keycloak.company.com
-# IDP_CLIENT_ID=internal-system-client
-# IDP_CLIENT_SECRET=abcdef1234567890
+#MCP Server URL
+MCP_SERVER_URL=your-mcp-server-url

tutorials/09-security/a.internal-system/config/role_mappings.yaml

@@ -10,6 +10,7 @@ roles:
   # HR roles
   hr_admin:
     scopes: 
+      - "db:read:public"
       - "db:read:employee"
       - "db:write:employee"
       - "api:hr:*"
@@ -18,13 +19,15 @@ roles:
 
   hr_user:
     scopes:
+      - "db:read:public"
       - "db:read:employee"
       - "api:hr:read"
     description: "HR user access - can read employee data (no salary info)"
 
   # Finance roles
   finance_admin:
     scopes:
+      - "db:read:public"
       - "db:read:financial"
       - "db:write:financial"
       - "api:finance:*"
@@ -33,13 +36,15 @@ roles:
 
   finance_user:
     scopes:
+      - "db:read:public"
       - "db:read:financial"
       - "api:finance:read"
     description: "Finance user access - can read financial data"
 
   # IT roles
   it_admin:
     scopes:
+      - "db:read:public"
       - "db:read:system"
       - "db:write:system"
       - "api:system:*"
@@ -49,6 +54,7 @@ roles:
 
   it_user:
     scopes:
+      - "db:read:public"
       - "db:read:system"
       - "api:system:read"
     description: "IT user access - can read system logs and data"