Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement ReportStream AUTH-Z API #14601

Open
3 tasks
arnejduranovic opened this issue Jun 3, 2024 · 7 comments · May be fixed by #16495
Open
3 tasks

Implement ReportStream AUTH-Z API #14601

arnejduranovic opened this issue Jun 3, 2024 · 7 comments · May be fixed by #16495
Assignees
@jalbinson
Labels
platform Platform Team Spillover-Underestimated Effort Work turned out to be more complex or time-consuming than initially estimated.

Comments

@arnejduranovic
Copy link
Collaborator

arnejduranovic commented Jun 3, 2024
edited
Loading

User Story

As a stakeholder of ReportStream, I want a SECURE, RELIABLE, and SCALABLE way to handle incoming authentication and authorization requests, so that we can minimize potential of ReportStream AUTH bringing the system down or introducing security defects.

Description/Use Case

Presently, ReportStream has what is essentially a custom authorization server coupled with the backend application. It is easier, cleaner, and more secure and reliable to move to using authorization servers provided by Okta. Okta provides facilities for managing client OAuth2.0 public/private keys as well as scopes, claims, and permissions. Okta Authorization servers are able verify that a client actually has permissions to certain requested scopes, so all that logic can move out of ReportStream and the Auth service. Once the authz server verifies the bearer token with an Okta API call, RS can trust the scopes/claims in the token.

MIGRATION PLAN: Services/Azure Functions can be updated to use the new auth service as needed. Once all are updated, the old Auth code can be deleted.

Risks/Impacts/Considerations

  • Auth service and/or Okta going down will make ReportStream inaccessible

Dev Notes

The implementation details of this service have (mostly) been thought through. Please see the AUTH section in the UP Software Requirements Document.

  • The main pieces to work on are as follows
    • Remotely validate access token against Okta
    • Read Okta groups from Admin API if it is an application user (AKA a sender)
    • Create signed JWT with those groups as a custom claim
    • Pass access token and JWT in a custom header to a downstream service
    • Verify access token locally in downstream service and ensure "sender" scope present
    • Read okta groups JWT, verify its signature, and verify that the groups contained allow the sender to submit reports

Acceptance Criteria

  • Auth Service (Azure Function in the main RS Kotlin App) implemented per the SRD. Any changes to SRD reviewed and Approved by @arnejduranovic
  • Authorization implemented for Submission Microservice
  • Unit tests
@arnejduranovic arnejduranovic added platform Platform Team ready-for-refinement Ticket is a point where we can productively discuss it labels Jun 3, 2024
@Andrey-Glazkv
Copy link
Collaborator

Hey team! Please add your planning poker estimate with Zenhub @adegolier @arnejduranovic @brick-green @david-navapbc @jack-h-wang @jalbinson @JFisk42 @mkalish @thetaurean

@Andrey-Glazkv
Copy link
Collaborator

Hey team! Please add your planning poker estimate with Zenhub @adegolier @brick-green @david-navapbc

@Andrey-Glazkv
Copy link
Collaborator

Hey team! Please add your planning poker estimate with Zenhub @adegolier @brick-green

@arnejduranovic arnejduranovic added pre-grooming Needs refinement before it is ready to be groomed by the team and removed ready-for-refinement Ticket is a point where we can productively discuss it labels Jul 22, 2024
@arnejduranovic
Copy link
Collaborator Author

@jalbinson please update once SRD and design note are approved if needed.

@arnejduranovic arnejduranovic mentioned this issue Oct 18, 2024
Closed
@arnejduranovic arnejduranovic added ready-for-refinement Ticket is a point where we can productively discuss it and removed pre-grooming Needs refinement before it is ready to be groomed by the team labels Oct 21, 2024
@arnejduranovic arnejduranovic changed the title Implement ReportStream AUTH API Implement ReportStream AUTH-Z API Oct 21, 2024
@MichaelEsuruoso
Copy link
Collaborator

Please add your planning poker estimate with Zenhub @david-navapbc

@MichaelEsuruoso
Copy link
Collaborator

Please add your planning poker estimate with Zenhub @kant777

@MichaelEsuruoso MichaelEsuruoso removed the ready-for-refinement Ticket is a point where we can productively discuss it label Oct 21, 2024
This was referenced Oct 21, 2024
Closed
Closed
Closed
Closed
@jalbinson
Copy link
Collaborator

Spillover reason: Additional complexity discussed with @arnejduranovic as well as some more documentation required than initially planned. As an 8 pointer though this was not surprising.

@jalbinson jalbinson added the Spillover-Underestimated Effort Work turned out to be more complex or time-consuming than initially estimated. label Nov 6, 2024
@jalbinson jalbinson linked a pull request Nov 7, 2024 that will close this issue
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jalbinson jalbinson

Labels
platform Platform Team Spillover-Underestimated Effort Work turned out to be more complex or time-consuming than initially estimated.
Projects
PRIME ReportStream Platform
Status: New items
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

14601 authorization api CDCgov/prime-reportstream
4 participants
@jalbinson @arnejduranovic @Andrey-Glazkv @MichaelEsuruoso