Implement ReportStream AUTH-Z API

arnejduranovic commented 5 months ago

User Story

As a stakeholder of ReportStream, I want a SECURE, RELIABLE, and SCALABLE way to handle incoming authentication and authorization requests, so that we can minimize potential of ReportStream AUTH bringing the system down or introducing security defects.

Description/Use Case

Presently, ReportStream has what is essentially a custom authorization server coupled with the backend application. It is easier, cleaner, and more secure and reliable to move to using authorization servers provided by Okta. Okta provides facilities for managing client OAuth2.0 public/private keys as well as scopes, claims, and permissions. Okta Authorization servers are able verify that a client actually has permissions to certain requested scopes, so all that logic can move out of ReportStream and the Auth service. Once the authz server verifies the bearer token with an Okta API call, RS can trust the scopes/claims in the token.

MIGRATION PLAN: Services/Azure Functions can be updated to use the new auth service as needed. Once all are updated, the old Auth code can be deleted.

Risks/Impacts/Considerations

Auth service and/or Okta going down will make ReportStream inaccessible

Dev Notes

The implementation details of this service have (mostly) been thought through. Please see the AUTH section in the UP Software Requirements Document.

The main pieces to work on are as follows
- Remotely validate access token against Okta
- Read Okta groups from Admin API if it is an application user (AKA a sender)
- Create signed JWT with those groups as a custom claim
- Pass access token and JWT in a custom header to a downstream service
- Verify access token locally in downstream service and ensure "sender" scope present
- Read okta groups JWT, verify its signature, and verify that the groups contained allow the sender to submit reports

Acceptance Criteria

[ ] Auth Service (Azure Function in the main RS Kotlin App) implemented per the SRD. Any changes to SRD reviewed and Approved by @arnejduranovic
[ ] Authorization implemented for Submission Microservice
[ ] Unit tests

Andrey-Glazkv commented 5 months ago

Hey team! Please add your planning poker estimate with Zenhub @adegolier @arnejduranovic @brick-green @david-navapbc @jack-h-wang @jalbinson @JFisk42 @mkalish @thetaurean

Andrey-Glazkv commented 4 months ago

Hey team! Please add your planning poker estimate with Zenhub @adegolier @brick-green @david-navapbc

Andrey-Glazkv commented 4 months ago

Hey team! Please add your planning poker estimate with Zenhub @adegolier @brick-green

arnejduranovic commented 4 months ago

@jalbinson please update once SRD and design note are approved if needed.

MichaelEsuruoso commented 1 month ago

Please add your planning poker estimate with Zenhub @david-navapbc

MichaelEsuruoso commented 1 month ago

Please add your planning poker estimate with Zenhub @kant777

jalbinson commented 2 weeks ago

Spillover reason: Additional complexity discussed with @arnejduranovic as well as some more documentation required than initially planned. As an 8 pointer though this was not surprising.

MichaelEsuruoso commented 1 day ago

@arnejduranovic is OOO @JFisk42 will review change requested and i will close out ticket is changes checks out. (per my request)

CDCgov / prime-reportstream