User Story
As a stakeholder of ReportStream,
I want a SECURE, RELIABLE, and SCALABLE way to handle incoming authentication and authorization requests,
so that we can minimize the potential for ReportStream AUTH to bring the system down or introduce security defects.
Description/Use Case
Presently, ReportStream has what is essentially a custom authorization server coupled to the backend application. The program should move to a more streamlined, microservice-appropriate auth solution. The new AUTH service design is detailed in the UP Software Requirements Document, but it still needs to be evaluated to determine whether it is the best approach. We need to weigh this design as-is against other possible solutions and determine a path forward.
A common pattern in microservice architectures is a proxy (API gateway) in front of the services that performs AUTH and ROUTING, so that token validation happens once at the edge instead of in every service. Two properties make the pattern safe and should be part of the evaluation: the backend services must be reachable only through the proxy, and the proxy must validate tokens itself (signature, expiry, issuer, audience) rather than trusting anything the client asserts. This pattern should be evaluated, as should potential use of CDC's Application Gateway project.
Some additional things that should be evaluated:
One idea to investigate is using Azure Application Gateway together with Azure identity management (presumably Azure AD / Microsoft Entra ID with managed identities) for machine-to-machine auth, in which case we would not use Okta at all. Alternatively, can Okta integrate with Azure identity management? The big question: is there a way to implement auth without writing our own auth service?
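To make the "proxy does AUTH and ROUTING" pattern concrete for the evaluation, the block below is an added example written for this issue; it is not ReportStream code and not code from Azure Application Gateway or CDC's Application Gateway project. The issuer, audience, route table, scope names, header names and shared secret are all hypothetical. It signs and verifies HS256 tokens with a shared secret only so that it runs offline; a real gateway would verify the IdP's RS256 signatures against its published JWKS (Okta or Entra ID) and never hold a signing secret itself.

```python
"""Minimal auth-and-routing proxy in the style the issue describes (added example, not ReportStream code).
Tokens are HS256 JWTs under a shared secret so this runs offline; a production gateway would
verify RS256 tokens against the IdP's published JWKS (Okta or Microsoft Entra ID) instead."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional

SHARED_SECRET = b"example-only-shared-secret"      # constructed for the demo
EXPECTED_ISSUER = "https://idp.example.invalid/"   # hypothetical issuer
EXPECTED_AUDIENCE = "reportstream-api"             # hypothetical audience
IDENTITY_HEADER_PREFIX = "X-Authenticated-"        # backends trust these; only the gateway sets them

# Hypothetical route table: path prefix -> (upstream service, scope the route requires).
ROUTES = {
    "/api/reports": ("reports-svc", "reports:write"),
    "/api/lookup": ("lookup-svc", "lookup:read"),
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint a demo token. In the target design the IdP mints tokens, never the gateway."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, now: int, secret: bytes = SHARED_SECRET) -> dict:
    """Return the claims or raise ValueError: pins alg, then checks sig, exp, iss, aud, sub."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    try:
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError as exc:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all subclass it
        raise ValueError("undecodable token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # never let the token pick the alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


@dataclass
class Decision:
    status: int              # status returned to the caller (200 means forwarded)
    upstream: Optional[str]  # service the request is routed to, if any
    headers: Dict[str, str]  # headers forwarded to that service


def gateway(path: str, headers: Dict[str, str], now: int) -> Decision:
    """Authenticate, authorize and route one request; every rejection stops at the proxy."""
    # Routing: longest matching prefix; paths outside the table never reach a backend.
    matches = [pfx for pfx in ROUTES if path == pfx or path.startswith(pfx + "/")]
    if not matches:
        return Decision(404, None, {})
    upstream, required_scope = ROUTES[max(matches, key=len)]
    # Authentication: the bearer token is validated once, here, for every service.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if not auth.startswith("Bearer "):
        return Decision(401, None, {})
    try:
        claims = verify_token(auth[len("Bearer "):].strip(), now)
    except ValueError:
        return Decision(401, None, {})
    # Authorization: the route table, not each service, says which scope is needed.
    if required_scope not in str(claims.get("scope", "")).split():
        return Decision(403, None, {})
    # Forwarding: drop the client's own identity headers (spoofing) and the raw token,
    # then assert identity from the verified claims.
    forwarded = {k: v for k, v in headers.items()
                 if k.lower() != "authorization" and not k.lower().startswith(IDENTITY_HEADER_PREFIX.lower())}
    forwarded[IDENTITY_HEADER_PREFIX + "Subject"] = str(claims["sub"])
    forwarded[IDENTITY_HEADER_PREFIX + "Scopes"] = str(claims.get("scope", ""))
    return Decision(200, upstream, forwarded)
```

Calling `gateway("/api/reports/submit", {"Authorization": "Bearer " + tok, "X-Authenticated-Subject": "admin"}, now)` with `tok` from `sign_token(...)` returns a 200 decision routed to `reports-svc` whose forwarded `X-Authenticated-Subject` comes from the verified token, not from the spoofed inbound header; an expired token, a token signed under another key, a missing scope or an unlisted path is rejected at the proxy with 401, 403 or 404 and never reaches a service. Whatever product is chosen (Azure Application Gateway, CDC's Application Gateway, or a custom service), these are the behaviours to check for: algorithm pinning, signature plus exp/iss/aud validation, scope-per-route, stripping of client-supplied identity headers, and no network path to the backends that bypasses the proxy.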
Risks/Impacts/Considerations
Dev Notes
Acceptance Criteria
[ ] Auth Service SRD reviewed, alternate approaches investigated and considered, and a long-term solution agreed upon