CDCgov / prime-reportstream

ReportStream is a public intermediary tool for delivery of data between different parts of the healthcare ecosystem.
https://reportstream.cdc.gov
Creative Commons Zero v1.0 Universal

Auth Microservice SRD Review #14765

Open arnejduranovic opened 2 weeks ago

arnejduranovic commented 2 weeks ago

User Story

As a stakeholder of ReportStream, I want a SECURE, RELIABLE, and SCALABLE way to handle incoming authentication and authorization requests, so that we can minimize the potential of ReportStream AUTH bringing the system down or introducing security defects.

Description/Use Case

Presently, ReportStream has what is essentially a custom authorization server coupled with the backend application. The program should move to a more streamlined and microservice-appropriate auth solution. The new AUTH service design is detailed in the UP Software Requirements Document but needs to be evaluated to determine whether it is the best approach. We need to weigh this design as is against other possible solutions and determine a path forward.

A common pattern in microservices is to have a proxy server that does AUTH and ROUTING to microservices. This pattern should be evaluated as well as potential usage of CDC's Application Gateway project.

Some additional things that should be evaluated:

One idea to investigate could be using Azure Application Gateway with Azure Identity Management for machine-to-machine auth, and we wouldn't use Okta at all. Or maybe Okta can integrate with Azure Identity Management? Big question: Is there a way we can implement auth without writing our own auth service?

Risks/Impacts/Considerations

Dev Notes

Acceptance Criteria

Andrey-Glazkv commented 2 weeks ago

Hey team! Please add your planning poker estimate with Zenhub @adegolier @arnejduranovic @brick-green @david-navapbc @jack-h-wang @jalbinson @JFisk42 @mkalish @thetaurean