BB2-3139: Added oauth2 flow to swagger docs

[stiwarisemanticbits]

JIRA Ticket: BB2-3139

What Does This PR Do?

Here we are allowing oauth2 flow using swagger docs. This change does not use oaut2-redirect.html after authorization. This is because of CORS context has been lost and this file will not have values required (as window.opener is null). window.opener looses context if parent and child tabs are not of same domain.

• Added custom redirect flow in static/oauth2-redirect.html
• Updated openapi yaml path to static/openapi.yaml. Previous path was incorrect.

Note: In order for this to work, one has to update their application and put https://sandbox.bluebutton.cms.gov/static/oauth2-redirect.html in Callback URLS / Redirect Uris section

Note: This flow will not re-populate client id, secret and scopes in authorize popup. This will be handled as part of separate ticket.

What Should Reviewers Watch For?

If you're reviewing this PR, please check for these things in particular:

Validation

https://github.com/user-attachments/assets/bf655fa0-6043-4680-ab6a-4301ed581092

What Security Implications Does This PR Have?

Please indicate if this PR does any of the following:

• Adds any new software dependencies

• Modifies any security controls

• Adds new transmission or storage of data

• Any other changes that could possibly affect security?

• [x] Yes, one or more of the above security implications apply. This PR must not be merged without the ISSO or team security engineer's approval.

Any Migrations?

• [ ] Yes, there are migrations
  • [ ] The migrations should be run PRIOR to the code being deployed
  • [ ] The migrations should be run AFTER the code is deployed
  • [ ] There is a more complicated migration plan (downtime, etc)
• [x] No migrations

[jimmyfagan]

Shivam, please update the What Should Reviewers Watch For? and Validation sections to help reviewers know how to test this locally during review.

Another minor note, based on our branch naming conventions, the branch name should include your github id and a short indication of what the changes achieve. Something like stiwarisemanticbits/BB2-3139-oauth2-flow-swagger. No need to change that for this one, but try to keep it in mind for future branches.

[stiwarisemanticbits]

Shivam, please update the What Should Reviewers Watch For? and Validation sections to help reviewers know how to test this locally during review.

Added video

[JFU-NAVA-PBC]

it'd be good to suppress the auto populate of html form's user/password inputs - just blank them out: but work round exists - open the swagger ui in incognito mode.

[JFU-NAVA-PBC]

Noticed that in the video, the swagger UI started from a local BB2, but callback (token) went to sbx, and after got the token - it returns to the local swagger ui page...

this is a bit off the auth flow where: the swagger ui url / callback redirect are both based on the same server...

may be the PR can be deploy to TEST to provide a full end to end experience (need to tweak the servers section to add https://test.bluebutton.cms.gov/ as 2nd server, and refactor token url, auth url accordingly - may be use relative URLs in security schemes...)

I tried to tweak the openapi.yaml adding a local server and relative URLs point to local server token and auth end points such that it will work on a local bb2 instance (only external url is the medicare.gov login), but on the call back I got a blank page when the swagger scripts should do the AC for token exchange:

callback:

http://localhost:8000/static/oauth2-redirect.html? code=VJAg79b0DHPvu7myWWJ509VviL6gbe &state=TW9uIEF1ZyAxOSAyMDI0IDExOjQyOjQ0IEdNVC0wNzAwIChQYWNpZmljIERheWxpZ2h0IFRpbWUp

may be a user error, but looking to see a full auth flow: start and going though call back and end up with the same BB2 instance.

either local bb2, or a bb2 on LLE.

[JFU-NAVA-PBC]

Since this is only being used in Sandbox this is okay

yea, doing exchange in a browser engine is not secure but Ok for synthetic data...

[JFU-NAVA-PBC]

checked the swagger is disabled on prod, which is good: