jimfuqian/BB2-3471-swagger-ui-auth-w-pkce-set-verifier-4-token-exchange

JIRA Ticket: BB2-3471

A follow up PR fixing the PKCE verifier code handling in customized swagger UI code.

If you're reviewing this PR, please check for these things in particular:

Refer to "Validation" of PR 1260

PR deployed to TEST ENV.

Steps:

Register app on TEST, e.g. myApp
Point browser to swagger UI at TEST: https://test.bluebutton.cms.gov/docs/openapi
Follow the instruction at swagger UI page
Click "Authorize" button to bring up the OAUTH dialogue, type in the myApp credentials (client_id/client_secret)
Check all scopes, click the "Authorize" button of the OAUTH dialogue
Follow the medicare login flow e.g. login as BBUser00000, grant data access....
Assume the authorize flow completes successfully
Pick any of the OAUTH protected end points, e.g. userinfo, and try it out, should see userinfo response.
Then click "Logout", and then repeat the auth flow step 4 - 8 multiple times - e.g. 4 times
Login into splunk and open up "BB2 Authorization Flow Dashboard", select ENV=test, filter app name selector, and pick only your app - e.g. myApp, query the auth flows in past 60 min, then should be able to see something like below PKCE stats: the screen shot shows 4 auth flow w PKCE (S256 method):

Please indicate if this PR does any of the following:

Adds any new software dependencies
Modifies any security controls
Adds new transmission or storage of data
Any other changes that could possibly affect security?
[ ] Yes, one or more of the above security implications apply. This PR must not be merged without the ISSO or team security engineer's approval.

[ ] Yes, there are migrations
- [ ] The migrations should be run PRIOR to the code being deployed
- [ ] The migrations should be run AFTER the code is deployed
- [ ] There is a more complicated migration plan (downtime, etc)
[x] No migrations

CMSgov / bluebutton-web-server