search

GCTC-NTGC / gc-digital-talent

GC Digital Talent is the new recruitment platform for digital and tech jobs in the Government of Canada. // Talents numériques du GC est la nouvelle plateforme de recrutement pour les emplois numériques et technologiques au gouvernement du Canada.
https://talent.canada.ca
GNU Affero General Public License v3.0
22 stars 9 forks source link

Get rid of custom laravel auth app #2755

Closed patcon closed 2 years ago

patcon commented 2 years ago

This has come up as a nice-to-have, so that:

To Do

Bonus: This brings us closer to https://github.com/GCTC-NTGC/gc-digital-talent/issues/2572

cc: @petertgiles

petertgiles commented 2 years ago

I'm 100% in favour of removing Laravel auth and setting up a mock auth server for running tests instead. That would be super cool if it was just a docker image and we had to host minimal code.

I'm a little worried about the scope of this issue as defined. Changing the use of x5c and the introspection endpoints may be important but shouldn't be considered here, I think. We should be selecting a mock auth server based on it's ability to mimic our real auth server flow, not changing our real auth server flow to behave like our mock. If we want to implement some best practices that would also make it easier to mock let's set it as a blocker before starting this - not mix it in.

Here's my suggested scope:

patcon commented 2 years ago

Thanks Peter!

Changing the use of x5c

Just to draw attention to it, but did you see the email comment from our SiC contact in the other issue, about x5c being just a convenience? imho we shouldn't be using it -- it doesn't offer anything (simply a convenience to not do some cryptographic operations) and just restricts our options here.

From Doug in https://github.com/GCTC-NTGC/gc-digital-talent/issues/2716

The “x5c” property contains the same public key represented by the “n” and “e” properties, just presented as an X.509 certificate for any software out there that might prefer the older format. It is completely redundant and ignored by most software I’ve worked with.

My research (with links in https://github.com/GCTC-NTGC/gc-digital-talent/issues/2716) indicate that it's rarely provided, and we are less likely to find an existing mock auth server supporting it

We should be selecting a mock auth server based on it's ability to mimic our real auth server flow, not changing our real auth server flow to behave like our mock.

Maybe let's sync up and discuss? I worry I've poorly explained myself here. More than anything else, I feel this is an example of outside software (the mock server) helping us understand a misstep. (The conditional around the introspection endpoint is a different rationale.)

tristan-orourke commented 2 years ago

If we want to implement some best practices that would also make it easier to mock let's set it as a blocker before starting this - not mix it in.

I agree, this seems like a best practice. I've set #2716 as a blocker for this issue.

patcon commented 2 years ago

introspection endpoint is landed in upstream release, so we're good to migrate to the mock server (with not loss in functionality) as soon as https://github.com/GCTC-NTGC/gc-digital-talent/issues/2716 is ready.

tristan-orourke commented 2 years ago

Please add your planning poker estimate with ZenHub @patcon