Closed alexlovelltroy closed 6 months ago
davidallendj
commented
6 months ago This should all be covered by PRs #17, #19, and #23, except it also include the case where BSS needs to make a request to a protected SMD route when the user is interacting with BSS's public route.
synackd
commented
6 months ago The above PRs are merged, so I think we can consider this done.
BSS doesn't currently evaluate a JWT at all. We have already made these changes to SMD which should establish a pattern to follow.
BSS now supports both accepting a JWT to authorize against protected endpoints as well as becoming authorized with protected SMD endpoints via client credentials grant when a user requests a boot script.
Update calls from BSS to SMD so that any JWT presented as a bearer token to BSS will be passed along without changes to SMD
BSS only needs to present a token to SMD when the /boot/v1/bootscript (unprotected) endpoint is requested, since BSS needs to request protected SMD endpoints. Since the bootscript endpoint is unprotected, BSS needs its own token, which it gets via a client credentials grant from the OIDC/Oauth2 provider. This has been implemented and tests are passing, so this can be considered complete.
For the Supercomputer Institute, we have decided to use JWTs for authentication and authorization at the microservice level as well as ensuring that each client request presents a valid token through validation at the API Gateway.
BSS doesn't currently evaluate a JWT at all. We have already made these changes to SMD which should establish a pattern to follow.
In order to close this ticket, BSS must: