Open alexlovelltroy opened 6 months ago
This is completed for SMD with this commit. Do we want to implement this for any other microservice before SI?
Reassigning this to @davidallendj
We've been having a lot of discussions about hydra/authelia/keycloak and which oauth flows to support. At this point, we are leaning towards using hydra, possibly with kratos and supporting the Authentication Code Flow with PKCE as described in https://datatracker.ietf.org/doc/html/rfc7636.
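For readers following the RFC 7636 reference above, the following is an added illustration of the PKCE code_verifier / code_challenge round trip; it is not code from ochami, hydra, kratos, or any project named in this thread. It shows the client-side derivation (S256 method) and the recomputation an authorization server performs at the token endpoint before it will exchange an authorization code. All function names are hypothetical, and the known-answer values are the ones published in RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) code_verifier / code_challenge round trip.

Added example, not code from ochami or the OAuth servers discussed above.
Function names are hypothetical; the S256 derivation follows RFC 7636 section 4.
"""
import base64
import hashlib
import hmac
import secrets

# Known-answer pair from RFC 7636 Appendix B (used to self-check the derivation).
RFC7636_APPENDIX_B_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_APPENDIX_B_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(raw: bytes) -> str:
    """RFC 7636 Appendix A: base64url encoding with the '=' padding removed."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy random string of 43..128 unreserved characters.

    32 random bytes encode to 43 characters, 96 bytes to 128, so the byte range
    32..96 keeps the verifier inside the length the RFC requires.
    """
    if not 32 <= n_bytes <= 96:
        raise ValueError("verifier must be 43..128 characters long")
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def server_verifies(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization server, token endpoint: recompute the challenge from the
    verifier presented alongside the authorization code and compare it with
    the challenge that was bound to that code at /authorize.

    Only S256 is accepted here; "plain" offers no protection against a stolen
    code, and an unknown method is treated as a failure rather than a fallback.
    Comparison is constant-time to avoid leaking how many characters matched.
    """
    if method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


def run_flow() -> tuple[bool, bool]:
    """Simulate one authorization-code exchange with PKCE.

    Returns (legitimate client accepted, interceptor with the code but no
    verifier rejected). The second value is the whole point of PKCE: an
    attacker who captures only the authorization code cannot redeem it.
    """
    # 1. Client generates the secret and sends only the derived challenge.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)

    # 2. Server stores the challenge with the issued authorization code.
    stored = {"code": "constructed-auth-code", "challenge": challenge, "method": "S256"}

    # 3. Legitimate client redeems the code with the original verifier.
    accepted = server_verifies(stored["challenge"], stored["method"], verifier)

    # 4. An interceptor holding the code must guess the verifier; a fresh random
    #    one has no relation to the stored challenge and fails.
    rejected = not server_verifies(stored["challenge"], stored["method"], make_code_verifier())
    return accepted, rejected


def rfc_appendix_b_check() -> bool:
    """Self-check against the RFC 7636 Appendix B known-answer vector."""
    return make_code_challenge(RFC7636_APPENDIX_B_VERIFIER) == RFC7636_APPENDIX_B_CHALLENGE


if __name__ == "__main__":
    print("RFC 7636 Appendix B vector matches:", rfc_appendix_b_check())
    print("(client accepted, interceptor rejected) =", run_flow())
```

The server-side function is the part that matters for the threat PKCE addresses: the code_challenge is bound to the authorization code when it is issued, and the token endpoint refuses the exchange unless the presenter can produce the matching code_verifier, so a leaked authorization code alone is worthless.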
We probably need a design document or blog post that describes how this works. It's not clear to me that our exploration has gotten us to a point where we're confident in our direction so we can delay that work for a bit.
In order to be useful for the teams as part of the Supercomputing Institute, ochami must support both authentication and authorization sufficient to keep each team in their own sandbox. RFD #11 covers how authorization must be handled with JWTs. In order to enforce authorization, we also need a system and method for authenticating users and creating narrowly scoped tokens.