Login Page Updates for ICAM Changes

[yonatan-dp]

User Story

As an EASEY user, I want to be able to login using the new ICAM login process So that I can perform my authorized actions in the EASEY system as usual.

Development Notes

• Update “User Name” label to “CDX User ID” • Remove “Password field” • Add “EPA User?” check box (optional; default to unchecked • Update form action to call sur/determinePolicy action

Acceptance Criteria:

1) Login Functionality

• [ ] AC1.1: The login page must only require a userID for login, and no password field should be present.
• [ ] AC1.2: Upon entering a valid userID, the system should redirect the user to the OIDC provider for authentication.
• [ ] AC1.3: Invalid userIDs should result in an appropriate error message being displayed without redirection to the OIDC provider.
• [ ] AC1.4: The system should handle the OIDC callback and log the user into the application upon successful authentication.
• [ ] AC1.5: Ensure session creation and user-specific data are correctly initialized upon successful login.
• [ ] AC1.6: Ensure facilities and roles are correctly retrieved from CAMD and are used for securing application resources correctly.

2) Token Refreshing Functionality

AC2.1: The application must automatically refresh the OIDC token before it expires without user intervention. AC2.2: The refreshed token should be valid, and user sessions must continue without requiring a re-login. AC2.3: If a token refresh fails, the user should be redirected to the login page with an appropriate error message.

3) Retrieving Organization Information for Users

AC3.1: The application must correctly fetch and display use information (first and last names) from the OIDC token claims post-login. AC3.2: Changes in organization information on the OIDC provider side should reflect in the application after a new login.

4) Token Validation

AC4.1: The application must validate OIDC tokens using the provider’s public keys to ensure they are genuine. AC4.2: Expired or tampered tokens should be rejected.

6) Login Scenarios for Different User Types Across Multiple Paths

• [ ] AC6.1: Verify that both EPA and non-EPA users can successfully log in through all available paths (sign in, sign up, and migrate).
• [ ] AC6.2: User-specific redirections or flows (e.g., first-time login instructions for new users) should work as expected for both user types.
• [ ] AC6.3: Ensure that error handling and messages are appropriate for each scenario and user type.
• [ ] AC6.4: Post-login redirection to intended pages (or dashboards) must be correct depending on the user type and the authentication path used.

[ibarra-michelle]

Successfully validated AC1.3 - when I use a non-existent CDX account, I receive the appropriate error message displayed that refers to the "create an account" link and I am not redirected to the OIDC provider.

[lgiannini1]

After entering a CDX username that has been migrated, the text should instruct the user to click the button to proceed to login.gov/ EPA gateway. The current text makes it seem like the users are automatically being redirected. When entering a CDX username that has not been migrated yet, the text advises users to proceed to CDX, and the log in button text changes to "Proceed to CDX".

[ibarra-michelle]

Issue: Unable to login to ECMPS dev with my non-org account (401 error) and organization (OIDC mismatch error).

1. Steps to generate 401 error: When in the ECMPS dev environment and attempting to login with my non-org account, I click the Log In button, then click the Sign in button, and receive a 401 error:

Non-org account error and session id:

2. Steps to generate OIDC error: When in the ECMPS dev environment and attempting to login with my org account, I click the Log In button, then click the Sign in button, and receive a OIDC error:

Org account error and correlation id:

[yonatan-dp]

After entering a CDX username that has been migrated, the text should instruct the user to click the button to proceed to login.gov/ EPA gateway. The current text makes it seem like the users are automatically being redirected. When entering a CDX username that has not been migrated yet, the text advises users to proceed to CDX, and the log in button text changes to "Proceed to CDX".

We probably need to have a wholistic discussion on the exact label/text content for all the different scenarios. The text/labels were copied from CDX for the different scenarios for the different policy values of SIGNIN, MIGRATE, SIGNUP.

[yonatan-dp]

@ibarra-michelle This looks like a variation on the concurrent sign-in scenario that Mike asked Chris (ICAM team about). That error is coming back from the OIDC provider and, at least in the second scenario, the OIDC provider thinks there is an existing session and it can't log you in to that session automatically because of a mismatch in your claims. I will send an email to Chris with the details.

[lgiannini1]

Verified AC1.1, AC1.2, AC1.3, AC6.1, AC6.2, and AC6.3 on dev with non-EPA CDX accounts.

[ibarra-michelle]

After discussing internally, logins to the dev/test/beta environments will be the way test these changes to the application.