search

US-EPA-CAMD / easey-ui

Project Management repo for EPA Clean Air Markets Division (CAMD) Business Suite of applications
MIT License
0 stars 0 forks source link

Update Auth Sevices for ICAM Changes #6201

Open yonatan-dp opened 2 months ago

yonatan-dp commented 2 months ago

User Story As an EASEY user, I want to be able to successfully login by using the new ICAM authentication servers So that I can perform my authorized actions in the EASEY system as usual.

Development Notes • Update Authorization Service to call new ICAM services instead of SOAP Services • Refactor as needed • Deprecate/remove SOAP service API end points • Update Guards

Based on discussions and email exchanges with the ICAM team and ERG/DPC, this is the Auth-flow that will be implemented

  1. User provides a user id and clicks on Next
  2. The client initiates a determinePolicy to determine the policy to apply to the user (sign in, migrate, or sign up). If the user id provided by the user is invalid, then an appropriate error message is provided to the user.
  3. The user is redirected to a landing page that is appropriate for the policy returned based on the user.
  4. Once the user completes the authentication flow, the Azure DB will send an http post request to the Auth API at http://[base url]//oauth2/code. The post redirect may provide error information or a successful login

Error Post Redirect

  1. Auth API will redirect to ECMPS UI with the error information
  2. ECMPS UI will display the login error

Successful Login Post Redirect

  1. Auth API will create a session and redirects to ECMPS UI appending the session ID as query parameters
  2. ECMPS UI will now call Auth API with the session ID to obtain full token and user data
  3. Auth API will respond with a fully fleshed out User object with token
  4. Normal signed-in process will continue

Acceptance Criteria:

1) Login Functionality

AC1.1: The login page must only require a userID for login, and no password field should be present. AC1.2: Upon entering a valid userID, the system should redirect the user to the OIDC provider for authentication. AC1.3: Invalid userIDs should result in an appropriate error message being displayed without redirection to the OIDC provider. AC1.4: The system should handle the OIDC callback and log the user into the application upon successful authentication. AC1.5: Ensure session creation and user-specific data are correctly initialized upon successful login. AC1.6: Ensure facilities and roles are correctly retrieved from CAMD and are used for securing application resources correctly.

2) Token Refreshing Functionality

AC2.1: The application must automatically refresh the OIDC token before it expires without user intervention. AC2.2: The refreshed token should be valid, and user sessions must continue without requiring a re-login. AC2.3: If a token refresh fails, the user should be redirected to the login page with an appropriate error message.

3) Retrieving Organization Information for Users

AC3.1: The application must correctly fetch and display use information (first and last names) from the OIDC token claims post-login. AC3.2: Changes in organization information on the OIDC provider side should reflect in the application after a new login.

4) Token Validation

AC4.1: The application must validate OIDC tokens using the provider’s public keys to ensure they are genuine. AC4.2: Expired or tampered tokens should be rejected.

6) Login Scenarios for Different User Types Across Multiple Paths

AC6.1: Verify that both EPA and non-EPA users can successfully log in through all available paths (sign in, sign up, and migrate). AC6.2: User-specific redirections or flows (e.g., first-time login instructions for new users) should work as expected for both user types. AC6.3: Ensure that error handling and messages are appropriate for each scenario and user type. AC6.4: Post-login redirection to intended pages (or dashboards) must be correct depending on the user type and the authentication path used.

j-tafoya commented 1 month ago

Test case: create new account with non-EPA email in cdx dev (create login.gov account with same email):

  1. Logged into cdx dev, attempt to log into ECMPS after role approved in cdx dev by sponsor
  2. Navigate to Monitoring Plans
    • received an error:

Image

Image

  1. After logging out of cdx dev in the other tab, I was able to successfully navigate to the Monitoring Plans section, but after checking out a facility (Agua Fria Generating Station 141, config 1) I attempted to export the monitoring plan and received a CORS error as follows: Image

After this, I attempted to log into cdx dev and received this error: Image

yonatan-dp commented 1 month ago

We made a change to how tokens are validated late yesterday. Can you retest once it is deployed? Will confirm deployment with Mark. I don't think the CORS error is related to the tokens or ICAM. Let me know once you retest and will recheck.

ibarra-michelle commented 1 month ago

Issue: AC1.2 could not be validated as the org user logging in is not redirected to the EPA Gateway.

Description: I used my existed organization account, entered the user name, was prompted the redirect EPA Gateway message on the ECMPS home page, clicked the Sign In button, and was not redirected to a EPA Gateway screen. After clicking "Sign In," I was taken to the logged in view, where I could navigate to the Monitoring Plan, and "Open & Checkout" records.

yonatan-dp commented 1 month ago

We had a number of environment issues yesterday, almost all day.

Github was down and mock permissions were disabled when the app redeployed automatically after a build.

A deployment was done late yesterday after GitHub resolved the GitHub actions issue. Please retest.

ibarra-michelle commented 1 month ago

We had a number of environment issues yesterday, almost all day.

Github was down and mock permissions were disabled when the app redeployed automatically after a build.

A deployment was done late yesterday after GitHub resolved the GitHub actions issue. Please retest.

Issue: AC1.2 is still could not be validated post the Tuesday, 05/21 deployments, specifically the org user logging in is not redirected to the EPA Gateway.

Hello @yonatan-dp , thanks for the update. I retested AC1.2 and am still not getting the expected result. I cleared my cache for the last 4-weeks, opened ECMPS dev, typed in my my org account username, and was not redirected to the EPA Gateway, and taken directly to the logged in view of ECMPS dev, where I can "Open & Checkout" Monitoring Plan records

yonatan-dp commented 1 month ago

We had a number of environment issues yesterday, almost all day. Github was down and mock permissions were disabled when the app redeployed automatically after a build. A deployment was done late yesterday after GitHub resolved the GitHub actions issue. Please retest.

Issue: AC1.2 is still could not be validated post the Tuesday, 05/21 deployments, specifically the org user logging in is not redirected to the EPA Gateway.

Hello @yonatan-dp , thanks for the update. I retested AC1.2 and am still not getting the expected result. I cleared my cache for the last 4-weeks, opened ECMPS dev, typed in my my org account username, and was not redirected to the EPA Gateway, and taken directly to the logged in view of ECMPS dev, where I can "Open & Checkout" Monitoring Plan records

Hi @ibarra-michelle, to eliminate possibility of local browser context, can you try this in incognito mode?

ibarra-michelle commented 1 month ago

We had a number of environment issues yesterday, almost all day. Github was down and mock permissions were disabled when the app redeployed automatically after a build. A deployment was done late yesterday after GitHub resolved the GitHub actions issue. Please retest.

Issue: AC1.2 is still could not be validated post the Tuesday, 05/21 deployments, specifically the org user logging in is not redirected to the EPA Gateway. Hello @yonatan-dp , thanks for the update. I retested AC1.2 and am still not getting the expected result. I cleared my cache for the last 4-weeks, opened ECMPS dev, typed in my my org account username, and was not redirected to the EPA Gateway, and taken directly to the logged in view of ECMPS dev, where I can "Open & Checkout" Monitoring Plan records

Hi @ibarra-michelle, to eliminate possibility of local browser context, can you try this in incognito mode?

Conclusion: In incognito mode, AC1.2 has been validated for organization users, where the org user is redirected to the EPA Gateway, prompted to type in their PIV pin, and then redirected back to ECMPS dev app as a logged in user.

lgiannini1 commented 1 month ago

Authentication flow confirmed on dev with non-EPA CDX accounts.