Open yonatan-dp opened 2 months ago
Test case: create new account with non-EPA email in cdx dev (create login.gov account with same email):
After this, I attempted to log into cdx dev and received this error:
We made a change to how tokens are validated late yesterday. Can you retest once it is deployed? Will confirm deployment with Mark. I don't think the CORS error is related to the tokens or ICAM. Let me know once you retest and will recheck.
Issue: AC1.2 could not be validated as the org user logging in is not redirected to the EPA Gateway.
Description: I used my existed organization account, entered the user name, was prompted the redirect EPA Gateway message on the ECMPS home page, clicked the Sign In button, and was not redirected to a EPA Gateway screen. After clicking "Sign In," I was taken to the logged in view, where I could navigate to the Monitoring Plan, and "Open & Checkout" records.
We had a number of environment issues yesterday, almost all day.
Github was down and mock permissions were disabled when the app redeployed automatically after a build.
A deployment was done late yesterday after GitHub resolved the GitHub actions issue. Please retest.
We had a number of environment issues yesterday, almost all day.
Github was down and mock permissions were disabled when the app redeployed automatically after a build.
A deployment was done late yesterday after GitHub resolved the GitHub actions issue. Please retest.
Issue: AC1.2 is still could not be validated post the Tuesday, 05/21 deployments, specifically the org user logging in is not redirected to the EPA Gateway.
Hello @yonatan-dp , thanks for the update. I retested AC1.2 and am still not getting the expected result. I cleared my cache for the last 4-weeks, opened ECMPS dev, typed in my my org account username, and was not redirected to the EPA Gateway, and taken directly to the logged in view of ECMPS dev, where I can "Open & Checkout" Monitoring Plan records
We had a number of environment issues yesterday, almost all day. Github was down and mock permissions were disabled when the app redeployed automatically after a build. A deployment was done late yesterday after GitHub resolved the GitHub actions issue. Please retest.
Issue: AC1.2 is still could not be validated post the Tuesday, 05/21 deployments, specifically the org user logging in is not redirected to the EPA Gateway.
Hello @yonatan-dp , thanks for the update. I retested AC1.2 and am still not getting the expected result. I cleared my cache for the last 4-weeks, opened ECMPS dev, typed in my my org account username, and was not redirected to the EPA Gateway, and taken directly to the logged in view of ECMPS dev, where I can "Open & Checkout" Monitoring Plan records
Hi @ibarra-michelle, to eliminate possibility of local browser context, can you try this in incognito mode?
We had a number of environment issues yesterday, almost all day. Github was down and mock permissions were disabled when the app redeployed automatically after a build. A deployment was done late yesterday after GitHub resolved the GitHub actions issue. Please retest.
Issue: AC1.2 is still could not be validated post the Tuesday, 05/21 deployments, specifically the org user logging in is not redirected to the EPA Gateway. Hello @yonatan-dp , thanks for the update. I retested AC1.2 and am still not getting the expected result. I cleared my cache for the last 4-weeks, opened ECMPS dev, typed in my my org account username, and was not redirected to the EPA Gateway, and taken directly to the logged in view of ECMPS dev, where I can "Open & Checkout" Monitoring Plan records
Hi @ibarra-michelle, to eliminate possibility of local browser context, can you try this in incognito mode?
Conclusion: In incognito mode, AC1.2 has been validated for organization users, where the org user is redirected to the EPA Gateway, prompted to type in their PIV pin, and then redirected back to ECMPS dev app as a logged in user.
Authentication flow confirmed on dev with non-EPA CDX accounts.
User Story As an EASEY user, I want to be able to successfully login by using the new ICAM authentication servers So that I can perform my authorized actions in the EASEY system as usual.
Development Notes • Update Authorization Service to call new ICAM services instead of SOAP Services • Refactor as needed • Deprecate/remove SOAP service API end points • Update Guards
Based on discussions and email exchanges with the ICAM team and ERG/DPC, this is the Auth-flow that will be implemented
Error Post Redirect
Successful Login Post Redirect
Acceptance Criteria:
1) Login Functionality
AC1.1: The login page must only require a userID for login, and no password field should be present. AC1.2: Upon entering a valid userID, the system should redirect the user to the OIDC provider for authentication. AC1.3: Invalid userIDs should result in an appropriate error message being displayed without redirection to the OIDC provider. AC1.4: The system should handle the OIDC callback and log the user into the application upon successful authentication. AC1.5: Ensure session creation and user-specific data are correctly initialized upon successful login. AC1.6: Ensure facilities and roles are correctly retrieved from CAMD and are used for securing application resources correctly.
2) Token Refreshing Functionality
AC2.1: The application must automatically refresh the OIDC token before it expires without user intervention. AC2.2: The refreshed token should be valid, and user sessions must continue without requiring a re-login. AC2.3: If a token refresh fails, the user should be redirected to the login page with an appropriate error message.
3) Retrieving Organization Information for Users
AC3.1: The application must correctly fetch and display use information (first and last names) from the OIDC token claims post-login. AC3.2: Changes in organization information on the OIDC provider side should reflect in the application after a new login.
4) Token Validation
AC4.1: The application must validate OIDC tokens using the provider’s public keys to ensure they are genuine. AC4.2: Expired or tampered tokens should be rejected.
6) Login Scenarios for Different User Types Across Multiple Paths
AC6.1: Verify that both EPA and non-EPA users can successfully log in through all available paths (sign in, sign up, and migrate). AC6.2: User-specific redirections or flows (e.g., first-time login instructions for new users) should work as expected for both user types. AC6.3: Ensure that error handling and messages are appropriate for each scenario and user type. AC6.4: Post-login redirection to intended pages (or dashboards) must be correct depending on the user type and the authentication path used.