Open maheese opened 1 month ago
Following ICAM implementation, users cannot generate security tokens via Swagger page/ direct API call, causing workspace export, import, and edit functionalities to fail due to missing token authentication.
When logging in to ECMPS 2.0, it requires integration with login.gov and a number of web redirects, and after that it generates a security token. (Document)
• The client makes a determine policy call to Auth API
• Auth API makes a determine policy call to the OIDC provider
• OIDC provider, and thus Auth API, responds with one of the _SIGNIN, _MIGRATE, or _SIGNUP policies.
• The client forwards the user to the Auth endpoint of the OIDC provider.
• User completes the authentication flow at the OIDC provider
• When the user authentication process finishes, the OIDC provider sends a POST request with an authorization code back to the Auth API (/oauth2/code endpoint)
• Auth API validates the authentication result (nonce and state values), exchanges the auth code for an access token, retrieves the user's CDX roles, retrieves the user's CBS facilities and permissions, creates a user session, and finally redirects the user back to the home page as a logged-in user
API_KEY is required for all APIs, and Workspace APIs require a token too.
To exclude unwanted Swagger endpoints, implement the approach used in the "API exclude from swagger" commit.
The workspace API requires a security token, so API calls made through the Swagger page will be unsuccessful. Should we remove all workspace APIs from the Swagger page?
Is it okay to remove the token-validation-related APIs from Swagger? (auth-api)
We received a request tracker ticket asking about the use of the ECMPS 2.0 API. A bearer token is required to use any of the API endpoints that interact with the workspace, including exporting, importing, or updating data; evaluating data; and submitting data. To obtain a bearer token the user must be authenticated through CDX/ICAM.