Simplify OIDC implementation

artefactual-sdps / enduro

A tool to support ingest and automation in digital preservation workflows

https://enduro.readthedocs.io/

Apache License 2.0

4 stars 3 forks source link

Simplify OIDC implementation #962

Closed jraddaoui closed 3 months ago

jraddaoui commented 3 months ago

Remove client secret config. It's not used to verify the tokens. It will be added back if we implement a BFF flow with client credentials.
Expect a single client in the OIDC provider. Since the secret is not needed, we don't need another client nor cross-client audience config.

Refs #957.

codecov[bot] commented 3 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 51.31%. Comparing base (1dcfffc) to head (4ce83bb).

Additional details and impacted files

```diff @@ Coverage Diff @@ ## main #962 +/- ## ======================================= Coverage 51.31% 51.31% ======================================= Files 102 102 Lines 5679 5679 ======================================= Hits 2914 2914 Misses 2521 2521 Partials 244 244 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

jraddaoui commented 3 months ago

The current implementation uses the the authorization code flow (with PKCE) from the UI to obtain the token and validates it against the provider from the API on each request. These changes just remove unnecessary pieces from that implementation, as the secret is not used to verify the tokens either, we don't need the cross-client support.

We'll probably change this at some point to use a more secure Backend For Frontend (BFF) flow, where we'll get the token from the backend using client credentials.