beedawn / scrapescholar

This is a tool to assist with systematic literature reviews. It provides a web interface to interact with academic database APIs.

AR5 - The system shall incorporate an OAuth-based identity management solution to verify user identities securely through an approved identity provider. #47

Open beedawn opened 2 months ago

beedawn commented 2 months ago

Title: AR5
Priority: Medium
Estimation: 5
Risk: Low
Requirement: AR5

User Story  

The system shall incorporate an OAuth-based identity management solution to verify user identities securely through an approved identity provider.

Acceptance Criteria  

Given the user is on the login page,
When the user selects an OAuth identity provider and completes the authentication process,
Then the user is logged into the system and can access their account securely.

Definition of Done 

beedawn commented 1 month ago

https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/b9144011-19ec-4819-8bb8-0697755b0cad/appId/53d63a26-224c-4934-ba66-a31a2a06870e/preferredSingleSignOnMode~/null/servicePrincipalType/Application/fromNav/

beedawn commented 1 month ago

https://pennstateoffice365.sharepoint.com/sites/PSUWebSSO

beedawn commented 1 month ago

moved to in progress 10/3

tristanhamid commented 1 month ago

https://aad.portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Authentication/appId/53d63a26-224c-4934-ba66-a31a2a06870e

This link of Entra admin center is more useful for the OAuth.

So far, I've generated the client secret for our application. One note: the applicationID is the same as the clientID.

Also, I've generated the redirect link, which I believe will work correctly when we test: http://localhost:3000/auth/callback

Next steps are to correctly configure the .env file

PENN_STATE_OAUTH_CLIENT_ID=our-application-id  
PENN_STATE_OAUTH_CLIENT_SECRET=our-client-secret 
PENN_STATE_OAUTH_REDIRECT_URI=http://localhost:3000/auth/callback
PENN_STATE_OAUTH_AUTHORIZATION_URL=https://login.microsoftonline.com/{penn_state_tenant_id}/oauth2/v2.0/authorize
PENN_STATE_OAUTH_TOKEN_URL=https://login.microsoftonline.com/{penn_state_tenant_id}/oauth2/v2.0/token

Then I believe all I have to do is correctly configure the FastAPI app to route this /auth/callback. I will test to see how this functionality works.

from fastapi import FastAPI, Request
from authlib.integrations.starlette_client import OAuth  # app also needs SessionMiddleware: authlib keeps state/nonce in the session
app = FastAPI()
oauth = OAuth()  # oauth.register("pennstate", ...) with the client id/secret and URLs from the .env above
@app.get("/auth/callback")
async def auth_callback(request: Request):
    # exchange the ?code= for tokens; authlib checks the returned state against the session first
    token = await oauth.pennstate.authorize_access_token(request)
    user = await oauth.pennstate.parse_id_token(request, token)  # on authlib >= 1.0 the claims are already in token["userinfo"]
    return user  # to the landing page of the frontend application?

I still need to explore more on where to redirect the user, to get them back to the correct page.

Finally, I will need to grant access to the stakeholder researchers of Dr. Dusan and Co. under Manage > Users and groups at the following link: https://aad.portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/53d63a26-224c-4934-ba66-a31a2a06870e
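
Added example (not part of the project or of the comment above): the pieces of the authorization-code flow that the .env values and the /auth/callback route above rely on, written with the standard library only so it runs without authlib or a network. The tenant id, client id and FRONTEND_ORIGIN are placeholders; the real values live in .env. It shows the state value that protects the callback against CSRF, the nonce and PKCE parameters that go in the authorize request, the exact token-endpoint body, and a check that keeps the post-login redirect on the frontend origin rather than wherever a ?next= parameter points.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed config mirroring the .env keys in the comment above; placeholders, not real ids.
TENANT_ID = "penn_state_tenant_id"
CLIENT_ID = "our-application-id"
REDIRECT_URI = "http://localhost:3000/auth/callback"
AUTHORIZATION_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
FRONTEND_ORIGIN = "http://localhost:3000"  # assumed landing origin; only paths on it are allowed


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) with the '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_login_request() -> dict:
    """Values the server must keep in the user's session between /login and /auth/callback."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32), "code_verifier": verifier}


def build_authorize_url(pending: dict) -> str:
    """Authorization-code request carrying state (CSRF), nonce (id_token replay) and PKCE."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,  # must equal a registered redirect URI byte-for-byte
        "response_mode": "query",
        "scope": "openid profile email",
        "state": pending["state"],
        "nonce": pending["nonce"],
        "code_challenge": pkce_challenge(pending["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_URL}?{urlencode(params)}"


def extract_code(callback_url: str, pending: dict) -> str:
    """Validate the redirect back to /auth/callback before exchanging the code for tokens."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"provider returned {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, pending["state"]):
        raise PermissionError("state mismatch: possible CSRF or a stale login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise PermissionError("missing authorization code")
    return code


def token_request_body(code: str, pending: dict, client_secret: str) -> dict:
    """Form fields for the POST to TOKEN_URL (confidential client plus PKCE verifier)."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,  # read from the environment, never committed to the repo
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": pending["code_verifier"],
    }


def safe_post_login_redirect(requested: str = "") -> str:
    """Send the browser only to a path on the frontend origin; anything else goes to '/'."""
    if not requested:
        return f"{FRONTEND_ORIGIN}/"
    parsed = urlparse(requested)
    if parsed.scheme or parsed.netloc or not requested.startswith("/") or requested.startswith("//"):
        return f"{FRONTEND_ORIGIN}/"
    return f"{FRONTEND_ORIGIN}{requested}"
```

The flow is: on /login call new_login_request(), store the dict in the server-side session, redirect to build_authorize_url(); on /auth/callback call extract_code() against the stored dict, POST token_request_body() to TOKEN_URL, verify the id_token's nonce equals the stored one, then redirect with safe_post_login_redirect(). authlib does the state and nonce bookkeeping for you, which is why its Starlette client needs SessionMiddleware installed.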

tristanhamid commented 1 month ago

For now, assigning back into "Ready" and working on more relevant work (US-24 and US-24) since those are newly created P0 items and this is a P1 item. This change was made following a discussion with the team yesterday.