cedardevs / onestop

OneStop is a data discovery system being built by CIRES researchers on a grant from the NOAA National Centers for Environmental Information. We welcome contributions from the community!
GNU General Public License v2.0

Use the JWT in Gateway API #1295

Open dneufeldcu opened 4 years ago

dneufeldcu commented 4 years ago

Summary

As a developer
I want to be able to complete an unfinished task associated with logins
So that I can have user profile and role available to the Gateway API

The idea here is that OneStop Gateway will handle all communication with external identity providers (IdP), which is login.gov in this case.

When a request comes into Gateway, it will proxy to other OneStop services that provide web APIs, such as the user/saved search API, and the search API.

When it proxies to a protected endpoint, it will take steps to authenticate the user with login.gov (OAuth2 + OIDC) -- that much is done. But then, before proxying the request, it will hit the User API to get ROLES for that user (hence why this is blocked by #1294). Gateway may need a functional user account that has access to a /user/roles/{id} endpoint. Once the ROLES are received, Gateway will build a JWT with those ROLES as claims. It will finally pass that JWT in the Authorization header.

The apps that receive this JWT will need to have access to a public key (JWK) to verify that Gateway signed it. Gateway should provide an endpoint for this, like login.gov's /api/openid_connect/certs.

Currently the problem is that the Gateway app passes an access_token to the User API, which then hits login.gov to get user_info. This is no bueno. It does it every time the user makes a request to the API.

Tasks
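
The token flow described above, as an added example that is not OneStop's own code: Gateway mints a short-lived RS256 JWT carrying the ROLES and a `kid`, and a downstream API verifies it against the public keys it fetched from Gateway's JWK endpoint (here already parsed into `*rsa.PublicKey` and indexed by `kid`; the JWK parsing and the HTTP endpoint itself are left out). The claim names, the `kid` scheme and the 15-minute lifetime used by callers are assumptions, not values from the issue.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
func decode(seg string, v any) error { // base64url-decode one JWT segment and parse its JSON
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}
// MintToken is the Gateway side: sign the ROLES fetched from the User API into a short-lived
// RS256 JWT whose kid names Gateway's published key; it goes in the Authorization header.
func MintToken(priv *rsa.PrivateKey, kid, sub string, roles []string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]any{"sub": sub, "roles": roles, "exp": now.Add(ttl).Unix()}) // claim names assumed
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig), err
}
// VerifyToken is the downstream-API side. keys holds the public keys fetched from Gateway's
// JWK endpoint, by kid. alg is pinned to RS256 and the signature is checked before any claim is read.
func VerifyToken(tok string, keys map[string]*rsa.PublicKey, now time.Time) ([]string, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decode(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or disallowed alg")
	}
	pub, ok := keys[hdr.Kid]
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	var c struct{ Exp int64; Roles []string } // only the claims this check needs
	if decode(parts[1], &c) != nil || now.Unix() >= c.Exp {
		return nil, errors.New("bad claims or expired token")
	}
	return c.Roles, nil
}
```

Because the roles travel inside a signed token, the downstream API no longer has to call login.gov (or the User API) on every request; it only needs Gateway's current key set.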

caesterlein commented 4 years ago

Write-up with logs on why we need this JWT:

https://docs.google.com/document/d/1YRpvQxfOD2I3R5_pK4QgOG79Lx8quAnUiO5TEhbkRXM/edit?usp=sharing