department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Researching AuthN/AuthZ Solutions #58949

Closed JoeTice closed 1 year ago

JoeTice commented 1 year ago

Description

Following the understanding of user flows, and technical requirements, the next phase in the epic to implement Authentication & Authorization for Preview Environments is to research potential solutions. This involves exploring various Authentication & Authorization tools, technologies, and methodologies that can meet the identified needs.


Tasks

Acceptance Criteria

gia-lexa commented 1 year ago

Possibilities so far are listed below. I've gone through Confluence to find other possible tooling, though that searching is pretty broad. Also began investigating what might make the most sense in terms of integrating with GHA. Next focus is on exploring TUD as it used GitHub OAuth.

  1. GitHub OAuth - a cursory glance makes this sound particularly attractive because it seems likely to integrate well with GHA; need to confirm if the libraries available are already being used on the Platform
  2. Platform Console
  3. Test User Dashboard
  4. In-code Solution
  5. Discovery: Anything else that already exists in the Platform or has existed in the Platform which may provide the Authn/Authz mechanisms required.

JoeTice commented 1 year ago

Sprint 28 Update - IN PROGRESS - Research is being conducted on this; we anticipate settling on a path this sprint. Work will be completed in Sprint 29.

gia-lexa commented 1 year ago

Adding info on GH OAuth and TUD's use of it as an auth mechanism

gia-lexa commented 1 year ago

Adding info on Platform Console's use of Login.gov, adding more details about GHOAuth (outline possible steps to instantiate using a GitHub Action, etc), reading information about ID.me.

For this action item, "Evaluate potential solutions based on their features, security, and cost", need to determine who in the org could provide insight on cost.

gia-lexa commented 1 year ago

Finished research about Login.gov; researched the three somewhat tangential third party apps—ID.me, MHV, and DS Login—and wrote the evaluation of them as possibilities; started list of questions for technical stakeholders.

gia-lexa commented 1 year ago

Questions for stakeholders; returned to OAuth to detail how it could be utilized and if this is truly feasible for our purposes.

gia-lexa commented 1 year ago

Met with team members to discuss two usage flows related to OAuth; diagramming each. Need to meet with a frontend team member to determine how a landing page will work for the second user flow.

gia-lexa commented 1 year ago

Determined that having separate flows for the author of a PR versus everyone else in the org could increase confusion. Focusing instead on how we could present a landing page to all users once a PE has been configured for auth. Also filled out more details about other options and why GitHub OAuth covers more of our needs.

gia-lexa commented 1 year ago

Finished researching and adding details about how a dockerized PE might include OAuth, included happy path workflow; added comparison of Login.gov vs GitHub OAuth; added more details about the incurred overhead if we use a third party app that only provides authentication rather than authentication and authorization. Added details to document.