Open fyliu opened 1 year ago
I'm not sure if the role, stakeholder, feature labels are right.
I feel the "Infrastructure" feature might be wrong on this. Should this be under something like "Authentication"?
The labels are correct. Discussed during a meeting with Fang and team.
In OAuth2, there's the concept of app clients that are granted access to authenticate against Cognito. The `client_secret` is one way to determine that a client is who it says it is. It's essentially a password.

But the `client_secret` is only for use by something that can protect secrets, such as backend servers. For frontends and mobile apps, they would use app clients that don't require a `client_secret`. They would need to verify their identities some other way.

This issue is interested in securing frontends, where the `client_secret` doesn't apply.
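To make the confidential-vs-public distinction above concrete, here is an added example (not code from this project or from Cognito) of what a token endpoint checks in each case: a backend server proves itself with its `client_secret`, while a browser or mobile app, which has no secret, proves it is the same party that started the flow using PKCE (RFC 7636), the standard OAuth2 mechanism for public clients and my assumption for the "some other way" the comment leaves open. The client registry, client ids and secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed app-client registry standing in for Cognito's app client
# configuration (hypothetical ids and secret; not values from the project).
CLIENTS = {
    # backend server: can keep a secret, so it is a confidential client
    "backend-server": {"confidential": True, "secret": "constructed-backend-secret"},
    # browser SPA / mobile app: cannot keep a secret, so it is a public client
    "spa-frontend": {"confidential": False, "secret": None},
}


def make_code_verifier() -> str:
    """Random PKCE code_verifier: 43 URL-safe chars, inside RFC 7636's 43..128 range."""
    return secrets.token_urlsafe(32)


def pkce_challenge_s256(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA-256(verifier)) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authenticate_client(client_id: str, *,
                        client_secret: Optional[str] = None,
                        code_verifier: Optional[str] = None,
                        stored_challenge: Optional[str] = None) -> bool:
    """Decide whether a token request really comes from the registered client.

    Confidential clients prove identity with their client_secret (a password).
    Public clients have no secret; they prove that the party redeeming the
    authorization code is the one that started the flow (and sent
    code_challenge) by presenting the matching code_verifier.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return False

    if client["confidential"]:
        if client_secret is None:
            return False
        # constant-time comparison: treat the secret exactly like a password
        return hmac.compare_digest(client_secret.encode(), client["secret"].encode())

    # Public client: a client_secret is ignored, since anything shipped inside a
    # frontend bundle or mobile app cannot be secret. PKCE binding is required.
    if code_verifier is None or stored_challenge is None:
        return False
    computed = pkce_challenge_s256(code_verifier)
    return hmac.compare_digest(computed.encode(), stored_challenge.encode())


if __name__ == "__main__":
    # backend: secret check
    print("backend ok:", authenticate_client("backend-server", client_secret="constructed-backend-secret"))
    print("backend bad:", authenticate_client("backend-server", client_secret="wrong"))
    # frontend: the app keeps the verifier, sends the challenge at /authorize,
    # the server stores it, and the app reveals the verifier at /token
    verifier = make_code_verifier()
    challenge = pkce_challenge_s256(verifier)
    print("frontend ok:", authenticate_client("spa-frontend", code_verifier=verifier, stored_challenge=challenge))
    print("frontend bad:", authenticate_client("spa-frontend", code_verifier="not-the-verifier", stored_challenge=challenge))
```

The design point is that the public-client branch never consults a secret at all: if the frontend app client in Cognito has a secret configured, that secret ends up in every user's browser, so the check would prove nothing.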
API key is a little different than what we initially thought. `djangorestframework-api-key` and `django-oauth-toolkit` can create API keys if we need it.

We are going to use Cognito client secrets so that when a user logs into vrms or ctj (client systems), and the client system makes a request to authenticate that user and then show them data, we will know it's coming from a client system.
We already have a work issue #242 to integrate with Cognito using a client secret. It looks like that issue's dependency #241 is closed and we need to point to the new issue @ethanstrominger made, #323, if the PR for it has the same problem of working only with `client secret` disabled.

- [ ] if #324 doesn't use `client secret`, update #242 to point to #323
- [ ] close this issue as done since there's a work issue for it and #328 also creates API clients with `client secret` enabled.

Putting this in the ice box until that PR is completed.
Dependency

#324

Overview

As discussed in #147, we need to implement app tokens in addition to user Cognito tokens so we can restrict access to approved apps only, i.e. VRMS, website, CTJ.

Action Items

- [ ] research ways to add app tokens in django and DRF
- [ ] compare a few if there's many and write a decision record (DR) on why we should choose one
- [ ] create a work issue to implement the app token

Resources/Instructions