wellcomecollection / identity

Identity services for Wellcome Collection users
MIT License

Adds an Auth0 client for the IIIF Image APIs #405

Closed kenoir closed 2 months ago

kenoir commented 2 months ago

What does this change?

This change adds an Auth0 client for the staging and production tenants. This is required in order to allow the IIIF Image APIs to authenticate and authorize users to view restricted images.

This change creates secrets in the Digirati AWS account that can be consumed to configure the Image API service at the paths:

Related to: https://github.com/wellcomecollection/identity/pull/403

Part of: https://github.com/wellcomecollection/platform/issues/5747

[!WARNING] This terraform change is applied; until this is merged, other terraform changes are blocked.

terraform plan

Terraform will perform the following actions:

  # auth0_client.iiif_image_api will be created
  + resource "auth0_client" "iiif_image_api" {
      + allowed_logout_urls                 = [
          + "https://iiif.wellcomecollection.org/auth/v2/access/2/eden/logout",
        ]
      + app_type                            = "regular_web"
      + callbacks                           = [
          + "https://iiif.wellcomecollection.org/auth/v2/access/eden/oauth2/callback",
        ]
      + client_id                           = (known after apply)
      + client_secret                       = (sensitive value)
      + custom_login_page_on                = (known after apply)
      + grant_types                         = [
          + "authorization_code",
          + "refresh_token",
          + "implicit",
          + "client_credentials",
        ]
      + id                                  = (known after apply)
      + is_first_party                      = true
      + is_token_endpoint_ip_header_trusted = (known after apply)
      + name                                = "IIIF Image API"
      + oidc_conformant                     = (known after apply)
      + signing_keys                        = (sensitive value)
      + token_endpoint_auth_method          = (known after apply)
    }

  # module.secrets_iiif_image_api.aws_secretsmanager_secret.secret["wellcome/identity/prod/iiif_image_api/auth0_client_id"] will be created
  + resource "aws_secretsmanager_secret" "secret" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = "wellcome/identity/prod/iiif_image_api/auth0_client_id"
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags_all                       = {
          + "Environment"               = "prod"
          + "ManagedBy"                 = "Terraform"
          + "Project"                   = "Identity"
          + "TerraformConfigurationURL" = "https://github.com/wellcomecollection/identity/tree/main/infra/scoped"
        }
    }

  # module.secrets_iiif_image_api.aws_secretsmanager_secret.secret["wellcome/identity/prod/iiif_image_api/auth0_client_secret"] will be created
  + resource "aws_secretsmanager_secret" "secret" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = "wellcome/identity/prod/iiif_image_api/auth0_client_secret"
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags_all                       = {
          + "Environment"               = "prod"
          + "ManagedBy"                 = "Terraform"
          + "Project"                   = "Identity"
          + "TerraformConfigurationURL" = "https://github.com/wellcomecollection/identity/tree/main/infra/scoped"
        }
    }

  # module.secrets_iiif_image_api.aws_secretsmanager_secret_version.secret["wellcome/identity/prod/iiif_image_api/auth0_client_id"] will be created
  + resource "aws_secretsmanager_secret_version" "secret" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

  # module.secrets_iiif_image_api.aws_secretsmanager_secret_version.secret["wellcome/identity/prod/iiif_image_api/auth0_client_secret"] will be created
  + resource "aws_secretsmanager_secret_version" "secret" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

Plan: 5 to add, 0 to change, 0 to destroy.

How to test

The Digirati test client should allow users to sign in without error: https://tomcrane.github.io/iiif-auth-client/?manifest=https://iiif.wellcomecollection.org/presentation/b20146267

How can we measure success?

Users for the Wellcome Collection with the appropriate roles can view restricted images.

Have we considered potential risks?

We must be careful that this change does not modify or delete any existing resources! The terraform apply indicates this is not the case.
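One way to enforce the risk check above mechanically, as an added example that is not code from the wellcomecollection/identity repository: a pre-apply gate that reads the machine-readable plan from `terraform show -json tfplan`, refuses any plan that would update, replace or destroy an existing resource, and lints the planned `auth0_client` values (https-only redirect URLs; the legacy `implicit` grant flagged). The embedded plan is a constructed sample mirroring the plan quoted in the PR, cut down to the fields the check reads.

```python
"""Gate a Terraform plan so it is create-only before `terraform apply`.

Added example, not code from the wellcomecollection/identity repository. Input is the
machine-readable plan from `terraform show -json tfplan`; SAMPLE_PLAN_JSON is constructed
to mirror the plan quoted in the PR, reduced to the fields this check reads.
"""
import json

SAMPLE_PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "auth0_client.iiif_image_api", "type": "auth0_client",
     "change": {"actions": ["create"], "after": {
         "app_type": "regular_web",
         "callbacks": ["https://iiif.wellcomecollection.org/auth/v2/access/eden/oauth2/callback"],
         "allowed_logout_urls": ["https://iiif.wellcomecollection.org/auth/v2/access/2/eden/logout"],
         "grant_types": ["authorization_code", "refresh_token", "implicit", "client_credentials"]}}},
    {"address": 'module.secrets_iiif_image_api.aws_secretsmanager_secret.secret["wellcome/identity/prod/iiif_image_api/auth0_client_id"]',
     "type": "aws_secretsmanager_secret",
     "change": {"actions": ["create"], "after": {"recovery_window_in_days": 30}}},
]})

# Terraform encodes a replacement as ["delete", "create"], so whole action sets are compared.
ALLOWED_ACTIONS = ({"no-op"}, {"read"}, {"create"})

def unsafe_changes(plan_json: str) -> list:
    """(address, actions) for every resource the plan would update, replace or destroy."""
    plan = json.loads(plan_json)
    return [(rc["address"], sorted(rc["change"]["actions"]))
            for rc in plan.get("resource_changes", [])
            if set(rc["change"]["actions"]) not in ALLOWED_ACTIONS]

def count_creates(plan_json: str) -> int:
    """Resources to be created; should equal the N in Terraform's 'Plan: N to add' line."""
    plan = json.loads(plan_json)
    return sum(rc["change"]["actions"] == ["create"] for rc in plan.get("resource_changes", []))

def auth0_client_findings(plan_json: str) -> list:
    """Lint planned auth0_client values: redirect URLs must be https; flag the legacy implicit grant."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc["change"].get("after") or {}
        if rc["type"] != "auth0_client" or not after:
            continue
        for key in ("callbacks", "allowed_logout_urls"):
            findings += [f"{rc['address']}: {key} is not https: {u}" for u in after.get(key) or [] if not u.startswith("https://")]
        if "implicit" in (after.get("grant_types") or []):
            findings.append(f"{rc['address']}: grant_types includes 'implicit' (OAuth 2.0 Security BCP advises against it)")
    return findings

if __name__ == "__main__":
    problems = unsafe_changes(SAMPLE_PLAN_JSON)
    print("create-only, safe to apply" if not problems else f"BLOCKED: {problems}", auth0_client_findings(SAMPLE_PLAN_JSON))
```

In a pipeline the JSON plan would be read from the file produced by `terraform show -json`, and a non-empty result from `unsafe_changes` would fail the job before apply runs.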