Background/Goal
Deliver working prototype for MP Instrumentation Configuration (MPIC) T360647
This epic captures the collection of user stories and tasks related to the authentication and authorization of services in the MPIC application.
The MPIC standalone app must support OpenID and/or OAuth.
OpenID will allow us to authenticate users and authorize users using the Wikitech account via CAS-SSO. This flow is familiar to users who have authenticated with various Wikimedia-hosted apps, e.g. Superset and Turnilo.
The proposed authentication and authorization is OpenID Connect, implemented in openid-client, and CAS-SSO as the OpenID Connect Issuer. Because the app will not make API requests to any third parties, we propose implementing the Authorization Code Flow and storing the user identity, session ID, and an HMAC in an httpOnly session cookie (herein “the session cookie”).
KR/Hypothesis(Initiative)
SDS 2.5.5
If we build a service for instrument configuration, we can deliver a prototype that is flexible enough to scale in order to integrate with our future experimentation flagging solution.
Success metrics
- How we will measure success?
End users of the MPIC application are required to authenticate/authorize where applicable (protected routes).
In scope
- known scope:
- Security review of openid-client
- Has it already been security reviewed?
- Request new LDAP group for users of the app
- Implement Authorization Code Flow in app
- Implement post-auth flow LDAP group check
- Implement generic Double Submit Cookie methods for use when displaying forms
- Generate
- Validate
- Security review of openid-client
Out of Scope
- known boundaries TK