Goal
Users need to be authenticated and authorized to use MPIC. To do that, MPIC has a login entry point that redirects the user to CAS-SSO, where they enter their credentials (username/password); CAS-SSO authenticates them and sends them back to MPIC with the result.
Keep in mind that all routes require authentication and authorization unless noted otherwise; so far the only exception is the /api/v1/instrument API endpoint.
From the Instrument Configurator - Design Document:
We propose authenticating and authorizing users using OpenID Connect, implemented in openid-client, and
CAS-SSO as the OpenID Connect Issuer. Because the app will not make API requests to any third parties, we propose
implementing the Authorization Code Flow and storing the user identity, session ID, and an
HMAC in an httpOnly session cookie (herein “the session cookie”).
AC
- Add the MPIC idp client configuration (Done by the SRE team at T361341: Add the MPIC idp client configuration)
- Get a client_id/client_secret to use the IDP (Done by the SRE team)
- If we need user roles, we can define our own group (for example mpic-admins) and file a ticket to request its creation (sample ticket: T358650: Create superset-admins LDAP group and populate with the current list of Admins from the production instance.)
- We have implemented the authentication and authorization mechanism using the Authorization Code Flow
- Users can log in
- Users can log out
Notes
- openid-client library for nodejs
- Authorization Code Flow
- Wikitech documentation for CAS-SSO
- There is a test IdP at https://idp-test.wikimedia.org/ which we should be able to use while developing locally