=== Goal
Users need to be authenticated/authorized to use MPIC. To do that, we have a login screen where the user enters credentials (username/password), which are authenticated using CAS-SSO.
Keep in mind that all routes require authentication and authorization except where noted otherwise (so far, the existing `/api/v1/instrument` API endpoint).
From the [[https://docs.google.com/document/d/1ShOnODmq_RnRWE2h4oHIxyrCUDSjdL2zqDfT3aHp_lo|Instrument Configurator - Design Document]]:
> We propose authenticating and authorizing users using OpenID Connect, implemented in [[https://www.npmjs.com/package/openid-client|openid-client]], and
> [[https://www.npmjs.com/package/openid-client|CAS-SSO]] as the OpenID Connect Issuer. Because the app will not make API requests to any third parties, we propose
> implementing the [[https://www.npmjs.com/package/openid-client#authorization-code-flow|Authorization Code Flow]] and storing the user identity, session ID, and an
> HMAC in an httpOnly session cookie (herein “the session cookie”).
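
A sketch of the session cookie described in the quote above, added here as an example (not code from the design document or from openid-client). It covers only sealing and verifying the cookie value with an HMAC. The cookie name `mpic_session`, the `exp` field, the function names, and the `Secure`/`SameSite` attributes are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumption: in a real deployment the key comes from service configuration.
// It is generated here so the example runs offline.
const SESSION_SECRET = crypto.randomBytes(32);

function mac(payload, secret) {
  return crypto.createHmac('sha256', secret).update(payload).digest('base64url');
}

// Serialize the user identity and session ID, then append the HMAC.
function sealSession(session, secret = SESSION_SECRET) {
  const payload = Buffer.from(JSON.stringify(session)).toString('base64url');
  return `${payload}.${mac(payload, secret)}`;
}

// Returns the session object, or null when the value is malformed,
// fails the HMAC check, or has expired.
function openSession(value, secret = SESSION_SECRET, now = Date.now()) {
  if (typeof value !== 'string') return null;
  const parts = value.split('.');
  if (parts.length !== 2) return null;
  const expected = Buffer.from(mac(parts[0], secret));
  const given = Buffer.from(parts[1]);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  // The payload is parsed only after the HMAC has been verified.
  let session;
  try {
    session = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!session || typeof session.exp !== 'number' || session.exp <= now) return null;
  return session;
}

// Set-Cookie value: HttpOnly per the design; Secure and SameSite are added here.
function sessionCookieHeader(session, secret = SESSION_SECRET) {
  const value = sealSession(session, secret);
  return `mpic_session=${value}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample session (user name and lifetime are made up).
const sample = { user: 'example-user', sid: crypto.randomUUID(), exp: Date.now() + 3600000 };
console.log(sessionCookieHeader(sample));
console.log(openSession(sealSession(sample)));
```

A route guard would call `openSession` on the incoming cookie and treat `null` as unauthenticated.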
=== AC
[v] Add the MPIC idp client configuration (Done by the SRE team at {T361341})
[v] Get a client_id/client_secret to use IDP (Done by the SRE team)
[] In case we need user roles, we can create our own (`mpic-admins`, for example) and file a ticket to ask for the role creation (sample ticket: {T358650})
[] We have implemented an authentication and authorization mechanism using the Authorization Code Flow
[] Users can log in
[] Users can log out
=== Notes
- [[https://www.npmjs.com/package/openid-client|openid-client library for nodejs]]
- [[https://www.npmjs.com/package/openid-client#authorization-code-flow|Authorization Code Flow]]
- [[https://wikitech.wikimedia.org/wiki/CAS-SSO|Wikitech documentation for CAS-SSO]]