Implement ingest-api auth login from swagger #347

Open
5 tasks done
anayeaye opened this issue Apr 5, 2024 · 2 comments
anayeaye commented Apr 5, 2024

What

Currently administrators must manually post username and password to a token endpoint and copy-paste the token from the response for ingest operations. Update this auth flow to follow the more standard redirect to the auth provider for secure username and password form entry, then redirect back to the swagger docs.

AC

  • token auth urls are configurable by veda environment
  • cognito user pool updated to allow callback to veda ingest api docs
  • admins in the cognito user pool associated with backend stack can login via swagger docs
  • whoami response demonstrates the token is valid
  • token endpoint removed if no longer functional
@anayeaye anayeaye self-assigned this Apr 16, 2024
anayeaye (Collaborator, author) commented

UPDATE

Working
The feature/ingest_api/docs-auth-flow branch now

  1. Collects the cognito domain from the environment (this is the pattern expected for veda-deploy, which reads the cognito programmatic client secret and exports it to the runner environment).
  2. The ingest api now infers the authorization and token urls from that cognito domain.
  3. If the user pool is manually updated with the ingest API url, then when a user clicks the authorize button in the swagger docs they are redirected temporarily to the cognito hosted UI to provide username and password and then directed back to the docs.

Needs work
I put some time into programmatically updating the user pool client's hosted UI to add the ingest-api docs callback url using a custom resource + AwsSdkCall. I have backed these changes out to reconsider the approach.

Issue comment that inspired the spike
AWS Custom Resources SdkCall
Update user pool client docs

This snippet adds the desired callback url but stomps the rest of the hosted ui configuration including existing callback urls

```python
from aws_cdk import Stack
from aws_cdk import custom_resources as cr

# Append api to cognito client allowed callback urls with an AwsSdkCall.
# This runs inside the ingest-api construct: `self.api` is the REST API and
# `config` carries the Cognito user pool id and app client id.
stack_name = Stack.of(self).stack_name
oauth_redirect_url = f"{self.api.url.rstrip('/')}/docs/oauth2-redirect"
callback_urls = [oauth_redirect_url]

# UpdateUserPoolClient replaces the whole client configuration: CallbackURLs
# overwrites the existing list, and every omitted field falls back to its default.
update_callback_urls = cr.AwsSdkCall(
    service="@aws-sdk/client-cognito-identity-provider",
    action="UpdateUserPoolClientCommand",
    parameters={
        "UserPoolId": config.userpool_id,
        "ClientId": config.client_id,
        "CallbackURLs": callback_urls,
    },
    physical_resource_id=cr.PhysicalResourceId.from_response("UserPoolClient.ClientId"),
)
cr.AwsCustomResource(
    self,
    id="UpdateClientCallbackUrls",
    function_name=f"{stack_name}-UpdateClientCallbackUrls",
    policy=cr.AwsCustomResourcePolicy.from_sdk_calls(
        resources=cr.AwsCustomResourcePolicy.ANY_RESOURCE
    ),
    on_create=update_callback_urls,
    on_update=update_callback_urls,
)
```

These important configs for the Hosted UI get wiped out by the above AwsSdkCall:

  • Identity providers: Cognito user pool directory
  • OAuth grant types: Authorization code grant
  • OpenID Connect scopes: aws.cognito.signin.user.admin, email, openid, phone, profile

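Added example (not code from the issue or the veda-backend project) showing the read-modify-write the comment above is missing: the current app client settings are fetched first, the fields that `UpdateUserPoolClient` would otherwise reset are copied back verbatim, and only the swagger redirect URL is appended. The field list, function names and the `DescribeUserPoolClient` response below are assumptions; the response is a constructed sample, not real pool data.

```python
from typing import Any

# Fields returned by DescribeUserPoolClient that UpdateUserPoolClient resets to
# defaults when omitted. Copying them back makes the update a no-op for them.
# Read-only fields (ClientSecret, CreationDate, LastModifiedDate) are deliberately
# not in this allow-list because the update call rejects them.
PRESERVED_FIELDS = (
    "ClientName", "RefreshTokenValidity", "AccessTokenValidity", "IdTokenValidity",
    "TokenValidityUnits", "ReadAttributes", "WriteAttributes", "ExplicitAuthFlows",
    "SupportedIdentityProviders", "LogoutURLs", "DefaultRedirectURI",
    "AllowedOAuthFlows", "AllowedOAuthScopes", "AllowedOAuthFlowsUserPoolClient",
    "PreventUserExistenceErrors", "EnableTokenRevocation",
)

def swagger_redirect_url(api_url: str) -> str:
    """Swagger UI's OAuth2 redirect page served under the ingest API's /docs."""
    return f"{api_url.rstrip('/')}/docs/oauth2-redirect"

def merged_update_params(describe_response: dict[str, Any], callback_url: str) -> dict[str, Any]:
    """Build UpdateUserPoolClient kwargs = current settings + one extra callback URL.

    Idempotent: the URL is added once however often this runs, so the same
    parameters are safe for a custom resource's on_create and on_update.
    """
    client = describe_response["UserPoolClient"]
    params: dict[str, Any] = {"UserPoolId": client["UserPoolId"], "ClientId": client["ClientId"]}
    for field in PRESERVED_FIELDS:
        if field in client:
            params[field] = client[field]
    urls = list(client.get("CallbackURLs", []))
    if callback_url not in urls:
        urls.append(callback_url)
    params["CallbackURLs"] = urls
    return params

# Constructed sample response carrying the hosted-UI settings the issue says get wiped.
SAMPLE_DESCRIBE_RESPONSE = {
    "UserPoolClient": {
        "UserPoolId": "us-east-1_EXAMPLE", "ClientId": "exampleclientid",
        "ClientName": "veda-backend", "ClientSecret": "REDACTED-NOT-FOR-UPDATE",
        "SupportedIdentityProviders": ["COGNITO"],
        "CallbackURLs": ["https://existing.example/callback"],
        "AllowedOAuthFlows": ["code"],
        "AllowedOAuthScopes": ["aws.cognito.signin.user.admin", "email", "openid", "phone", "profile"],
        "AllowedOAuthFlowsUserPoolClient": True,
    }
}
```

In the real custom resource this would be an `AwsSdkCall` for `DescribeUserPoolClient` followed by `UpdateUserPoolClient` with the merged parameters, so the existing identity providers, grant types and scopes survive.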
anayeaye (Collaborator, author) commented

#356

botanical added a commit that referenced this issue Apr 29, 2024
### Issue

NASA-IMPACT/veda-data-airflow#134
#347

### What?

- Update get_username to fall back on `sub` if `username` doesn't exist
in token
- Added some more logging statements to make debugging easier in the
future

### Why?

- This fix is to enable a successful workflows API run since the
workflow API passes a token to backend API and it's currently erroring
- Also, `sub` is a more definitive identifier because it represents a
unique identifier compared to `username`

### Testing?

- Relevant testing details