Commit

feat: tenant docs

rushtong committed Sep 23, 2024
1 parent 4ffce4c commit 402c87b
Showing 1 changed file with 17 additions and 2 deletions.
19 changes: 17 additions & 2 deletions docs/Authentication.md
@@ -40,7 +40,10 @@ sequenceDiagram

DUOS uses the [oidc-client-ts](https://github.com/authts/oidc-client-ts) library
to facilitate user authentication through either Google or Microsoft. Once authenticated,
the library provides DUOS with user claims information about the authenticated identity.
the library provides DUOS with user information about the authenticated identity and an
access token that can be verified/validated in a proxy layer that sits in front of each
service DUOS communicates with.

DSP's tenant requests claims that are [configured here](https://github.com/broadinstitute/terraform-ap-deployments/blob/master/azure/b2c/policies/SignUpOrSignin.xml.tftpl).
Once authenticated, the DUOS application will use the `oidc-client-ts` library to access
an identity's `access_token` and make API calls using it. All downstream API servers are
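Review bot: the replacement sentence ("an access token that can be verified/validated in a proxy layer that sits in front of each service DUOS communicates with") names a proxy but not what it checks, so a reader cannot tell which token properties the downstream services rely on the proxy for; since the next paragraph says DUOS makes API calls with that `access_token`, this is the point where the trust boundary should be spelled out. Suggest picking one verb and stating the checks, e.g. "an access token that the proxy in front of each downstream service validates (signature, issuer, audience and expiry) before forwarding the request", or pointing the reader to the "Server Auth Flow" section below, which is where the proxy's verification is described. Minor: "Once authenticated," now opens this paragraph and the following one, so the second occurrence reads as a repeat.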
@@ -79,9 +82,21 @@ sequenceDiagram
UserManager -->> oidc-client-ts: clearStaleState
```

### DSP's B2C Tenant Choices
### DSP's B2C Tenant
![B2C Tenant Choice](b2c_tennant.png)

DSP maintains resources in Azure that allow for a customized tenant in
https://github.com/broadinstitute/terraform-ap-deployments/tree/master/azure/b2c

* In `assets`, there is a unified_simple.html file that serves as a template for a sign-in page
* In `policies`, there is a `TrustFrameworkBase.xml.tftpl` that references that template
* In `policies`, there is a `TrustFrameworkBaseExtension.xml.tftpl` that references that TrustFrameworkBase
* In `policies`, there is a `SignUpOrSignin.xml.tftpl` that references that TrustFrameworkExtension

For DUOS, we have custom versions of each that have new profile name, `B2C_1A_signup_signin_duos_<env>`.
The profile name is used as a parameter to the OIDC tenant. The UI the tenant shows is based on
that profile name.

### Server Auth Flow

Back-end servers are each configured with a proxy that can verify a token
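Review bot: the new image line `![B2C Tenant Choice](b2c_tennant.png)` references a file this commit does not add (the commit touches only docs/Authentication.md), and the filename spells "tennant" with a double n, so unless an identically misspelled image already exists next to the doc the link will render broken; either commit the image or correct the path. The bullet list is also inconsistent with itself: the third bullet introduces `TrustFrameworkBaseExtension.xml.tftpl`, but the fourth refers to it as "TrustFrameworkExtension", and `unified_simple.html` is the only filename in the list not in backticks. Finally, the heading was renamed from "DSP's B2C Tenant Choices" to "DSP's B2C Tenant" while the image alt text still says "B2C Tenant Choice", and "have new profile name" should read "have a new profile name".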