Authentication & Authorisation

[fredx30]

This concerns the implementation of OpenID Connect as a mechanism for authentication and eventually possibly also and implementation of authorisation.
TODOs ->

• Review callback url:s for the azure app reg.
• Investigate getting delegated controll for the app reg.
• Write down thoughts about nice-to-haves.
• Write down must haves.

Documentation

• Document - OIDC Configuration Process #91
• Document - Wharf Configuration Process
  • Auth config - via helm-values. Add values for oidc validation config. wharf-helm#45
  • Auth config - via docker-compose
  • Auth config - running as a binary

Changes for swagger

• Enable auth for interaction
• Whitelist swagger app

Changes wharf web

• Initial tracerbullet Authentication wharf-web#70
  • Insecure warning? (when querying backend on http) - This may be sufficiently handled by the browser.
  • Warning http request fail 401
  • Warning http request fail 403
  • Redirection to /unauthorized?
  • Redirection to /forbidden?
  • Automatic redirection to login on 401 error? (This sort of solves the issues of requireing login for the intro screen)
• Improve error handling
• Simplifying configuration
  • https://github.com/iver-wharf/wharf-web/pull/138/files

Changes for the api regarding authentication

• Solve cors config for local-dev, docker-dev, and k8s type configurations. Allow cred/authorization header CORS wharf-api#101
• Initial tracerbullet Add OIDC access token validation wharf-api#107

Changes to wharf-helm

• Add frontend configuration to helm-values file. Add web OIDC config wharf-helm#31
• Add backend configuration to the helm-values file. Add values for oidc validation config. wharf-helm#45

Changes api to implement authorization

• Paths/Path-groups need to individually verify scopes from the token.
• Communicate with admins for the app reg about creating groups and delegating controll to controll over included poeple.