Implement authorization code flow with Azul and Data Browser (#7954)

[hannes-ucsc]

Linked issues: #7954

Notes

This PR has the upgrade label. Operator to add the required CL items to this PR and the corresponding promotion PR.

Checklist

Author

• PR is assigned to the author
• Status of PR is In progress
• PR is a draft
• Target branch is develop
• Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
• PR is linked to all issues it (partially) resolves
• Status of linked issues is In progress
• PR description links to linked issues
• PR title matches¹ that of a linked issue _{or comment in PR explains why they're different}
• PR title references all linked issues
• For each linked issue, there is at least one commit whose title references that issue

¹ when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (partiality)

• Added p tag to titles of partial commits
• This PR is labeled partial _{or completely resolves all linked issues}
• This PR partially resolves each of the linked issues _{or does not have the partial label}

Author (reindex)

• Added r tag to commit title _{or the changes introduced by this PR will not require reindexing of any deployment}
• This PR is labeled reindex:dev _{or the changes introduced by it will not require reindexing of dev}
• This PR is labeled reindex:anvildev _{or the changes introduced by it will not require reindexing of anvildev}
• This PR is labeled reindex:anvilprod _{or the changes introduced by it will not require reindexing of anvilprod}
• This PR is labeled reindex:prod _{or the changes introduced by it will not require reindexing of prod}
• This PR is labeled reindex:partial and its description documents the specific reindexing procedure for dev, anvildev, anvilprod and prod _{or requires a full reindex or carries none of the labels reindex:dev, reindex:anvildev, reindex:anvilprod and reindex:prod}

Author (mirror)

• This PR is labeled mirror:dev _{or the changes introduced by it will not require mirroring of dev}
• This PR is labeled mirror:anvildev _{or the changes introduced by it will not require mirroring of anvildev}
• This PR is labeled mirror:anvilprod _{or the changes introduced by it will not require mirroring of anvilprod}
• This PR is labeled mirror:prod _{or the changes introduced by it will not require mirroring of prod}
• This PR is labeled mirror:partial and its description documents the specific mirroring procedure for dev, anvildev, anvilprod and prod _{or requires a full mirroring or carries none of the labels mirror:dev, mirror:anvildev, mirror:anvilprod and mirror:prod}

Author (API changes)

• This PR and its linked issues are labeled API _{or this PR does not modify a REST API}
• Added a (A) tag to commit title for backwards (in)compatible changes _{or this PR does not modify a REST API}
• Updated REST API version number in app.py _{or this PR does not modify a REST API}

Author (upgrading deployments)

• Ran make docker_images.json and committed the resulting changes _{or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable}
• Documented upgrading of deployments in UPGRADING.rst _{or this PR does not require upgrading deployments}
• Added u tag to commit title _{or this PR does not require upgrading deployments}
• This PR is labeled upgrade _{or does not require upgrading deployments}
• This PR is labeled deploy:shared _{or does not modify docker_images.json, and does not require deploying the shared component for any other reason}
• This PR is labeled deploy:gitlab _{or does not require deploying the gitlab component}
• This PR is labeled deploy:runner _{or does not require deploying the runner image}

Author (hotfixes)

• Added F tag to main commit title _{or this PR does not include permanent fix for a temporary hotfix}
• Reverted the temporary hotfixes for any linked issues _{or the none of the stable branches (anvilprod and prod) have temporary hotfixes for any of the issues linked to this PR}

Author (before every review)

• Rebased PR branch on develop, squashed fixups from prior reviews
• Ran make requirements_update _{or this PR does not modify Dockerfile, environment, requirements*.txt, common.mk, Makefile or environment.boot}
• Added R tag to commit title _{or this PR does not modify requirements*.txt}
• This PR is labeled reqs _{or does not modify requirements*.txt}
• make integration_test passes in personal deployment _{or this PR does not modify functionality that could affect the IT outcome}
• PR is awaiting requested review from a peer
• Status of PR is Review requested
• PR is assigned to only the peer and the author

Peer reviewer (after approval)

Note that after requesting changes, the PR must be assigned to only the author.

• Actually approved the PR
• PR is not a draft
• PR is awaiting requested review from system administrator
• Status of PR is Review requested
• PR is assigned to only the system administrator and the author

System administrator (after approval)

• Actually approved the PR
• Labeled linked issues as demo or no demo
• Commented on linked issues about demo expectations _{or all linked issues are labeled no demo}
• Decided if PR can be labeled no sandbox
• A comment to this PR details the completed security design review
• PR title is appropriate as title of merge commit
• N reviews label is accurate
• Status of PR is Approved
• PR is assigned to only the operator and the author

Operator

• Checked reindex:… labels and r commit title tag
• Checked mirror:… labels
• Checked that demo expectations are clear _{or all linked issues are labeled no demo}
• Squashed PR branch and rebased onto develop
• Sanity-checked history
• Pushed PR branch to GitHub

Operator (deploy .shared and .gitlab components)

• Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Checked the items in the next section _{or this PR is labeled deploy:gitlab}
• PR is assigned to only the system administrator and the author _{or this PR is not labeled deploy:gitlab}

System administrator (post-deploy of .gitlab component)

• Background migrations for dev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• Background migrations for anvildev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• PR is assigned to only the operator and the author

Operator (deploy runner image)

• Ran _select dev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Ran _select anvildev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}

Operator (sandbox build)

• Added sandbox label _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab dev _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab anvildev _{or PR is labeled no sandbox}
• Build passes in sandbox deployment _{or PR is labeled no sandbox}
• Build passes in anvilbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in sandbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in anvilbox deployment _{or PR is labeled no sandbox}
• Deleted unreferenced indices in sandbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in sandbox}
• Deleted unreferenced indices in anvilbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in anvilbox}
• Started reindex in sandbox _{or this PR is not labeled reindex:dev}
• Started reindex in anvilbox _{or this PR is not labeled reindex:anvildev}
• Checked for failures in sandbox _{or this PR is not labeled reindex:dev}
• Checked for failures in anvilbox _{or this PR is not labeled reindex:anvildev}
• Started mirroring in sandbox _{or this PR is not labeled mirror:dev}
• Started mirroring in anvilbox _{or this PR is not labeled mirror:anvildev}
• Checked for failures in sandbox _{or this PR is not labeled mirror:dev}
• Checked for failures in anvilbox _{or this PR is not labeled mirror:anvildev}

Operator (merge the branch)

• All status checks passed and the PR is mergeable
• The title of the merge commit starts with the title of this PR
• Added PR # reference to merge commit title
• Collected commit title tags in merge commit title _{but only included p if the PR is also labeled partial}
• Pushed merge commit to GitHub
• Status of PR is Merged lower
• Status of blocked issues is Triage _{or no issues are blocked on the linked issues}

Operator (main build)

• Pushed merge commit to GitLab dev
• Pushed merge commit to GitLab anvildev
• Build passes on GitLab dev
• Reviewed build logs for anomalies on GitLab dev
• Build passes on GitLab anvildev
• Reviewed build logs for anomalies on GitLab anvildev
• Ran _select dev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}

Operator (upgrading)

• Followed instructions in UPGRADING.rst for dev
• Followed instructions in UPGRADING.rst for anvildev

Operator (main build cont'd)

• Deleted PR branch from GitHub
• PR is assigned to only the operator
• Deleted PR branch from GitLab dev
• Deleted PR branch from GitLab anvildev
• Status of linked issues is Lower, or Triage, if PR is partial

Operator (reindex)

• Deindexed all unreferenced catalogs in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed all unreferenced catalogs in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Deindexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Indexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Indexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Started reindex in dev _{or this PR does not require reindexing dev}
• Started reindex in anvildev _{or this PR does not require reindexing anvildev}
• Checked for, triaged and possibly requeued messages in both fail queues in dev _{or this PR does not require reindexing dev}
• Checked for, triaged and possibly requeued messages in both fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Emptied fail queues in dev _{or this PR does not require reindexing dev}
• Emptied fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Restarted the Data Browser pipeline for the ucsc/hca/dev branch on GitLab in dev _{or this PR does not require reindexing dev}
• Restarted the Data Browser pipeline for the ucsc/lungmap/dev branch on GitLab in dev _{or this PR does not require reindexing dev}
• Restarted deploy_browser job in the GitLab pipeline for this PR in dev _{or this PR does not require reindexing dev}
• Restarted the Data Browser pipeline for the ucsc/anvil/anvildev branch on GitLab in anvildev _{or this PR does not require reindexing anvildev}
• Restarted deploy_browser job in the GitLab pipeline for this PR in anvildev _{or this PR does not require reindexing anvildev}

Operator (mirroring)

• Started mirroring in dev _{or this PR is not labelled mirror:dev}
• Started mirroring in anvildev _{or this PR is not labelled mirror:anvildev}
• Checked for, triaged and possibly requeued messages in mirror fail queue in dev _{or this PR is not labelled mirror:dev}
• Checked for, triaged and possibly requeued messages in mirror fail queue in anvildev _{or this PR is not labelled mirror:anvildev}
• Emptied mirror fail queue in dev _{or this PR is not labelled mirror:dev}
• Emptied mirror fail queue in anvildev _{or this PR is not labelled mirror:anvildev}

Operator

• Propagated Operator (upgrading) section relevant to the promotion PRs
• Propagated the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod, reindex:prod, mirror:partial, mirror:anvilprod and mirror:prod labels to the next promotion PRs _{or this PR carries none of these labels}
• Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod, reindex:prod, mirror:partial, mirror:anvilprod and mirror:prod labels, from the description of this PR to that of the next promotion PRs _{or this PR carries none of these labels}
• PR is assigned to no one

Shorthand for review comments

• L line is too long
• W line wrapping is wrong
• Q bad quotes
• F other formatting problem

[codecov]

Codecov Report

❌ Patch coverage is 61.68224% with 41 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.93%. Comparing base (e24cb4a) to head (7c0f020).
⚠️ Report is 11 commits behind head on develop.

Files with missing lines	Patch %	Lines
src/azul/service/user_controller.py	61.76%	13 Missing ⚠️
test/integration_test.py	0.00%	11 Missing ⚠️
src/azul/service/user_service.py	59.09%	9 Missing ⚠️
src/azul/oauth2.py	77.77%	8 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #7961      +/-   ##
===========================================
- Coverage    85.01%   84.93%   -0.08%     
===========================================
  Files          162      164       +2     
  Lines        23341    23422      +81     
===========================================
+ Hits         19843    19894      +51     
- Misses        3498     3528      +30     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coveralls]

coverage: 85.017% (-0.08%) from 85.093% — issues/hannes-ucsc/7954-oauth-flow into develop

[hannes-ucsc]

This comment was generated by Claude Code.

Security Design Review

PR: Implement authorization code flow with Azul and Data Browser (#7954)
Scope: New POST /user/authorize endpoint, UserController, UserService, refactoring of OAuth2Client into OAuth2Client + CredentialedClient

Architecture Summary

This PR implements the Backend-for-Frontend (BFF) pattern for OAuth 2.0 authorization code exchange. A browser-based SPA (Data Browser) obtains an authorization code from Google's authorization server via the Google Sign-In JS library, then sends that code to Azul's new /user/authorize endpoint. Azul exchanges the code for tokens server-side using the client secret, strips the refresh token, and returns the access token and ID token to the browser.

Positive Security Properties

1. BFF pattern correctly applied: The client secret never reaches the browser. The refresh token is explicitly stripped (response.pop('refresh_token')) before returning to the client. This follows the IETF draft best practice for browser-based apps (draft-ietf-oauth-browser-based-apps, section 6.1).

2. Client secret stored in AWS Secrets Manager (user_service.py:28-31): Fetched on each invocation (not cached in memory long-term), limiting exposure window.

3. Type validation on request and response: Both the incoming Authorization and outgoing TokenForCodeResponse are validated with is_of_type(), ensuring structural conformance. Unknown request fields are stripped via the annotation-key filter (user_controller.py:141-145).

4. Security headers: The existing middleware applies HSTS, CSP (default-src 'self', frame-ancestors 'none'), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and X-XSS-Protection.

5. redirect_uri: 'postmessage' is the correct, standard approach for Google's JS-library-initiated authorization code flows, and restricts code exchange to the postMessage channel.

6. No authentication required (interactive=False): Correct — this endpoint IS the authentication mechanism. Requiring prior auth would be circular.

Findings

Finding 1 (Low, fixed): Scope check used substring matching
user_service.py:38: 'openid' in authorization['scope'] performed a Python substring check on the scope string. Fixed by splitting on whitespace before checking membership.

Finding 2 (Low, accepted): Token values in assertion message
user_service.py:47: assert 'id_token' in response, response uses the full TokenForCodeResponse dict (containing access_token, refresh_token) as the assertion message. This is a bare assertion (not wrapped in R()), so it correctly propagates as a 500 internal error rather than a 400. Chalice's _unhandled_exception_to_response() returns the full traceback (including the assertion message) only when debug is True (AZUL_DEBUG > 1). In production and shared deployments (AZUL_DEBUG 0 or 1), the client receives a generic InternalServerError message. The token values do appear in CloudWatch logs via exc_info=True, but that is server-side only. Personal dev deployments with AZUL_DEBUG=2 would expose tokens in the HTTP response, but only to the developer using their own tokens.

Finding 3 (Informational): Wildcard CORS
cors=True in Chalice defaults to Access-Control-Allow-Origin: *. For this specific endpoint this is acceptable because: (a) it doesn't use cookies/credentials, (b) authorization codes are single-use and unguessable, and (c) the response only contains the caller's own tokens. Restricting origins to the Data Browser domain would be defense-in-depth but is not strictly necessary.

Finding 4 (Informational): PKCE not enforced client-side
The flow does not appear to enforce PKCE. Since the BFF holds a client secret, PKCE is not strictly required for security — an intercepted authorization code cannot be exchanged without the secret. Google may enforce PKCE server-side depending on client type configuration.

Conclusion

No blocking issues found. All findings are low or informational severity.

[hannes-ucsc]

Security design review

• Security design review completed; this PR does not …
  • … affect authentication; for example: Implement authorization code flow with Azul and Data Browser (#7954) #7961 (comment)
    • OAuth 2.0 with the application (API or Swagger UI)
    • Authentication of developers with Google Cloud APIs
    • Authentication of developers with AWS APIs
    • Authentication with a GitLab instance in the system
    • Password and 2FA authentication with GitHub
    • API access token authentication with GitHub
    • Authentication with Terra
  • … affect the permissions of internal users like access to
    • Cloud resources on AWS and GCP
    • GitLab repositories, projects and groups, administration
    • an EC2 instance via SSH
    • GitHub issues, pull requests, commits, commit statuses, wikis, repositories, organizations
  • … affect the permissions of external users like access to
    • TDR snapshots
  • … affect permissions of service or bot accounts
    • Cloud resources on AWS and GCP
  • … affect audit logging in the system, like
    • adding, removing or changing a log message that represents an auditable event
    • changing the routing of log messages through the system
  • … affect monitoring of the system
  • … introduce a new software dependency like
    • Python packages on PYPI
    • Command-line utilities
    • Docker images
    • Terraform providers
  • … add an interface that exposes sensitive or confidential data at the security boundary
  • … affect the encryption of data at rest
  • … require persistence of sensitive or confidential data that might require encryption at rest
  • … require unencrypted transmission of data within the security boundary
  • … affect the network security layer; for example by
    • modifying, adding or removing firewall rules
    • modifying, adding or removing security groups
    • changing or adding a port a service, proxy or load balancer listens on
• Documentation on any unchecked boxes is provided in comments below

[hannes-ucsc]

@achave11-ucsc please note the Notes section.

[achave11-ucsc]

Pro forma approval.