
Utilize QnABot idtoken and optionally pass to Kendra based authentication #513

Closed

Conversation

JasonHammett

The purpose of this change is to allow QnABot to be configured to pass an OpenID JWT to Kendra Index(es). It is controlled by the new configuration setting "ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH" which defaults to "false". If "ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH" is set to "true" and "_userInfo.isVerifiedIdentity" is "true", then QnABot will pass the idtoken with each Kendra Index query configured for fallback (i.e. ALT_SEARCH_KENDRA_INDEXES).

The primary changes have been made to the es-proxy-layer within the kendra.js file.
Supporting changes have been made to add a new Setting ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH with documentation.

The Settings that are in play:

  • ENFORCE_VERIFIED_IDENTITY = false (false allows for unauthenticated user as well as authenticated.)
  • IDENTITY_PROVIDER_JWKS_URLS = (set to appropriate cognito user pool and used to verify the user token is valid. If user is logged in and valid token, then UserInfo.isVerifiedIdentity=true)
  • ALT_SEARCH_KENDRA_INDEXES = (set to one Kendra Index)
  • ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH = false / true (false is default. true allows QnABot to send idtoken to Kendra)

Some notes about the 8 Use Cases:

  • CASE 1 through 4: User is NOT authenticated within Lex-Web-UI.
  • CASE 5 through 8: User is authenticated within Lex-Web-UI.
  • CASES 1,2 and 5,6 have Kendra Auth Enabled. Cases 3,4 and 7,8 have Kendra Auth Disabled.

The following 8 Use Cases have been explored:

CASE 1: Kendra Index has Auth Enabled. isVerifiedIdentity === "false". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === false.

  • User is NOT authenticated. Has no token to send to Kendra.
  • QnABot is NOT configured to send a token and user has NO token to send. NO token is sent.
  • Kendra Index has auth enabled, but does not require a token to be sent.
  • User will only get public content (not protected by ACLs).

CASE 2: Kendra Index has Auth Enabled. isVerifiedIdentity === "false". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === true.

  • User is NOT authenticated. Has no token to send to Kendra.
  • QnABot is configured to send a token but user has NO token to send. NO token is sent.
  • Kendra Index has auth enabled, but does not require a token to be sent.
  • User will only get public content (not protected by ACLs).

CASE 3: Kendra Index has Auth Disabled. isVerifiedIdentity === "false". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === false.

  • User is NOT authenticated. Has no token to send to Kendra.
  • QnABot is NOT configured to send a token and user has NO token to send. NO token is sent.
  • Kendra Index has auth disabled. Any Kendra Source ACLs are ignored.
  • User will get ALL content from the index since source ACLs are ignored.

CASE 4: Kendra Index has Auth Disabled. isVerifiedIdentity === "false". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === true.

  • User is NOT authenticated. Has no token to send to Kendra.
  • QnABot is configured to send a token but user has NO token to send. NO token is sent.
  • Kendra Index has auth disabled. Any Kendra Source ACLs are ignored.
  • User will get ALL content from the index since source ACLs are ignored.

CASE 5: Kendra Index has Auth Enabled. isVerifiedIdentity === true. ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === false.

  • User is authenticated. User has a token to send to Kendra.
  • QnABot is NOT configured to send a token even though user has a token to send. NO token is sent.
  • Kendra Index has auth enabled, but does not require a token to be sent.
  • User will only get public content (not protected by ACLs).

CASE 6: [EXPECTED PATH] Kendra Index has Auth Enabled. isVerifiedIdentity === "true". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === true.

  • User is authenticated. User has a token to send to Kendra.
  • QnABot is configured to send a token and user has a token to send. An idtoken is sent to Kendra Index query.
  • Kendra Index has auth enabled, but does not require a token to be sent.
  • User will only get public and private content based on their entitlements as protected by ACLs.

CASE 7: Kendra Index has Auth Disabled. isVerifiedIdentity === true. ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === false.

  • User is authenticated. User has a token to send to Kendra.
  • QnABot is NOT configured to send a token even though user has a token to send. NO token is sent.
  • Kendra Index has auth disabled. Any Kendra Source ACLs are ignored.
  • User will get ALL content from the index since source ACLs are ignored.

CASE 8: Kendra Index has Auth Disabled. isVerifiedIdentity === "true". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === true.

  • User is authenticated. User has a token to send to Kendra.
  • QnABot is configured to send a token and user has a token to send. An idtoken is sent to Kendra Index query.
  • Kendra Index has auth disabled. Any Kendra Source ACLs are ignored.
  • User will get no response as Kendra exception is thrown.
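The token-forwarding decision enumerated above, as an added JavaScript example that is not the PR's or QnABot's own code: the settings object, the userInfo shape, the idtoken parameter and the comma-separated index list are assumptions; UserContext.Token is the Kendra Query API field that carries an OpenID JWT.

```javascript
// Added example (not from the PR): models the two gates the PR describes.
// Settings may arrive as strings ("true") or booleans, so normalise once.
function isTrue(v) {
  return v === true || String(v).trim().toLowerCase() === "true";
}

// A token is forwarded only when BOTH hold:
//  1. the deployment opted in (ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH), and
//  2. the token was already verified against IDENTITY_PROVIDER_JWKS_URLS
//     (userInfo.isVerifiedIdentity === "true").
// An unverified or missing token is never passed through (cases 1-5, 7).
function shouldForwardToken(settings, userInfo, idtoken) {
  return isTrue(settings.ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH)
    && isTrue(userInfo && userInfo.isVerifiedIdentity)
    && typeof idtoken === "string" && idtoken.length > 0;
}

// Build one Kendra Query request per fallback index in ALT_SEARCH_KENDRA_INDEXES
// (assumed comma-separated). UserContext.Token is added only when allowed.
function buildKendraQueries(settings, userInfo, idtoken, queryText) {
  const indexes = String(settings.ALT_SEARCH_KENDRA_INDEXES || "")
    .split(",").map((s) => s.trim()).filter(Boolean);
  const forward = shouldForwardToken(settings, userInfo, idtoken);
  return indexes.map((IndexId) => {
    const params = { IndexId, QueryText: queryText };
    if (forward) params.UserContext = { Token: idtoken };
    return params;
  });
}

// Constructed sample run (case 6 vs case 2): same settings, verified vs not.
const SAMPLE_SETTINGS = {
  ALT_SEARCH_KENDRA_INDEXES: "idx-constructed-1, idx-constructed-2",
  ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH: "true",
};
const SAMPLE_TOKEN = "eyJ.constructed.jwt"; // placeholder, not a real JWT
console.log(buildKendraQueries(SAMPLE_SETTINGS, { isVerifiedIdentity: "true" }, SAMPLE_TOKEN, "leave policy"));
console.log(buildKendraQueries(SAMPLE_SETTINGS, { isVerifiedIdentity: "false" }, SAMPLE_TOKEN, "leave policy"));
```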

@rstrahan
Contributor

rstrahan commented Dec 5, 2022

@JasonHammett Thank you so much for this PR (sorry it took me so long to spot it - @chrislott tx for the nudge!). This is great functionality to add to QnABot, and will open up lots of additional use cases! Nice job clearly enumerating all the scenarios and updating the READMEs as well.
Hopefully we can get this into a release soon.. will discuss with the team.
Thank you.. awesome contribution!

@michaelin-96
Member

Hi @JasonHammett, this will be available in QnABot v6.0.0 release. Thanks for your contribution, closing this PR.
