
[FEATURE] Integrate new authentication system #396

Open
mihail-varbanov opened this issue Nov 16, 2020 · 0 comments
Labels
Type: Feature Request Requesting new functionality

Comments


mihail-varbanov commented Nov 16, 2020

Re: University Monday 2020/11/09 - 2020/11/10

5 Misho, please take a look at https://github.com/rokmetro/auth-service. I believe you have access to the ROKMETRO GitHub org, but let me know if not. JP wants us to integrate this into Safer so we can use a common "middle man" for Login/Authentication systems, and in addition bring the Rokwire and Rokmetro sources closer together. Petyo should also look, as to get the whole system working there obviously need to be changes in all of the apps and services as well. Let me know your thoughts.

University Thursday 2020/11/12

2 Petyo/Misho - More on Safer and Stephen's Auth

No documentation yet. Here is what Stephen had written before as a summary:

"Essentially, we have rearchitected the authentication systems in the building blocks into a centralized auth service to provide a more consistent, maintainable and configurable approach to authentication. Our main goal was to be able to quickly and easily integrate with any authentication system we come across without having to modify every service individually. We also wanted to standardize and control permission groups within the ecosystem rather than delegating this to identity providers directly. The flow we have implemented is as follows:

  1. Client performs login with identity provider (e.g. Shibboleth, phone authentication with Twilio or Firebase, other OIDC providers... etc) and retrieves ID token (JWT)
  2. Client forwards ID token to central auth service
  3. Auth service validates token, extracts identity claims (uuid, name, email, phone... etc) and queries permissions database to retrieve standardized permission groups for this user based on their uuid and token issuer
  4. Auth service generates a temporary access token (JWT) with the identity claims and permission groups signed with the auth service RSA private key and returns it to client
  5. Client sends temporary access token in Authorization header for all requests to user authenticated endpoints for all building blocks
  6. Building blocks validate temporary auth token using auth service RSA public key and retrieve standardized permission groups from the claims to check for admin access...etc
  7. When temporary access token expires, client queries auth service again with the identity provider ID token to get new token

We also plan to update the admin app to interface with this new system. We would like to allow users to sign up with an email and password using a phone number for two-factor authentication (we have replaced Twilio with Firebase for phone authentication so we are implementing this with Firebase) to allow non-university admins to get access. Since the permission groups for users are now stored in our own database, we would also like to provide certain admins with the ability to set user permissions using an interface within the admin app."

He will also be pointing out some key points and providing access to his Dev environment. You should also grab his Safer Community app and try it.

We will want to use a static ClientId so that eventually our app config has API base URLs that end with it. Basically our source will be multi tenant but a single tenant model. This also means all BB will need to use the client ID in their documents etc.

Stephen from Slack

Hi everyone, here is some of the information that you will need to try out our APIs and view our databases. Let me know if you have trouble accessing anything that you need. Our latest updates should be on the develop branch for all of our services. If you have specific questions, or need help finding anything feel free to reach out. Thanks for all your help!

MongoDB

  • Connection string: mongo "mongodb+srv://cluster0.rmcsk.mongodb.net/" --username
  • Databases:
    • dev_adminconfigs
    • dev_appconfigs
    • dev_auth
    • dev_dining
    • dev_events
    • dev_health
    • dev_keys
    • dev_polls
    • dev_profiles
    • dev_talent

Services

  • Sample clientID: ...
  • Sample API Key: ....
  • Auth identity token (see Token Authentication procedure): ...
  • Current Permission Groups: admin_app
  • Token Authentication
    • Description: In order to access Rokwire APIs, you will need to use an identity token provided by ROKMETRO to get a temporary API access token
    • Procedure:
      1. GET /swap-token with identity token prefixed by "Bearer " to get temporary API access token
      2. Query all Rokwire APIs with access token in Authorization header prefixed by "Bearer "
      3. Access token expires after 1 hour (services will return 401)
      4. Repeat steps 1-4
    • APIs
      • Host:
      • /swap-token
        • GET
          • Description: Swap identity token for temporary access token
          • Headers:
            • ROKWIRE-API-KEY: API key (required). See Procedure above
            • Authorization: identity token (required). See Procedure above
          • Parameters:
            • clientID: string (path)
          • Response:
            • Status Codes:
              • 200:
                • Body: access token (string)
              • Others - Check body for error message
  • Service Base URLs: https://{application}.api.{env}.services.rokmetro.com/{clientID}
    • Envs:
      • dev
      • prod
    • Applications:
      • auth
      • health
      • dining
      • talent-chooser
      • appconfig
      • poll
      • logging
      • events
      • profiles
      • sports
      • admin

For an example of how to use the auth service in a client, check https://github.com/rokmetro/safer-app/blob/e3292c9453d23963c0aaebcf80285921d144e627/lib/service/Auth.dart#L361
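The token flow quoted in this issue (step 4, the auth service signing a temporary JWT with its RSA private key; step 6, a building block verifying it with the public key and reading permission groups; step 7 and the 1-hour expiry that produces the 401) as an added, self-contained example. This is not code from rokmetro/auth-service or safer-app: the claim names (`groups`, `exp`, `sub`), the demo key pair and the sample claims are constructed assumptions for illustration, and the token is built with the standard library rather than a JWT package so every check is visible.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AccessClaims is the payload of the temporary access token (step 4): identity
// claims plus permission groups. Claim names are assumptions for this example.
type AccessClaims struct {
	Subject   string   `json:"sub"` // user uuid from the identity provider
	Groups    []string `json:"groups"`
	ExpiresAt int64    `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newKey stands in for the auth service's RSA key pair (constructed for the demo).
func newKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// MintAccessToken is step 4: the auth service signs the claims with its private
// key (RS256, i.e. RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload").
func MintAccessToken(priv *rsa.PrivateKey, c AccessClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// ValidateAccessToken is step 6: a building block holds only the public key. It
// pins the algorithm before verifying (so "alg":"none" or an HMAC token is refused),
// checks the signature, then expiry; an expired token is the 401 of step 7.
func ValidateAccessToken(pub *rsa.PublicKey, token string, now time.Time) (*AccessClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var c AccessClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// HasGroup is the per-endpoint check in step 6, e.g. HasGroup(c, "admin_app").
func HasGroup(c *AccessClaims, group string) bool {
	for _, g := range c.Groups {
		if g == group {
			return true
		}
	}
	return false
}

func main() {
	priv, now := newKey(), time.Now()
	tok, _ := MintAccessToken(priv, AccessClaims{Subject: "uuid-1", Groups: []string{"admin_app"}, ExpiresAt: now.Add(time.Hour).Unix()})
	c, err := ValidateAccessToken(&priv.PublicKey, tok, now)
	fmt.Println("fresh token:", err, c != nil && HasGroup(c, "admin_app"))
	_, err = ValidateAccessToken(&priv.PublicKey, tok, now.Add(2*time.Hour))
	fmt.Println("two hours later:", err)
}
```

The order of checks matters: the algorithm is pinned and the signature verified before the payload is trusted, so a token whose header claims a different algorithm, or that was signed by a key other than the auth service's, never reaches the permission-group check. Only the public key is needed on the building-block side, which is what lets every service validate tokens without talking to the auth service on each request.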

@mihail-varbanov mihail-varbanov added the Type: Feature Request Requesting new functionality label Nov 16, 2020
@mihail-varbanov mihail-varbanov self-assigned this Nov 16, 2020
mihail-varbanov pushed a commit that referenced this issue Dec 21, 2020
@mihail-varbanov mihail-varbanov mentioned this issue Dec 21, 2020
mihail-varbanov pushed a commit that referenced this issue Dec 23, 2020
mihail-varbanov pushed a commit that referenced this issue Dec 30, 2020
Refresh auth token before refreshing rokmetro token (#396).