
provide an initial implementation

Dr Rich Wareham requested to merge initial-implementation into main

Provides an MVP implementation of a login and consent webapp. The emphasis here is on the "M". In particular we hard-code the list of supported scopes pending some API Gateway-side work (#3 (closed)).

The actual functionality of the app is in login/views.py and login/gateway.py. The remainder of the app is various bits of Django ceremony to wire those things together.

I've tried to minimise the required settings. In particular we make use of the OpenID discovery endpoint to configure a lot of the OAuth2-related settings.

A required setting includes the expected audience for the session id JWT from the Gateway. It is tempting to form this dynamically from the incoming request but that puts something which is used for token verification under the control of the incoming request's headers which risks confused-deputy style attacks[1].

Despite being functional and deployable as is, this app needs some further work.

We implement the webapp using the traditional Project Light templates for speed of implementation. The UI needs a designer's eye (#4 (closed)).

If the requested scopes include "profile" then we fetch very basic user claims from Lookup. This is essentially just the display name at the moment. We can add given names, surnames, profile pictures, etc at a later date (#1 (closed)).

Most importantly, I think this app is an opportunity to require 2SV from the get-go for applications using the API Gateway. This is implemented in the MVP by means of a small API published by the Gateway but I've opened (#2 (closed)) to track improving the user docs for this since it's not part of the MVP.

Part of https://gitlab.developers.cam.ac.uk/uis/devops/api/gateway-ops/-/issues/66

[1] https://en.wikipedia.org/wiki/Confused_deputy_problem

Edited by Dr Rich Wareham
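The audience point made above, shown as an added example that is not part of this merge request or of the project's code. It contrasts verifying the Gateway session JWT against a fixed `EXPECTED_AUDIENCE` setting with the tempting shortcut of deriving the audience from the incoming request's `Host` header. Everything here is an assumption for illustration: the key, issuer and audience values are constructed, the token is signed with HS256 using a shared secret (the MR does not say which algorithm or keys the Gateway uses; a real verifier would take the issuer and JWKS from the OpenID discovery document), and `gateway_session` stands in for whatever `login/gateway.py` actually does.

```python
"""Fixed-audience JWT verification versus an audience taken from the request."""
import base64
import hashlib
import hmac
import json
import time

# Constructed example values. In the real app these would come from Django settings
# (the audience) and from the OpenID discovery document (the issuer, signing keys).
SIGNING_KEY = b"constructed-example-secret-do-not-use"
ISSUER = "https://gateway.example.invalid"
EXPECTED_AUDIENCE = "https://login-consent.example.invalid"


class TokenError(ValueError):
    """Raised when a session token fails verification."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Produce an HS256 JWT; stands in for the Gateway issuing a session id token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, expected_audience: str, issuer: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; return the claims or raise TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("undecodable token")
    # Pin the algorithm rather than trusting whatever the header claims.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise TokenError("audience mismatch")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= float(claims["exp"]):
        raise TokenError("token expired")
    return claims


def audience_from_request(headers: dict) -> str:
    """The tempting shortcut: whoever controls the Host header now controls the check."""
    return "https://" + headers["Host"]


def gateway_session(token: str, headers: dict, key: bytes, *, derive_from_request: bool) -> dict:
    """Hypothetical stand-in for the app's session verification. Only the
    derive_from_request=False path is safe; the other is the confused deputy."""
    audience = audience_from_request(headers) if derive_from_request else EXPECTED_AUDIENCE
    return verify_token(token, key, audience, ISSUER)


def demo() -> dict:
    """Token minted for another app: rejected with a fixed audience, accepted via Host."""
    exp = 4102444800  # 2100-01-01, so the constructed tokens do not expire during the demo
    other = mint_token({"sub": "abc1", "iss": ISSUER,
                        "aud": "https://other-app.example.invalid", "exp": exp}, SIGNING_KEY)
    attacker_headers = {"Host": "other-app.example.invalid"}
    try:
        gateway_session(other, attacker_headers, SIGNING_KEY, derive_from_request=False)
        fixed_rejects = False
    except TokenError:
        fixed_rejects = True
    derived = gateway_session(other, attacker_headers, SIGNING_KEY, derive_from_request=True)
    return {"fixed_audience_rejects": fixed_rejects, "derived_audience_accepts_sub": derived["sub"]}
```

The failure mode is the second path in `demo`: a token legitimately issued to some other Gateway client is replayed at this app, and because the audience check is computed from a header the sender chose, it passes. With the audience pinned in settings the same token is refused, which is why the MR makes it a required setting rather than deriving it.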
