verify incoming id token for API backends

Warning This MR depends on !4 (merged) having been merged first so that the DRF IsAuthenticated permission functions as expected.

Add verification for the Authorization header for incoming requests. The defaults are to verify that the request is appropriately authenticated with a Google service account corresponding to the API Gateway. Expected issuer, authorised parties, issuer certificate URLs, etc can be customised via settings. This is unlikely to be used in production but is useful when combined with the API Gateway emulator for local development.

Verification is only enabled if opt-ed in to via a dedicated setting so this is change does not break backwards compatibility.

Tests have been updated to exercise verification assuming that the Google verification library works as documented.

NO CHANGES SHOULD BE NEEDED FOR APPLICATIONS CURRENTLY DEPLOYED

However, local developement will need some configuration changes. An example of changes needed to docker-compose.yml and .../settings/base.py for projects making use of the API Gateway emulator can be found in https://gitlab.developers.cam.ac.uk/uis/devops/iam/identity/identity-system/-/commit/8a5fac7655b4fcfc1e76d6fdd3524523f516bdf6#35b8c13cf2eb2a194eada000eb310d65aed53b2a.

Closes #4 (closed)

assigned to @rjw57

Pinging @ek599 for a first pass look. I think this should be safe to merge as long as we're careful about upgrading individual applications. I wonder if you might nominate an application to "audition" with the changes first?

mentioned in issue #4 (closed)

changed title from Draft: feat: add user when authenticating to Draft: verify incoming id token for API backends

added 3 commits

• e7255d7c - feat: verify API Gateway id token in request
• 67501bac - feat(README): add note on IsAuthenticated permission
• f39fa10c - feat(README): add note on local development

Compare with previous version

marked this merge request as ready

changed the description

requested review from @mk2155

added 4 commits

• f39fa10c...e51399c4 - 3 commits from branch main
• a725a00e - Merge branch 'main' into issue-4-validate-gateway-token

Compare with previous version

added 3 commits

• 5259d6f9 - fix: change ..._VERIFY_TOKEN setting to _ENFORCE_ID_TOKEN_VERIFICATION
• e431de6e - fix: make trusted issuers and expected parties settings lists
• 7febe88e - fix(id_token): change spelling of _API_GATEWAY_SERVICE_ACCOUNTS

Compare with previous version

Thanks for the comments, @mk2155. Could you take a look now? I think I've addressed them.

requested review from @mk2155

approved this merge request

resolved all threads

merged

mentioned in commit 4fa01af1