verify incoming id token for API backends

Review changes
Download
Patches
Plain diff

Merged verify incoming id token for API backends

issue-4-validate-gateway-token into main

Overview 22
Commits 7
Pipelines 4
Changes 8

Merged Dr Rich Wareham requested to merge issue-4-validate-gateway-token into main 1 year ago

Overview 22
Commits 7
Pipelines 4
Changes 8

Warning This MR depends on !4 (merged) having been merged first so that the DRF IsAuthenticated permission functions as expected.

Add verification for the Authorization header for incoming requests. The defaults are to verify that the request is appropriately authenticated with a Google service account corresponding to the API Gateway. Expected issuer, authorised parties, issuer certificate URLs, etc can be customised via settings. This is unlikely to be used in production but is useful when combined with the API Gateway emulator for local development.

Verification is only enabled if opt-ed in to via a dedicated setting so this is change does not break backwards compatibility.

Tests have been updated to exercise verification assuming that the Google verification library works as documented.

NO CHANGES SHOULD BE NEEDED FOR APPLICATIONS CURRENTLY DEPLOYED

However, local developement will need some configuration changes. An example of changes needed to docker-compose.yml and .../settings/base.py for projects making use of the API Gateway emulator can be found in https://gitlab.developers.cam.ac.uk/uis/devops/iam/identity/identity-system/-/commit/8a5fac7655b4fcfc1e76d6fdd3524523f516bdf6#35b8c13cf2eb2a194eada000eb310d65aed53b2a.

Closes #4 (closed)

Edited 1 year ago by Dr Rich Wareham