Authentication and Authorization

Overview

The DCP UI is secured with Quantum-K (keycloak). QK is a forked version of Keycloak, so this doc will refer to it as Keycloak.

DCP UI is a next.js and Node.js React application written in the Next.JS framework. the UI uses the next-auth.js library to handle the SSO flow with Keycloak.

As a OpenId application, Keycloak clients must be configured for each callback url. So Keycloak will have a dev version, stage and production.

User flow

  • user visits DCP UI and must login to use any features.
  • user clicks login in top nav, is redirected to Keycloak UI.
  • user logs into Keycloak, upon success, is redirected back to DCP UI and a JSON Web Token (JWT) and ID token is returned. A session is created with these tokens.
  • the Auth JWT contains a series of claims that correspond to Entitlements. We will use DCP Admin and SRE entitlements to drive admin groups in DCP.
  • When using DCP, all features are read-only unless you are a member of a team that owns a service. When you are in this team, you may create a manual deployment and approve human workflows.
    • To determine if you are in the service's team, we look up the GUS team ID that is linked to your service, get the team memmbership and check that your email address (from the JWT) is in the membership list.
  • Note that the JWT has an expiration date. The DCP-UI knows how to renew this token when it expires.

Securing Authorization calls

  • the "is user in team" call must be secured from tampering by browser tools. So we include the JWT in the header of each call to the DAS (DCP API).
  • The DAS will unpack this JWT, validate that it has not been tampered with, and use the user's email to check that the user is in the team.
  • If not in the team, a 401 response is returned

DAS API Security

Note: DAS means: Data Access Service. The API is secured differently from the UI. The API authenticates 'clients', not users. Each client must authenticate with a client certificate.

DAS Client flow

  • Client calls the DAS and includes the client certificate in the header

  • API checks that the certificate is trusted and gets the client ID from the certificate.

  • API stores a list of routes and methods that are valid for each client ID. API checks that the client ID is authorized to complete each call by comparing current HTTP verb (method) and route to the list.

  • If not successful, a 401 response is returned.

  • Example code

      These values are base-64 encoded.
  req.headers.set('X-Client-Cert', client_cert)
  req.headers.set('UserAuthToken', token)

To replay these requests, you can get the cert and user auth token values from the browser's network trace.

Version: 0.3.110
Last Updated: 2024-07-01T19:32:00+0000