
Authorization strategy and implementation for submissions endpoint

Open jalbinson opened this issue 1 year ago • 3 comments

User Story

As a sender onboarded to ReportStream, I want to be authorized to hit the submissions endpoint

Description/Use Case

We want to only allow authorized senders to hit the submissions endpoint.

Risks/Impacts/Considerations

A nefarious user could submit false reports which could skew public health data.

Dev Notes

  • Look into the custom claims block in Okta to see if it's easily possible to inject the org name for easy comparison during the authorization check
  • Reports in the send step may contain thousands of items, so a single event won't be able to hold all the condition data. One option is to create an "ItemSentEvent" for each ITEM in the report.

Acceptance Criteria

  • Decide under which Okta authorization server clients orgs should live
  • Scopes and extra claims clearly defined for organizational users
  • ~Authz strategy implemented for submission endpoint (probably @PreAuthorize annotation)~
    • #16183 handles this now
  • Come up with approach for authorization in Azure Functions app that does not depend on Spring
  • Unit tests

jalbinson avatar Sep 06 '24 13:09 jalbinson
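One way to implement the check the dev notes sketch (an org name carried in a custom token claim, compared against the org the request submits as, with no Spring dependency), written here as an added example and not ReportStream's own code. It is in Python rather than the project's Kotlin so it runs stand-alone; it signs with HS256 and a shared secret instead of Okta's RS256 keys so it works offline, and the issuer, audience, `organization` claim name and `submission:write` scope are assumptions:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. Okta signs access tokens with RS256 against
# published keys; HS256 with a shared secret is used here only so the example runs
# offline. Issuer, audience, scope and claim names are assumptions, not ReportStream's.
SECRET = b"example-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://example.okta.com/oauth2/default"
EXPECTED_AUDIENCE = "api://reportstream"
ORG_CLAIM = "organization"          # hypothetical custom claim carrying the sender org
SUBMIT_SCOPE = "submission:write"   # hypothetical scope granted to onboarded senders

class AuthzError(Exception):
    """Token failed verification, or is not authorized for this request."""

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode_parts(header: dict, claims: dict) -> tuple:
    return tuple(_b64url_encode(json.dumps(part).encode()) for part in (header, claims))

def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT; stands in for Okta so sample tokens can be built offline."""
    h, p = _encode_parts({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def mint_unsigned_token(claims: dict) -> str:
    """Build an alg=none token, the shape an attacker sends to probe a lax verifier."""
    h, p = _encode_parts({"alg": "none", "typ": "JWT"}, claims)
    return f"{h}.{p}."

def verify_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Authenticate the token: structure, pinned algorithm, signature, exp, iss, aud."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthzError("malformed token")
    h, p, s = parts
    try:
        header, payload = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except ValueError:
        raise AuthzError("undecodable token")
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        raise AuthzError("undecodable token")
    # Pin the algorithm rather than trusting the header: this is what defeats
    # alg=none and key-confusion tokens.
    if header.get("alg") != "HS256":
        raise AuthzError("unsupported alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise AuthzError("bad signature")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        raise AuthzError("token expired or missing exp")
    if payload.get("iss") != EXPECTED_ISSUER:
        raise AuthzError("wrong issuer")
    if payload.get("aud") != EXPECTED_AUDIENCE:
        raise AuthzError("wrong audience")
    return payload

def authorize_submission(token: str, requested_org: str, now=None) -> dict:
    """Authorize a submissions call on behalf of `requested_org`.

    A valid Okta token (authentication) never by itself implies permission to
    submit as a given org (authorization); both checks run, in that order.
    """
    claims = verify_token(token, now=now)
    if SUBMIT_SCOPE not in claims.get("scp", []):
        raise AuthzError(f"missing scope {SUBMIT_SCOPE}")
    # Exact comparison of the org the token was issued for against the org the
    # request submits as; a missing or empty claim is a denial.
    if not claims.get(ORG_CLAIM) or claims[ORG_CLAIM] != requested_org:
        raise AuthzError("token not issued for the requested organization")
    return claims

def decide(token: str, requested_org: str, now=None) -> str:
    """Reduce the check to the allow/deny line a request filter would log."""
    try:
        authorize_submission(token, requested_org, now=now)
        return "allow"
    except AuthzError as err:
        return f"deny: {err}"

if __name__ == "__main__":
    t0 = 1_700_000_000
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "sender@example.org",
              "exp": t0 + 3600, "scp": [SUBMIT_SCOPE], ORG_CLAIM: "ignore"}
    for label, token, org in [
        ("same org", mint_token(claims), "ignore"),
        ("other org", mint_token(claims), "other-org"),
        ("alg=none", mint_unsigned_token(claims), "ignore"),
        ("forged", mint_token(claims, secret=b"attacker-key"), "ignore"),
        ("expired", mint_token({**claims, "exp": t0 - 1}), "ignore"),
    ]:
        print(f"{label:10}: {decide(token, org, now=t0)}")
```

Because `authorize_submission` is a plain function over the bearer token and the target org, the same logic can sit behind a Spring `@PreAuthorize` expression or be called directly from an Azure Functions handler. Against real Okta tokens the HS256 step would be replaced by RS256 verification with the key fetched from Okta's JWKS endpoint, still with the algorithm pinned. Note what the check does and does not establish: it binds a token to exactly one org and scope, but, as a later comment in this thread points out, it says nothing about whether that org is a legitimate sender.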

Hey team! Please add your planning poker estimate with Zenhub @adegolier @arnejduranovic @brick-green @david-navapbc @jack-h-wang @jalbinson @JFisk42 @mkalish @thetaurean

Andrey-Glazkv avatar Sep 09 '24 16:09 Andrey-Glazkv

Linking some of the prior research here:

The general understanding of the research was that verification by Okta to securely log into and use the RS platform =/= "you are who you say you are". That is, you could be verified by Okta but still be a shady organization that we know nothing about. To really know whether an organization is or isn't nefarious, we'd need a level of Identity Proofing which we don't have yet.

So it's important to point out that this ticket would NOT mitigate or reduce the only stated risk.

dylansmith-Nava avatar Sep 09 '24 16:09 dylansmith-Nava

Decisions made in this ticket are documented in the UP SRD under "Authorization Service Software Requirements"

jalbinson avatar Oct 09 '24 20:10 jalbinson

The SRD this ticket updated will be implemented here: https://github.com/CDCgov/prime-reportstream/issues/14601

arnejduranovic avatar Oct 18 '24 19:10 arnejduranovic