Use the JWT in Gateway API
Summary
| As a | developer |
|---|---|
| I want to be able to | complete an unfinished task associated with logins |
| So that I can | have user profile and role available to the Gateway API |
The idea here is that OneStop Gateway will handle all communication with external identity providers (IdP), which is login.gov in this case.
When a request comes into Gateway, it will proxy to other OneStop services that provide web APIs, such as the user/saved search API, and the search API.
When it proxies to a protected endpoint, it will take steps to authenticate the user with login.gov (OAuth2 + OIDC); that much is done. But then, before proxying the request, it will hit the User API to get ROLES for that user (which is why this is blocked by #1294). Gateway may need a functional user account that has access to a /user/roles/{id} endpoint. Once the ROLES are received, Gateway will build a JWT with those ROLES as claims, sign it, and pass that JWT in the Authorization header of the proxied request.
The apps that receive this JWT will need to have access to a public key (JWK) to verify that Gateway signed it. Gateway should provide an endpoint for this, like login.gov's /api/openid_connect/certs.
Currently the problem is that the Gateway app passes an access_token to the User API, which then hits login.gov to get user_info. This is no bueno, and it happens on every request the user makes to the API.
Tasks
- [ ] complete #1294 so we have a /roles endpoint
- [ ] finish the in-progress work to pass the JWT in the proxied request to the User API
Write-up with logs on why we need this JWT: https://docs.google.com/document/d/1YRpvQxfOD2I3R5_pK4QgOG79Lx8quAnUiO5TEhbkRXM/edit?usp=sharing