
Epic: modern auth with Keycloak and Auth0 OIDC

Open jcschaff opened this issue 2 years ago • 1 comment

Motivation

  • choose a third-party solution for authentication and some authorization which provides support for OpenID Connect (OIDC). Moving over to such an OIDC provider gives us an opportunity to

    • externalize and modernize user account management (e.g. passwordless access, 2FA, change passwords, verify passwords).
    • decouple vcell user credentials from vcell application and vcell database.
  • solutions

    • Keycloak is an open source solution which can be self-hosted. This is the obvious first choice during development but will have some security burden if made to be the permanent production solution.
    • Auth0.com is a commercial offering with several plans, but upcharges for multiple social media logins.

Completion Criteria

  • all VCell services and APIs use a single Keycloak instance for Authentication and encode some basic Role Based Access Control (e.g. admin, power user).

Tasks - Phase I

  • [x] #155
  • [x] integrate Auth flows using Keycloak for API and web apps.
  • [x] integrate Auth flow using Keycloak for Java client and admin CLI.
  • [x] install secure production Auth0 instance.
  • [x] #1092
  • [x] create flow for new Auth0/VCell users (email, userid)
  • [x] deploy Auth0 to production (development tenant and Google Dev Keys)

Tasks - Phase II

  • [ ] create production Auth0 tenant
  • [ ] register VCell as a Google App and get proper clientid (per Auth0.com instructions)
  • [ ] migrate VCell users from development tenant to production tenant
  • [ ] update configuration to use production clientid.

jcschaff, Nov 14 '23 02:11

done with Phase I - production VCell uses development Auth0 tenant for authentication.

Phase II (moving to a production Auth0.com tenant) is needed soon @AvocadoMoon @moraru

jcschaff, Jul 19 '24 15:07