
Conversation


@JFU-NAVA-PBC JFU-NAVA-PBC commented Oct 30, 2024

JIRA Ticket:
BB2-3471

What Does This PR Do?

Swagger UI: Enable PKCE for OAUTH

What Should Reviewers Watch For?

Verify that PKCE is on for the authorization.

If you're reviewing this PR, please check for these things in particular:

Validation

  1. Spin up a local BB2 following the README.
  2. Create a user and add an app, e.g. myApp.
  3. Use myApp's credentials for Swagger UI authorization (following the instructions on the Swagger UI page).
  4. Observe the local BB2 server log and check for a log event like the one below:

```json
{
  "access_token_delete_cnt": 0,
  "allow": true,
  "application": {
    "data_access_type": "THIRTEEN_MONTH",
    "id": 2,
    "name": "BB2-3471-TEST-APP"
  },
  "auth_app_data_access_type": "THIRTEEN_MONTH",
  "auth_app_id": "2",
  "auth_app_name": "BB2-3471-TEST-APP",
  "auth_client_id": "k81TcsKWOxqW5BQ1Sv4l8GIElXSx3ihGiHVuikSB",
  "auth_pkce_method": "S256",
  "auth_require_demographic_scopes": "True",
  "auth_share_demographic_scopes": "True",
  "auth_status": "OK",
  "auth_status_code": null,
  "auth_uuid": "419e67d4-2206-4777-8076-35a5d5736f63",
  "data_access_grant_delete_cnt": 0,
  "refresh_token_delete_cnt": 0,
  "request_uuid": "b74e54ee-962a-11ef-a867-0242ac120003",
  "scopes": "profile patient/Patient.read patient/Coverage.read patient/ExplanationOfBenefit.read",
  "share_demographic_scopes": "True",
  "type": "Authorization",
  "user": {
    "crosswalk": {
      "fhir_id": null,
      "id": null,
      "user_hicn_hash": null,
      "user_id_type": null,
      "user_mbi_hash": null
    },
    "id": 4,
    "username": "[email protected]"
  }
}
```

Check the PKCE method and verify the client id (myApp's client id):

"auth_client_id": "k81TcsKWOxqW5BQ1Sv4l8GIElXSx3ihGiHVuikSB",
"auth_pkce_method": "S256",

Or check the database table oauth2_provider_grant: there should be values in the columns code_challenge and code_challenge_method, as shown in the screenshot below:

[screenshot: oauth2_provider_grant rows with code_challenge and code_challenge_method populated]

Alternative verification:

Deploy to TEST, hit your app on TEST with Swagger UI authorization, then observe the Splunk Auth Flow Dashboard: check "Events by PKCE method (MOBILE vs. WEB)", drill down to the events and verify that the auth of your app has PKCE turned on.

What Security Implications Does This PR Have?

Please indicate if this PR does any of the following:

  • Adds any new software dependencies
  • Modifies any security controls
  • Adds new transmission or storage of data
  • Any other changes that could possibly affect security?
  • Yes, one or more of the above security implications apply. This PR must not be merged without the ISSO or team
    security engineer's approval.

Any Migrations?

  • Yes, there are migrations
    • The migrations should be run PRIOR to the code being deployed
    • The migrations should be run AFTER the code is deployed
    • There is a more complicated migration plan (downtime,
      etc)
  • No migrations
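
PKCE as exercised by the validation steps above, as an added example in Python that is not part of this PR or of the BB2 code base: it generates an RFC 7636 code_verifier and its S256 code_challenge (the pair whose server-side half lands in the oauth2_provider_grant columns code_challenge / code_challenge_method), performs the token-endpoint check a server does against the stored challenge, and runs the log assertion the validation step describes over a constructed Authorization event. The function names, the constructed events and the placeholder client id are assumptions for illustration, not BB2's own; the verifier/challenge pair in the usage note is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 chars from [A-Z] [a-z] [0-9] "-" "." "_" "~".
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43 base64url characters, no padding."""
    verifier = secrets.token_urlsafe(n_bytes)
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("generated verifier violates the RFC 7636 grammar")
    return verifier


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge, stored_method, presented_verifier) -> bool:
    """Server side: the token endpoint's check of code_verifier against the stored grant.

    stored_challenge / stored_method play the role of the code_challenge and
    code_challenge_method columns named in the PR; presented_verifier is what the
    client sends with the authorization code in the token request.
    """
    if not isinstance(stored_challenge, str) or not isinstance(presented_verifier, str):
        return False
    if not _VERIFIER_RE.fullmatch(presented_verifier):
        return False
    if stored_method == "S256":
        expected = s256_challenge(presented_verifier)
    elif stored_method == "plain":  # permitted by RFC 7636, but gives no protection if the challenge leaks
        expected = presented_verifier
    else:
        return False  # unknown or missing method: refuse rather than fall back to no PKCE
    # Constant-time compare so the check is not a timing oracle on the stored challenge.
    return hmac.compare_digest(expected.encode("utf-8"), stored_challenge.encode("utf-8"))


def pkce_enforced(log_line: str, expected_client_id: str) -> bool:
    """The PR's validation step: the Authorization event for our client id must carry S256."""
    try:
        event = json.loads(log_line)
    except json.JSONDecodeError:
        return False
    return (
        event.get("type") == "Authorization"
        and event.get("auth_status") == "OK"
        and event.get("auth_client_id") == expected_client_id
        and event.get("auth_pkce_method") == "S256"
    )


# Constructed sample events (assumed shape, modelled on the fields in the PR description; not real logs).
CLIENT_ID = "EXAMPLE-CLIENT-ID-OF-MYAPP"  # placeholder, not a real BB2 client id
EVENT_WITH_PKCE = json.dumps({
    "type": "Authorization", "auth_status": "OK",
    "auth_client_id": CLIENT_ID, "auth_pkce_method": "S256",
    "scopes": "profile patient/Patient.read",
})
EVENT_WITHOUT_PKCE = json.dumps({
    "type": "Authorization", "auth_status": "OK",
    "auth_client_id": CLIENT_ID, "auth_pkce_method": None,
    "scopes": "profile patient/Patient.read",
})


def demo() -> dict:
    """End to end: client makes verifier+challenge, server stores the challenge, token exchange verifies."""
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)  # goes on /authorize as code_challenge with code_challenge_method=S256
    grant_row = {"code_challenge": challenge, "code_challenge_method": "S256"}  # what the DB row holds
    return {
        "token_exchange_ok": verify_pkce(grant_row["code_challenge"], grant_row["code_challenge_method"], verifier),
        # An attacker who intercepted only the authorization code cannot redeem it without the verifier.
        "stolen_code_without_verifier": verify_pkce(grant_row["code_challenge"], grant_row["code_challenge_method"], make_code_verifier()),
        "log_shows_pkce": pkce_enforced(EVENT_WITH_PKCE, CLIENT_ID),
        "log_missing_pkce": pkce_enforced(EVENT_WITHOUT_PKCE, CLIENT_ID),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the four outcomes of `demo()`; `s256_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")` yields the RFC 7636 Appendix B value `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`, which is a quick way to confirm a Swagger UI or other client is computing the challenge the way the server will. The point of `pkce_enforced` checking `auth_client_id` together with `auth_pkce_method` is that a dashboard count of S256 events says nothing about a specific app; the validation step is only meaningful per client id.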


@noor1027 noor1027 left a comment


I tested in my local and it looks good to me.

@JFU-NAVA-PBC JFU-NAVA-PBC merged commit 9f180f1 into master Nov 5, 2024
6 checks passed
@JFU-NAVA-PBC JFU-NAVA-PBC deleted the jimfuqian/BB2-3471-swagger-ui-auth-enable-pkce branch November 5, 2024 00:37