
Conversation

Contributor

@JFU-NAVA-PBC JFU-NAVA-PBC commented Nov 8, 2024

JIRA Ticket:
BB2-3471

What Does This PR Do?

A follow-up PR fixing the PKCE verifier code handling in the customized Swagger UI code.

What Should Reviewers Watch For?

If you're reviewing this PR, please check for these things in particular:

Validation

Refer to "Validation" of PR 1260

Preferred validation - by splunk BB2 auth flow dashboard (TEST ENV): https://splunk.cloud.cms.gov/en-US/app/cms_bbapi_landing_app/bb2_authorization_flow_dashboard?form.bbEnvLabel=impl&form.bbEnv=*&form.t_local.earliest=-60m%40m&form.t_local.latest=now

PR deployed to TEST ENV.

Steps:

  1. Register an app on TEST, e.g. myApp
  2. Point the browser to the Swagger UI on TEST: https://test.bluebutton.cms.gov/docs/openapi
  3. Follow the instructions on the Swagger UI page
  4. Click the "Authorize" button to bring up the OAuth dialog, then type in the myApp credentials (client_id/client_secret)
  5. Check all scopes and click the "Authorize" button in the OAuth dialog
  6. Follow the Medicare login flow, e.g. log in as BBUser00000 and grant data access
  7. Assume the authorize flow completes successfully
  8. Pick any of the OAuth-protected endpoints, e.g. userinfo, and try it out; you should see the userinfo response.
  9. Click "Logout", then repeat auth flow steps 4-8 multiple times, e.g. 4 times
  10. Log into Splunk and open the "BB2 Authorization Flow Dashboard", select ENV=test, filter the app name selector to only your app, e.g. myApp, and query the auth flows in the past 60 min; you should then see PKCE stats like the ones below:
    The screenshot shows 4 auth flows with PKCE (S256 method).


What Security Implications Does This PR Have?

Please indicate if this PR does any of the following:

  • Adds any new software dependencies
  • Modifies any security controls
  • Adds new transmission or storage of data
  • Any other changes that could possibly affect security?
  • Yes, one or more of the above security implications apply. This PR must not be merged without the ISSO or team security engineer's approval.

Any Migrations?

  • Yes, there are migrations
    • The migrations should be run PRIOR to the code being deployed
    • The migrations should be run AFTER the code is deployed
    • There is a more complicated migration plan (downtime, etc)
  • No migrations

…swagger-ui-auth-w-pkce-set-verifier-4-token-exchange
@JFU-NAVA-PBC JFU-NAVA-PBC merged commit 041334c into master Nov 14, 2024
6 checks passed
@JFU-NAVA-PBC JFU-NAVA-PBC deleted the jimfuqian/BB2-3471-swagger-ui-auth-w-pkce-set-verifier-4-token-exchange branch November 14, 2024 15:50