Module: github.com/ONSdigital/dis-authentication-stub
Version: 0.0.0-20250108150423-ce2f70ad5ef6
Repository: https://github.com/onsdigital/dis-authentication-stub.git
Documentation: pkg.go.dev

# README

dis-authentication-stub

This project provides an authentication service stub for testing login and authentication processes without relying on dp-identity-api, Florence, or Cognito. The dis-authentication-stub simulates essential login, token renewal, and proxy functionality, allowing local testing for services such as dp-dataset-api when running in "private endpoints enabled" mode.

Getting started

To run the service locally:

Additional Commands:

  • Run make help to see the full list of make targets

Dependencies

  • No further dependencies other than those defined in go.mod

Endpoints and Functionalities

This stub provides the following endpoints to facilitate testing of authentication workflows:

  1. Health Check

    • GET /health: Returns 200 OK to confirm the service is running.

  2. Login Simulation

    • GET /florence/login: Displays a form with a list of configured users. Accepts an optional redirect query parameter (default is /florence/collections).

    • POST /florence/login: Processes the form submission, setting the following cookies:

      • access_token: Signed JWT for the selected user.
      • id_token: Signed JWT for the selected user.
      • refresh_token: Random opaque token stored in memory.

  3. Logout Simulation

    • GET /florence/logout: Invalidates auth cookies and redirects to /florence/login. Accepts an optional redirect query parameter.

  4. Token Management

    • DELETE /tokens/self: Logs out the user by removing session entries and expiring the id_token, access_token, and refresh_token cookies.

    • PUT /tokens/self: Reads the refresh_token cookie to renew the access and ID tokens if valid. Returns 400 if missing or 403 if expired.

  5. JWT Key Retrieval

    • GET /jwt-keys: Returns a JSON map of public JWT signing keys, matching the format of dp-identity-api.

  6. API Reverse Proxy

    • /api/: Proxies requests to APIs and sets the Authorization header with the access_token cookie value.

  7. Service Identity Validation

    • GET /identity: Verifies the service token in the Authorization header. Returns the app ID if valid, or 403 Forbidden otherwise.
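
The PUT /tokens/self rules listed under Token Management, sketched as an added Go example that is not the project's own code. The names store, issue, renew and status are hypothetical, and three behaviours are assumptions: an unknown token is treated like an expired one, a successful renewal answers 200, and the renewed cookies carry placeholder strings instead of signed JWTs.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

var store sync.Map // hypothetical in-memory store: opaque refresh token -> expiry time

// issue saves and returns a random opaque refresh token that is valid for ttl.
func issue(ttl time.Duration) string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand, so the token is not guessable
	store.Store(fmt.Sprintf("%x", b), time.Now().Add(ttl))
	return fmt.Sprintf("%x", b)
}

// renew applies the README's rules: 400 if the refresh_token cookie is missing,
// 403 if it is expired (or unknown, an assumption); else placeholder cookies are set.
func renew(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("refresh_token")
	if err != nil || c.Value == "" {
		http.Error(w, "refresh_token cookie missing", http.StatusBadRequest)
		return
	}
	exp, ok := store.Load(c.Value)
	if !ok || time.Now().After(exp.(time.Time)) {
		http.Error(w, "refresh token expired", http.StatusForbidden)
		return
	}
	http.SetCookie(w, &http.Cookie{Name: "access_token", Value: "constructed-access", HttpOnly: true})
	http.SetCookie(w, &http.Cookie{Name: "id_token", Value: "constructed-id", HttpOnly: true})
}

// status sends PUT /tokens/self with the given Cookie header ("" sends no cookie).
func status(cookieHeader string) int {
	req := httptest.NewRequest(http.MethodPut, "/tokens/self", nil)
	req.Header.Set("Cookie", cookieHeader)
	rec := httptest.NewRecorder()
	renew(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status(""), status("refresh_token="+issue(-time.Second)), status("refresh_token="+issue(time.Hour)))
}
```

A client under test can rely on the two codes differently: 400 means it never sent the cookie, while 403 means the session is over and the user has to log in again.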

Configuration

| Environment variable | Default | Description |
|---|---|---|
| API_VERSIONS | "", "v1" | To provision for versioned API endpoints |
| BIND_ADDR | :29500 | The host and port to bind to |
| GRACEFUL_SHUTDOWN_TIMEOUT | 5s | The graceful shutdown timeout in seconds (time.Duration format) |
| HEALTHCHECK_INTERVAL | 30s | Time between self-healthchecks (time.Duration format) |
| HEALTHCHECK_CRITICAL_TIMEOUT | 90s | Time to wait until an unhealthy dependent propagates its state to make this app unhealthy (time.Duration format) |
| OTEL_EXPORTER_OTLP_ENDPOINT | localhost:4317 | Endpoint for OpenTelemetry service |
| OTEL_SERVICE_NAME | dis-authentication-stub | Label of service for OpenTelemetry service |
| OTEL_BATCH_TIMEOUT | 5s | Timeout for OpenTelemetry |
| OTEL_ENABLED | false | Feature flag to enable OpenTelemetry |
| WAGTAIL_URL | http://localhost:8000/wagtail | Wagtail CMS URL |

Contributing

See CONTRIBUTING for details.

License

Copyright © 2024, Office for National Statistics (https://www.ons.gov.uk)

Released under MIT license, see LICENSE for details.

# Packages

No description provided by the author

# Variables

BuildTime represents the time in which the service was built.
GitCommit represents the commit (SHA-1) hash of the service that is running.
Version represents the version of the service that is running.