Support long-term service token #415

Closed
victorskl opened this issue Feb 22, 2022 · 2 comments
Labels
wontfix This will not be worked on

Comments

victorskl (Member) commented Feb 22, 2022:

Context:

So far, we have:

  • short-lived JWT for PAT (personal access token) through Portal UI -- ditto JWT Authorizer
  • built-in IAM which requires Signature v4 signed requests -- ditto IAM Authorizer

Use Cases:

  • Need longer-live access token or API key, especially service-to-service integration for downstream app automation

Actions:

  • Find a solution

Hint: we could already make use of the "refresh token" from the Cognito JWT authorizer issuer. Read OAuth Refresh Token. If going this route, then changes might only be needed at Portal UI, which already uses the Amplify library and just needs a way (a view) to expose it.

@victorskl victorskl added the feature New feature label Feb 22, 2022
@victorskl victorskl added this to the Release 0.9.0 milestone Feb 22, 2022
@victorskl victorskl self-assigned this Mar 4, 2022
victorskl added a commit that referenced this issue Mar 9, 2022
* This effectively supports use without needing to set up the PORTAL_TOKEN
  environment variable, using AWS CLI credentials or an IAM role instead.
* Updated README and a couple of examples for possible backend
  and end user ad-hoc use case code snippets.
* R example is still using Python for v4 signing facility and http
  `requests` package; through `reticulate` R library. This can be
  improved to pure R with `httr` and `cloudyr`.
* Related to #415 #377
@victorskl victorskl removed this from the Release 0.9.0 milestone Mar 16, 2022
victorskl (Member, Author) commented Mar 21, 2022:

This is on-hold for 3 reasons:

  • Using the Cognito Refresh Token makes Portal need to track the issued refresh tokens in order to facilitate token revocation (i.e. to invalidate already issued tokens). Doable but a bit of overhead. We should implement it when it is worth backing the out-of-band use case needs.
  • As an alternative, we have introduced /iam/ mirrored endpoints for those Apps that are deployed within our AWS accounts, so they can consume Portal APIs AWS-natively.
  • Portal CLI or umccr CLI would be another alternative for the local interactive use case -- whereas
    • umccr portal login to facilitate the Cognito OAuth login flow;
    • then followed by umccr portal token new and umccr portal token details
    • etc.. see the relevant Trello card for more discussion

@victorskl victorskl removed their assignment Mar 21, 2022
@victorskl victorskl added the park label Oct 10, 2022
@victorskl victorskl added the triage & trello Triage and migrate into respective Trello project label May 8, 2023
@victorskl victorskl added wontfix This will not be worked on and removed feature New feature park triage & trello Triage and migrate into respective Trello project labels Aug 16, 2023
victorskl (Member, Author) commented:

So far, the /iam solution that comes with #378 works well.
Usage is documented in the Portal docs as well.
https://github.com/umccr/data-portal-apis/tree/dev/docs

Peter found that curl also supports aws-sigv4 signing.

Some examples as follows.

Login

export AWS_PROFILE=prod
aws sso login

Export tokens

yawsso -p prod -e | yawsso decrypt | source /dev/stdin

Export region

export AWS_REGION=ap-southeast-2

Then, curl like so:

curl -s --request GET \
  "https://api.portal.prod.umccr.org/iam/lims?subject_id=SBJ01651" \
  --aws-sigv4 "aws:amz:${AWS_REGION}:execute-api" \
  --user "${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}" \
  --header "x-amz-security-token: ${AWS_SESSION_TOKEN}" \
  --header 'Accept: application/json' | jq

curl -s \
  "https://api.portal.prod.umccr.org/iam/workflows?end_status=Succeeded&rowsPerPage=2&type_name=bcl_convert" \
  --aws-sigv4 "aws:amz:${AWS_REGION}:execute-api" \
  --user "${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}" \
  --header "x-amz-security-token: ${AWS_SESSION_TOKEN}" \
  --header 'Accept: application/json' | jq

Or, use awscurl like so:

pip install awscurl
awscurl -H "Accept: application/json" --profile prod --region ap-southeast-2 "https://api.portal.prod.umccr.org/iam/workflows?rowsPerPage=2&type_name=bcl_convert&end_status=Succeeded" | jq

Hence, we use this as the acceptable solution for now, without needing any specific API key or the like.

Closing.
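The curl and awscurl commands above rely on the client computing an AWS Signature Version 4 over the request before the /iam/ endpoint will accept it. The following is an added, stand-alone example (not code from the data-portal-apis project) that computes the same SigV4 headers for a GET against an execute-api endpoint using only the Python standard library, so the pieces curl hides behind `--aws-sigv4 "aws:amz:<region>:execute-api"` are visible: the canonical request, the credential scope, the derived signing key, and the x-amz-security-token header that must be part of the signature when SSO session credentials are used. The credential values are constructed placeholders, not real keys; the URL is the one quoted in the comment above.

```python
"""Minimal AWS SigV4 signer for an API Gateway (execute-api) GET request.

Added example; implements the documented SigV4 steps with the standard
library only. Credentials below are constructed placeholders.
"""
import datetime
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"

# Constructed, non-functional demo credentials (never real keys).
DEMO_CREDS = {
    "access_key": "AKIAEXAMPLEEXAMPLE00",
    "secret_key": "exampleSecretKeyNotReal0000000000000000",
    "session_token": "EXAMPLE-SESSION-TOKEN",
}


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime.datetime:
    """Helper for a fixed UTC timestamp (signatures are time-dependent)."""
    return datetime.datetime(year, month, day, hour, tzinfo=datetime.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(query: str) -> str:
    """SigV4 canonical query string: pairs sorted by name, RFC 3986 encoded."""
    pairs = sorted(parse_qsl(query, keep_blank_values=True))
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in pairs)


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day signing key: HMAC chain over date, region, service."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_get(url: str, region: str, creds: dict,
             now: Optional[datetime.datetime] = None,
             service: str = "execute-api") -> dict:
    """Return the headers that authenticate a GET to `url` with SigV4.

    Mirrors what `curl --aws-sigv4 "aws:amz:<region>:execute-api"` computes;
    the x-amz-security-token header is signed when a session token is present.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    parts = urlsplit(url)

    # Headers that take part in the signature: lowercase names, sorted.
    headers = {"host": parts.netloc, "x-amz-date": amz_date}
    if creds.get("session_token"):
        headers["x-amz-security-token"] = creds["session_token"]
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))

    payload_hash = hashlib.sha256(b"").hexdigest()  # a GET carries no body
    canonical_request = "\n".join([
        "GET",
        quote(parts.path or "/", safe="/-_.~"),
        canonical_query(parts.query),
        canonical_headers,          # already newline-terminated, per the spec
        signed_headers,
        payload_hash,
    ])

    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = signing_key(creds["secret_key"], date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    out = {
        "Authorization": (f"{ALGORITHM} Credential={creds['access_key']}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
        "X-Amz-Date": amz_date,
    }
    if "x-amz-security-token" in headers:
        out["X-Amz-Security-Token"] = headers["x-amz-security-token"]
    return out


if __name__ == "__main__":
    # Offline demonstration: prints the headers you would pass to urllib/requests.
    demo = sign_get("https://api.portal.prod.umccr.org/iam/lims?subject_id=SBJ01651",
                    "ap-southeast-2", DEMO_CREDS, now=utc(2023, 8, 16, 12))
    for name, value in demo.items():
        print(f"{name}: {value}")
```

The headers returned by `sign_get` can be passed straight to `requests.get(url, headers=...)` or `urllib.request.Request`, which is the same shape as the R-via-`reticulate` snippet mentioned in the referenced commit. In production code, `botocore.auth.SigV4Auth` does this signing for you from the AWS CLI credential chain; the hand-rolled version here exists to make visible that the signature covers the host, date and session token, so a replayed or altered request fails verification at API Gateway.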
