feat: NDI OIDC for Singpass and Corppass OIDC for Corppass authentication #473
Problem
(See also #210)
Currently, Mockpass does not support NDI OIDC for Singpass and Corppass OIDC for Corppass authentication according to the latest API documentation. This PR implements this.
Solution
This PR includes the following:
- New OIDC endpoints for Singpass and Corppass, under the `/singpass/v2` and `/corppass/v2` namespaces respectively. Since these occupy the `/singpass` and `/corppass` namespaces too, I also moved both files into a project folder `/oidc` to reflect their purpose. The differences between the "implicit v1" and the v2 endpoints are as follows:
  - The `authorize` and `authorize/custom-profile` endpoints are shared. All the helper functions for both v1 and v2 were shared, so I moved them into a `utils.js` file.
  - For the `token` endpoint, the RP is expected to expose a well-known endpoint for the RP enc and sig JWKS. This endpoint must be made known to NDI ahead of time. (These are included as environment variables as described below.)
  - v2 adds `/.well-known/openid-configuration` and `/.well-known/keys`, which are the OIDC discovery endpoint and ASP JWKS endpoint respectively.
- New keys in the `static/certs/` folder:
  - `oidc-v2-asp-public.json`: The ASP public signing key (exposed under `/.well-known/keys`).
  - `oidc-v2-asp-secret.json`: The ASP private signing key (used to sign the id token).
  - `oidc-v2-rp-public.json` and `oidc-v2-rp-secret.json`: Default RP signing and encryption keys. See below for more details.

More details about `oidc-v2-rp-*.json`:
Signing keys are used to sign the client assertion, and encryption keys are used to encrypt the id token. The entire protocol will still work if RPs do not use these keysets (which is correct behavior). Users may now either
- not set the `{S|C}P_RP_JWKS_ENDPOINT` environment variable, and use `oidc-v2-rp-secret.json` to sign their client assertion; the `/token` endpoint will default to verifying the client assertion with `oidc-v2-rp-public.json`, OR
- set the `{S|C}P_RP_JWKS_ENDPOINT` environment variable, and use their own keys to sign the client assertion; the `/token` endpoint will fetch their JWKS from the endpoint specified in the environment variable for use in verification.

Tests
FormSG's current RP implementation integrates correctly with Singpass and Corppass in both staging and prod. This branch has been tested with FormSG's implementation and works correctly in dev as well.
Deploy Notes
New environment variables:
- `SP_RP_JWKS_ENDPOINT`: The RP's well-known JWKS endpoint for Singpass signing and encryption keys.
- `CP_RP_JWKS_ENDPOINT`: The RP's well-known JWKS endpoint for Corppass signing and encryption keys.
New keys: (see above for more details)
- `oidc-v2-asp-public.json`: The ASP public signing key.
- `oidc-v2-asp-secret.json`: The ASP private signing key.
- `oidc-v2-rp-public.json` and `oidc-v2-rp-secret.json`: Default RP signing and encryption keys.