Appt 565/okta integration #454

Merged
merged 17 commits into from
Jan 30, 2025

Conversation

Contributor

@MikeHDigital MikeHDigital commented Jan 23, 2025

This change adds Okta authentication as an option for user login.

mya-login

There is a test user set up in the Okta organisation; credentials for that will be available in Confluence to facilitate testing of this change. However, this will need actioning in whatever new development and test organisations that will be set up. Details around the accounts and organisation setup for the deployment to environments are still to be determined.

NHS Mail should continue to work, but as yet I have only been able to test with the dummy OIDC locally.

The significant change in this PR would be to the shape of the configuration elements around auth. As there are now multiple auth providers that need their own validation parameters and URLs setting up, I have altered the configuration structure to facilitate this.

Obviously that will be a breaking change if the configuration for the environments isn't amended before releasing this change set. The intention would be to add this new configuration shape to the environments in addition to the existing configuration before this is released, and then the old configuration shape can be removed once this release has stabilised.

Contributor Author

MikeHDigital commented Jan 23, 2025

I think if everyone is going to run this as it stands, we will run into rate limit issues pulling the JWKS, especially if people iterate a lot by restarting the API.

I will add some tests that simulate the failure I'm expecting and see what we can do to mitigate the failure to allow the local OIDC to keep working in the event of us breaching the rate limits set by Okta.

I guess an easy enough workaround will be to pull the Okta config or have developers get their own Okta trial account for local dev in lieu of a more "real" NHS Okta org.

Okta now configured with staging environment and tested locally. Getting onto the pipeline and variable work.
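
An added example, not code from this pull request or the project: a disk-backed JWKS cache in Python that lets an API restart reuse the stored key set, and that serves a stale copy only for a bounded time when the provider rate-limits the refresh. `JwksCache`, `RateLimited`, `simulate_restarts`, the TTL values and the injected `fetch` callable are assumptions made for illustration, and the key set is constructed.

```python
import json
import tempfile
import time
from pathlib import Path

class RateLimited(Exception):
    """Raised by the fetcher when the provider answers HTTP 429."""
class JwksCache:
    """Disk-backed JWKS cache, so an API restart reuses the stored key set."""
    def __init__(self, fetch, path, ttl=3600, max_stale=86400, clock=time.time):
        self.fetch, self.path, self.clock = fetch, Path(path), clock
        self.ttl, self.max_stale = ttl, max_stale

    def _load(self):
        try:
            entry = json.loads(self.path.read_text())
            return entry["fetched_at"], entry["jwks"]
        except (OSError, ValueError, KeyError, TypeError):
            return None  # missing or corrupt cache file: treat as empty

    def get(self):
        now, cached = self.clock(), self._load()
        if cached and now - cached[0] < self.ttl:
            return cached[1]  # fresh copy: no request to the provider
        try:
            jwks = self.fetch()
        except RateLimited:
            # Bounded fallback, so a withdrawn key is not trusted indefinitely.
            if cached and now - cached[0] < self.max_stale:
                return cached[1]
            raise
        self.path.write_text(json.dumps({"fetched_at": now, "jwks": jwks}))
        return jwks

def simulate_restarts(times):
    """Constructed scenario: the provider allows one fetch, then answers 429."""
    attempts, outcomes = [], []
    def fetch():
        attempts.append(1)
        if len(attempts) > 1:
            raise RateLimited()
        return {"keys": [{"kid": "constructed-kid", "kty": "RSA"}]}
    with tempfile.TemporaryDirectory() as d:
        for t in times:  # each new JwksCache models one API restart
            try:
                JwksCache(fetch, Path(d) / "jwks.json", clock=lambda: t).get()
                outcomes.append("ok")
            except RateLimited:
                outcomes.append("refused")
    return len(attempts), outcomes
```

Each entry in `times` is the clock value (in seconds) at one simulated restart; restarts inside the TTL make no request, and a rate-limited refresh past `max_stale` fails closed rather than validating tokens against old keys.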

Contributor

@vicr1 vicr1 left a comment

Additional work is needed on the deployment pipeline to make sure that the configuration for the deployed application is correct. As it stands, this will not work if deployed, as the env vars will not be set up correctly.

vicr1 previously approved these changes Jan 29, 2025
@MikeHDigital MikeHDigital merged commit c1a6f19 into main Jan 30, 2025
3 checks passed
@MikeHDigital MikeHDigital deleted the APPT-565/okta-integration branch January 30, 2025 11:26