CalmHub: Introduce OAuth2 and HTTPS Profile #715

Open
jpgough-ms opened this issue Dec 31, 2024 · 2 comments
Labels
calm-hub The Calm Hub Product help wanted Extra attention is needed

Comments

@jpgough-ms
Member

Feature Request

Description of Problem:

CalmHub is purely in demo mode at the moment, and to deploy in an organisation will need to offer basic security. We need to ensure that we keep the product easy to develop with locally, so this will be a profile that can turn on or off.

The idea will be to restrict the OAuth2 Client to be just used by the CLI.

Potential Solutions:

  • We need an OAuth2 design to cover the use of Calm Hub, capturing the idea that we have the right number of scopes and a differentiation between write and read access. @Budlee is experienced here and can help add the design to this issue.
  • Code modification to include support by any IDP
  • Documentation of how to configure and set up CalmHub to use OAuth2 in a corporate deployment
jpgough-ms added the "help wanted" (Extra attention is needed) and "calm-hub" (The Calm Hub Product) labels on Dec 31, 2024
@Budlee
Member

Budlee commented Jan 2, 2025

This sounds like something I can help with. Sounds like there are various avenues to explore. I will jump on the next office call to discuss these further.

@challamani

challamani commented Jan 3, 2025

@jpgough-ms @Budlee I have a working example that I explored in our last Hackday using Keycloak; I'll demo it in our office hours on Monday.

  • Authorization Code Flow with PKCE for CalmHub UI Access (using oidc-client dependency in React App)
  • Client Credentials Flow for service-to-service communication.

For granular authorization checks at CalmHub:

  1. We have to define the roles & scopes based on CalmHub clients.

  2. Client Credentials flow (for service-to-service communication): we may have to maintain a one-to-many mapping from a single scope to its corresponding endpoints.
     Example: write:patterns -> [POST] /pattern, write:patterns -> [PUT] /pattern, read:patterns -> [GET] /patterns

  3. Authorization Code Flow with PKCE (for user access): we may have to maintain the roles/scopes to endpoints mapping (one-to-many: a single role/scope and the associated list of endpoints that a user with that role/scope is allowed to access).
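An added illustration of the one-to-many scope/role to endpoint mapping described in the comment above, with a deny-by-default check (example code, not CalmHub's own; the role names, the `{id}` endpoint variants and the `roles` claim shape are assumptions):

```python
import re

# One-to-many mapping: a scope (client credentials flow) or a role (user
# access via PKCE) -> the list of (METHOD, path template) it may call.
# The non-{id} entries follow the comment above; the {id} ones are assumed.
SCOPE_TO_ENDPOINTS = {
    "read:patterns": [("GET", "/patterns"), ("GET", "/patterns/{id}")],
    "write:patterns": [("POST", "/pattern"), ("PUT", "/pattern"), ("PUT", "/pattern/{id}")],
}
# Assumed role names; a role simply bundles the endpoint lists of scopes.
ROLE_TO_ENDPOINTS = {
    "calm-viewer": SCOPE_TO_ENDPOINTS["read:patterns"],
    "calm-author": SCOPE_TO_ENDPOINTS["read:patterns"] + SCOPE_TO_ENDPOINTS["write:patterns"],
}


def _path_matches(template, path):
    # "{id}" matches exactly one non-empty path segment; the whole path must
    # match, so "/patterns" never authorises "/patterns/1/extra".
    parts = re.split(r"\{[^/]+\}", template)
    pattern = "[^/]+".join(re.escape(p) for p in parts)
    return re.fullmatch(pattern, path) is not None


def grants_from_claims(claims):
    # OAuth2 access tokens carry scopes as a space-delimited "scope" claim.
    # Roles are assumed here to arrive as a flat "roles" list claim; Keycloak
    # nests them differently, so map them to this shape at the token filter.
    scopes = set(claims.get("scope", "").split())
    roles = set(claims.get("roles", []))
    return scopes, roles


def is_authorized(claims, method, path):
    """Deny by default: allow only if a granted scope or role maps to (method, path)."""
    scopes, roles = grants_from_claims(claims)
    permitted = []
    for scope in scopes:
        permitted.extend(SCOPE_TO_ENDPOINTS.get(scope, []))  # unknown scopes grant nothing
    for role in roles:
        permitted.extend(ROLE_TO_ENDPOINTS.get(role, []))
    method = method.upper()
    return any(m == method and _path_matches(p, path) for m, p in permitted)


if __name__ == "__main__":
    # Constructed token claims, as a service client and as a user respectively.
    print(is_authorized({"scope": "read:patterns"}, "GET", "/patterns"))      # True
    print(is_authorized({"scope": "read:patterns"}, "POST", "/pattern"))      # False
    print(is_authorized({"roles": ["calm-author"]}, "PUT", "/pattern/42"))    # True
```

The check is intentionally a pure function of the token claims and the request, so it can sit behind whichever IDP issues the token and be unit-tested without one.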
