- Epic
- Resolution: Unresolved
- Normal
- None

We now have a few users wanting to access DW through their own CLIs, and it's time to replace DRF tokens with a proper authentication setup.

| *Customer Base and Context* | Token | SAML | OIDC |
| ------------------------------- | :-------: | :----: | :----: |
| Humans with a web browser | :x: | :white_check_mark: | :white_check_mark: |
| Humans with a CLI | :white_check_mark: | :x: | :white_check_mark: |
| Automation processes | :white_check_mark: | :x: | :white_check_mark: |

Currently, SSO uses SAML. After the authentication dance, the user gets a Django session token and can carry on. For API access, static access tokens are used.

For practicability and compliance with IT policies, the two authentication approaches should be unified via OIDC.

This should be done step-wise:

1. Add OIDC next to SAML as an auth provider to DW (datawarehouse#398)
2. Enable OIDC integration via the IT IdP, and switch over from SAML (infrastructure#333)
3. Shut down the SAML integration, but keep the support in place (infrastructure#334)
4. Support OIDC for API access (datawarehouse-api-lib#3)

See the individual issues for more details.

Notes:

- Django sessions expire after 2 weeks by default. [src]

Jira: CKI-7202