Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Spike/Architecture Discussion: Find possible way to test/troubleshoot FAM-BCSC integration without affecting FAM downstream apps #1590

Open
1 task
ianliuwk1019 opened this issue Sep 17, 2024 · 0 comments
Open
1 task

Spike/Architecture Discussion: Find possible way to test/troubleshoot FAM-BCSC integration without affecting FAM downstream apps #1590

ianliuwk1019 opened this issue Sep 17, 2024 · 0 comments
Labels
⚙️ Operational Strategy

Comments

@ianliuwk1019
Copy link
Collaborator

Describe the task
FAM AWS "production" supports downstream apps for DEV/TEST/PROD.

For BCSC login, apps with DEV/TEST use BCSC's TEST environment; only apps with PROD use BCSC's PROD environment.
However, BCSC returns JWE (encrypted)token (not the JWT token) and this encryption/decryption requires AWS KMS public key for BCSC to do token encryption.

On BCSC side, for their DEV/TEST/PROD integration with FAM, they are all configured to work from FAM "proudction" AWS KMS (KMS expose jwks endpoint: /jwks.json) to get the public key.

This has disadvantage for FAM to test BCSC integration because we can't test changed code for BCSC integration
without deploying to FAM production. Moreover, due to the timeout limit issue from Cognito we found in the past
that caused BCSC user login to fail (incomplete), the solution was to hardcoded AWS JWKS endpoint (/jwks.json)
production value at BCSC side (DEV/TEST/PROD) in order to have BCSC login process within time limit.

In the recent past there was time due to the backend library not in support anymore and that forced us to replace
the library for FAM BCSC integration code. Also there can be times that we need to update some other library, for
example - "cryptography"/"authlib"/"pyjwt". Above upgrade might need FAM BCSC integration code to be tested before
moving to production. In the past, we (FAM team) had to contact BCSC team to switch their hardcoded /jwks.json value
for their DEV environment to use our FAM AWS DEV JWKS endpoint value so FAM team can test BCSC integration code.
This change impacts downstream apps in DEV environment for BCSC login to be broken. Also each time when BCSC integration code changes happens if we need to switch back and forth on BCSC side, then it becomes unsustainable (this was commented by BCSC team Ryan).

We may want to discuss possible ways to be able to do BCSC integration code testing without affecting downstream apps and not requiring to ask BCSC team to switch configuration.

Acceptance Criteria

  • first

Additional context
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
⚙️ Operational Strategy
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ianliuwk1019