configure AWS resources - API clients

[fyliu]

Dependency

• get deployment checklist from #ops #325 may contain instructions

Overview

As part of our AWS configuration, we need to work with #ops to configure API clients.

Action Items

• follow documentation (if any) to create configs to provision an API client
• meet with #ops to verify the setup (through the PR process)
  • create API clients with client secret
    • PD admin site
    • VRMS
    • website
    • CTJ
  • if needed, create API client without client secret for PD admin site
• link to the configuration from here and from our documentation

After Merge

• check off this issue in epic: configure AWS resources (Cognito user pools, clients, database) #327 and close it if done

Resources/Instructions

• requirements:

  • we need at least one API client configured. We may need to set up client with no secret for PD backend for now for logging in to the backend admin site using cognito, unless we get the authentication working with the client secret by the time this issue is being worked on.

    • Technical Debt (security): Implement client_secret in login #242

  • we would like to use client secret-enabled clients so we can track where the users are logging in from (from which app). Cognito client secrets - API client #174

  • each API client app (such as VRMS, website, CTJ, PD admin site) should have its own API client "config" associated with the user pool

• for quick reference: configs for API clients currently associated with the VRMS testing user pool

  1. client which returns the auth token in the url for manual testing

     • Authentication flows
       • ALLOW_REFRESH_TOKEN_AUTH
       • ALLOW_ADMIN_USER_PASSWORD_AUTH
     • Client secret
       • ******
     • Advanced authentication settings
       • Enable token revocation
       • Enable prevent user existence errors
     • hosted UI
       • callback URLS (for local testing)
         • http://localhost:8000/admin/
       • Identity providers
         • Cognito user pool directory
       • OAuth grant types
         • Implicit grant
       • OpenID Connect scopes
         • openid

  2. client with no secret for PD backend (need to fix later)

     • Authentication flows
       • ALLOW_REFRESH_TOKEN_AUTH
       • ALLOW_USER_SRP_AUTH
     • Advanced authentication settings
       • Enable token revocation
       • Enable prevent user existence errors
     • hosted UI
       • callback URLS (for local testing)
         • http://localhost:8000/accounts/amazon-cognito/login/callback/
         • http://localhost:8000/admin/
       • Identity providers
         • Cognito user pool directory
       • OAuth grant types
         • Authorization code grant
       • OpenID Connect scopes
         • email
         • openid
         • profile

  3. client with secret for client with backend

     • Authentication flows
     • ALLOW_REFRESH_TOKEN_AUTH
     • ALLOW_USER_SRP_AUTH
     • Client secret
     • ******
     • Advanced authentication settings
     • Enable token revocation
     • Enable prevent user existence errors
     • hosted UI
     • callback URLS (for local testing)
       • http://localhost:8000/accounts/amazon-cognito/login/callback/
       • http://localhost:8000/admin/
     • Identity providers
       • Cognito user pool directory
     • OAuth grant types
       • Authorization code grant
     • OpenID Connect scopes
       • email
       • openid
       • profile

• see the actual API clients in AWS for any configs missing here