...

Google and Facebook both run an automated and a manual verification and review process; which one applies depends on the type of client and on the scopes and claims the client has access to. (See https://developers.google.com/apps-script/guides/client-verification and https://support.google.com/cloud/answer/9110914?hl=en.)

Verification Procedure

As of November 2019, OAuth clients need to be verified before they can be used. A dedicated OAuth Verification Job has been created in the ops build system to verify a specific client. Use the following procedure to verify a client:

  1. Once a verification request is received, create a new JIRA ticket containing the client id.

  2. Launch the OAuth Verification Job, filling in the required parameters (note: you will need a Jenkins account):

    1. SESSION_TOKEN: a valid session token for an admin user (treat it as a credential: it grants admin rights for as long as the session is valid)

    2. CLIENT_ID: the id of the client to verify

    3. ETAG: the etag of the client to verify (this ensures that the client was not modified after its details were read; if it was, re-read the client and check the changes before retrying)

    4. VERIFY_STATUS: leave enabled (deselecting it un-verifies the client)

  3. Resolve the related JIRA issue.

Initial Implementation

At the design review meeting held on 11 November 2019, the synapse team decided that, given the number of expected use cases, a complete verification process is not needed. The initial implementation will instead whitelist OAuth clients case by case:

  1. A client will not be usable after creation until it has been verified. If an unverified client is used (e.g. to obtain an authorization code or an access token), the error message must include the email address to contact in order to get the client verified.

  2. In the Web Client, a form to submit a Jira issue to the ACT team requesting client verification will be shown (as part of SWC-4957).

  3. A user should be blocked in the web client from using a non-verified client (SWC-5043).

  4. An administrative API (only ACT members and admins can invoke this endpoint) will be added to verify or un-verify a client:

    PUT /admin/oauth2/client/{id}/verified?status=<boolean>
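The following is an added reference model of the behaviour described by the verification procedure and the initial implementation above; it is example code written for this page, not the synapse service's own implementation. Everything in it is assumed for illustration: the in-memory client store, the role names "admin" and "act", the contact address, and the error codes. It shows the three checks a practitioner would expect behind the admin endpoint and the authorization flow: the caller must be an admin or ACT member, the supplied etag must match the client's current state (the job's ETAG parameter, i.e. an If-Match style compare-and-set), and an unverified client is refused with an error that names the contact address.

```python
"""Reference model of the OAuth client verification flow (added example,
hypothetical store, roles and contact address; not the project's code)."""

import hashlib
import json
import secrets
from dataclasses import asdict, dataclass, field

VERIFICATION_CONTACT = "act-team@example.com"  # assumed contact address


class OAuthError(Exception):
    """HTTP-style status plus an OAuth error body, as the API would return."""

    def __init__(self, status, error, description):
        super().__init__(f"{status} {error}: {description}")
        self.status = status
        self.error = error
        self.description = description


@dataclass
class OAuthClient:
    client_id: str
    name: str
    redirect_uris: list
    verified: bool = False

    def etag(self):
        # Derived from the full representation: any edit to the client
        # (name, redirect URIs, verified flag) yields a different etag.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()[:16]


@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)


CLIENTS = {}  # client_id -> OAuthClient (in-memory stand-in for the store)


def register_client(client_id, name, redirect_uris):
    # A freshly created client starts unverified and cannot be used yet.
    client = OAuthClient(client_id, name, list(redirect_uris))
    CLIENTS[client_id] = client
    return client


def set_verified(session, client_id, etag, status):
    """Model of PUT /admin/oauth2/client/{id}/verified?status=<boolean>.

    Returns the client's new etag on success, raises OAuthError otherwise."""
    if not session.roles & {"admin", "act"}:
        raise OAuthError(403, "forbidden", "admin or ACT role required")
    client = CLIENTS.get(client_id)
    if client is None:
        raise OAuthError(404, "not_found", f"unknown client {client_id}")
    if client.etag() != etag:
        # The client was edited after the operator read it (for example a
        # redirect URI was added): refuse rather than verify the new state.
        raise OAuthError(412, "precondition_failed",
                         "client changed since it was read; re-read and retry")
    client.verified = bool(status)
    return client.etag()


def authorize(client_id, redirect_uri):
    """Authorization-code request; unverified clients are refused with the
    contact address the error message is required to include."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client.redirect_uris:
        raise OAuthError(400, "invalid_request", "unknown client or redirect_uri")
    if not client.verified:
        raise OAuthError(
            403, "unauthorized_client",
            f"client {client_id} is not verified; contact "
            f"{VERIFICATION_CONTACT} to request verification")
    return {"client_id": client_id, "redirect_uri": redirect_uri,
            "code": secrets.token_urlsafe(16)}


def error_of(fn, *args):
    """Run fn(*args); return the OAuthError it raises, or None on success."""
    try:
        fn(*args)
    except OAuthError as exc:
        return exc
    return None
```

The etag check is the part most easily skipped in a quick implementation, and it is the one that protects the operator: between reading the client details and clicking "verify", the client owner could have changed a redirect URI, and without the compare-and-set the reviewed and the verified configurations would differ.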

...