Single Sign-On (Identity Provider) #15

@LudoLogical

Story

As a user, I want my login request to be validated by an SSO backend.

Description

Create and implement the following API endpoints:

  1. /sso for creating and signing SSO JWTs when supplied correct username and password information. It will be supplied with an email, password, and redirect URL.
  2. /auth for verifying SSO JWTs and creating and signing corresponding identity JWTs. It will be supplied with an SSO JWT and a redirect URL.
  3. /identity for verifying and decoding identity JWTs. It will be supplied with an identity JWT.

Acceptance Criteria

  1. /sso returns a 401 if supplied with an invalid username/password pair
  2. /sso returns an authorization cookie containing a signed SSO JWT if supplied with a valid username/password pair
  3. /auth returns a redirect to platform.utdnebula.com/signin if not supplied with a valid SSO JWT
  4. /auth returns a redirect to the supplied URL, with an identity JWT as a query parameter, if supplied with a valid SSO JWT.
  5. /identity returns a 401 if it is not supplied with a valid identity JWT.
  6. /identity returns the payload of a supplied valid identity JWT.
  7. /sso and /auth sign their JWTs with unique secrets.

Notes

This article describes a possible implementation.
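
Added example, not part of the original issue and not the project's code: the token handling behind /auth and /identity, showing why criterion 7 matters. With separate secrets, an SSO JWT presented to /identity fails verification instead of being accepted as an identity token. The secrets, the `token` query parameter name, the token lifetimes and all function names are assumptions.

```javascript
const crypto = require("node:crypto");

// Constructed per-process secrets (assumption: a deployment loads two distinct secrets from its secret store).
const SSO_SECRET = crypto.randomBytes(32);
const IDENTITY_SECRET = crypto.randomBytes(32);
const SIGNIN_URL = "https://platform.utdnebula.com/signin";

const b64u = (x) => Buffer.from(x).toString("base64url");
const mac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Sign a compact HS256 JWT that expires after ttlSeconds.
function sign(payload, secret, ttlSeconds) {
  const now = Math.floor(Date.now() / 1000);
  const head = b64u(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64u(JSON.stringify({ ...payload, iat: now, exp: now + ttlSeconds }));
  return `${head}.${body}.${b64u(mac(`${head}.${body}`, secret))}`;
}

// Return the payload, or null if the token is malformed, forged, not HS256, or expired.
function verify(token, secret) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = mac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    if (JSON.parse(Buffer.from(head, "base64url")).alg !== "HS256") return null;
    const payload = JSON.parse(Buffer.from(body, "base64url"));
    return payload.exp > Math.floor(Date.now() / 1000) ? payload : null;
  } catch { return null; }
}

// /auth logic: exchange a valid SSO JWT for an identity JWT carried on the redirect URL.
function authRedirect(ssoToken, redirectUrl) {
  const sso = verify(ssoToken, SSO_SECRET);
  if (!sso) return SIGNIN_URL; // criterion 3
  const target = new URL(redirectUrl);
  target.searchParams.set("token", sign({ sub: sso.sub }, IDENTITY_SECRET, 300));
  return target.toString(); // criterion 4
}

// /identity logic: 401 unless the token verifies under the identity secret.
function identity(token) {
  const payload = verify(token, IDENTITY_SECRET);
  return payload ? { status: 200, body: payload } : { status: 401 };
}
```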
