Allows authorised users to access the GOV.UK draft stack
- AWS (EKS)
- Supporting apps
App to add authentication to the draft version of GOV.UK, so that only users with
a signon account - or a valid JSON web token (JWT) - can access it.
This is a Rails application that proxies requests to an upstream service, first
performing authentication using gds-sso to ensure that only authenticated
users are able to view the site. It sets an
so that the upstream service can identify the user.
The application also supports bypassing authentication via a valid JWT token.
If the URL being requested includes a
token querystring containing a valid
token encoded with the value in the
JWT_AUTH_SECRET environment variable, and
that token contains a
sub key, the value of that key is passed upstream in
GOVUK_AUTH_BYPASS_ID header. NB, the
sub (or “subject”) key is one of the
reserved claims of a JWT.
If a user is authenticated using gds-sso and a JWT token is also provided, both
sets of information are passed upstream. It is up to the upstream application how
to handle these cases.
Some of the thinking behind this is documented in RFC 13.
Running the app
In GOV.UK Docker,
GOVUK_UPSTREAM_URI defaults to government-frontend. This
means that, when you request
authenticating-proxy.dev.gov.uk, it should behave
the same as requesting
Running the test suite
bundle exec rake