{"id":20726858,"url":"https://github.com/hmcts/service-auth-provider-app","last_synced_at":"2025-04-23T18:49:27.364Z","repository":{"id":37820122,"uuid":"125542296","full_name":"hmcts/service-auth-provider-app","owner":"hmcts","description":"Service to Service Authorisation Service","archived":false,"fork":false,"pushed_at":"2025-04-23T17:42:09.000Z","size":2466,"stargazers_count":4,"open_issues_count":13,"forks_count":9,"subscribers_count":173,"default_branch":"master","last_synced_at":"2025-04-23T18:41:39.878Z","etag":null,"topics":["googleotp","jenkins-cft","jenkins-cft-j-z","onetimepassword","platops-owned-app","s2sauth","team-platform"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hmcts.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-03-16T16:28:54.000Z","updated_at":"2025-04-18T09:05:51.000Z","dependencies_parsed_at":"2023-09-23T01:31:19.394Z","dependency_job_id":"88302b6a-7bb1-4f73-b585-ade3964ea6e6","html_url":"https://github.com/hmcts/service-auth-provider-app","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hmcts%2Fservice-auth-provider-app","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hmcts%2Fservice-auth-provider-app/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hmcts%2Fservice-auth-provider-app/releases","manifests_ur
l":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hmcts%2Fservice-auth-provider-app/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hmcts","download_url":"https://codeload.github.com/hmcts/service-auth-provider-app/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250496139,"owners_count":21440225,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["googleotp","jenkins-cft","jenkins-cft-j-z","onetimepassword","platops-owned-app","s2sauth","team-platform"],"created_at":"2024-11-17T04:27:54.093Z","updated_at":"2025-04-23T18:49:27.334Z","avatar_url":"https://github.com/hmcts.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Service auth provider\n\n\n[![Build Status](https://travis-ci.org/hmcts/service-auth-provider-app.svg?branch=master)](https://travis-ci.org/hmcts/service-auth-provider-app)\n[![Codacy Badge](https://api.codacy.com/project/badge/Grade/0cb10a161dc24d0092470cda7c304c87)](https://app.codacy.com/app/HMCTS/service-auth-provider-app)\n[![codecov](https://codecov.io/gh/hmcts/service-auth-provider-app/branch/master/graph/badge.svg)](https://codecov.io/gh/hmcts/service-auth-provider-app)\n\nThis microservice is used to authenticate services across HMCTS.\n\n## Getting Started\n\n### Prerequisites\n- [JDK 8](https://java.com)\n \n### Building\nTo build the project execute the following command:\n```bash\n$ ./gradlew build\n```\n\n### Configuration\n\nIn order to setup Service Auth Provider to work with a client service, you need 
to do the following:\n\n* In the Azure Key Vault named `s2s-{environment}` add the service's secret used for generating OTPs (one-time passwords).\nThis has to be done in each environment the service is going to be deployed to. Service Auth Provider will use that secret\nfor validating OTPs. It has to be a BASE32-encoded sequence of ten random bytes (16 characters after encoding). By convention,\nthe Azure Key Vault secret's name should follow this format: `microservicekey-{service-name}`. [Here's](#generating-secret) how to generate it.\n* To make it work on AKS, add the client service name (as in HTTP requests) and the Azure Key Vault secret created in the previous steps to [values.yaml](charts/rpe-service-auth-provider/values.yaml). \nA service **TEST_SERVICE** with secret key **microservicekey-test-service** needs to be configured as below:\n\n ```\njava:\n  keyVaults:\n    \"s2s\":\n      secrets:\n        - name: microservicekey-test-service\n          alias: microserviceKeys.test_service\n```\n Note: **test_service** is lower-cased in the alias mapping, though it's not mandatory. 
\n* Bump the helm chart minor version in [Chart.yaml](charts/rpe-service-auth-provider/Chart.yaml) \n\n#### \u003ca name=\"generating-secret\"\u003e\u003c/a\u003eGenerating the microservice secret\n\nHere's a sample Java snippet to generate a microservice secret:\n\n```\nimport java.security.SecureRandom;\nimport org.apache.commons.codec.binary.Base32; // Apache Commons Codec\n\nbyte[] bytes = new byte[10];\nSecureRandom.getInstanceStrong().nextBytes(bytes);\nString secret = new Base32().encodeAsString(bytes);\n```\n\nSample Python code to generate that secret:\n\n```\nimport os\nimport base64\nbase64.b32encode(os.urandom(10))\n```\n#### Writing a secret into all the needed vaults\nPlease make sure `realpath` is installed, as the script uses it.\n```\nUbuntu: sudo apt-get install coreutils\nOS X  : brew install coreutils\n\nOn Debian or Ubuntu realpath should be installed by default\n```\nThere's a script provided: `./bin/set-secret-in-all-vaults \u003cmicroservice-name\u003e`\nThis will write the secret into all the vaults and then run the check script to confirm it can find the secret.\n\nYou need to have the `azure-cli` installed and be logged in (`az login`) for it to work. Also ensure you are in the `dcd_reform_dev_logs` group in AAD.\n\n#### Getting the change to production\nCreate a pull request after you've set the secret in all vaults. Once your build is green, you can request a review by posting on the #platops-code-review Slack channel.\nIf the build is green and the PR template was filled out correctly, showing that the secret has been entered in all vaults, then the change will be merged and a build automatically triggered. Once the build has finished and passed, it will be automatically deployed to the AAT and production environments. 
If you need it in demo, you can merge the code to demo and `git push`.\n\n#### Reading the secret in client service's infrastructure code\n\nOnce the service's secret is stored in Azure Key Vault, it can be retrieved\nfrom the S2S key vault with Terraform and written into your own vault.\n\n```hcl\ndata \"azurerm_key_vault\" \"key_vault\" {\n  name                = \"${var.product}-${var.env}\" # update these values if required\n  resource_group_name = \"${var.product}-${var.env}\" # update these values if required\n}\n\ndata \"azurerm_key_vault\" \"s2s_vault\" {\n  name                = \"s2s-${var.env}\"\n  resource_group_name = \"rpe-service-auth-provider-${var.env}\"\n}\n\ndata \"azurerm_key_vault_secret\" \"key_from_vault\" {\n  name         = \"microservicekey-ccd-data\" # update key name e.g. microservicekey-your-name\n  key_vault_id = data.azurerm_key_vault.s2s_vault.id\n}\n\nresource \"azurerm_key_vault_secret\" \"s2s\" {\n  name         = \"s2s-secret\"\n  value        = data.azurerm_key_vault_secret.key_from_vault.value\n  key_vault_id = data.azurerm_key_vault.key_vault.id\n}\n```\n\n### Running\nTo run the app execute:\n```bash\n$ ./gradlew bootRun\n```\nYou can also run the app on Docker.  \nTo build:\n```bash\n$ docker-compose build\n```\nAnd to run:\n```bash\n$ docker-compose up\n```\nThe Dockerized app comes with a preconfigured sample service. See [docker-compose.yml](docker-compose.yml) for details.\n\n## Documentation\nAPI documentation is provided with Swagger.  
\nThe JSON spec is available under the standard `/v3/api-docs` route.\n\nA flow diagram can be found [here](docs/design.md).\n\n## Developing\n\n### Unit tests\nTo run all unit tests execute the following command:\n```bash\n$ ./gradlew test\n```\n\n## License\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE.md) file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhmcts%2Fservice-auth-provider-app","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhmcts%2Fservice-auth-provider-app","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhmcts%2Fservice-auth-provider-app/lists"}