The Single Sign-On squad is currently working on a single sign-on (SSO) feature. This enhancement is expected to improve security by standardizing session management, streamlining access across platforms and supporting integration with external identity providers.
With the SSO feature, users will be able to use the OpenID client library to handle OpenID Connect (OIDC) workflows. So far, the squad has compared various authentication mechanisms such as Proxy Auth and JWT session strategies, and is trying to choose a session strategy that integrates cleanly with CouchDB so that it aligns easily with the existing infrastructure. The team is also updating the CHT login page and some of the API endpoints in the user-creation logic to support the SSO flow, and exploring options for secure session management (currently, once a session cookie is issued, it remains valid until expiry even if the user has been deleted on the identity provider).
The squad will also be documenting the final login session creation and logout flow, strengthening error handling so that users receive clear and consistent error messages whenever they try to log in, and adding measures such as rate limiting to protect the system from login enumeration and other abuse. Thank you @Kenyuri for sharing the squad's progress updates; here is the recording of this presentation.
The Community is also grateful to the International Committee of the Red Cross, Living Goods, Ssollinc and Medic teams for their support in building this feature.