Cognito client secrets - API client

[fyliu]

Dependency

• Ready: Cognito update 323 #324

Overview

As discussed in #147, we need to implement app tokens in addition to user cognito tokens so we can restrict access to approved apps only. i.e. VRMS, website, CTJ.

• Missing Permission Type #147

Action Items

• research ways to add app tokens in django and DRF
• compare a few if there's many and write a decision record (DR) on why we should choose one
• create a work issue to implement the app token
• if Ready: Cognito update 323 #324 doesn't use client secret, update Technical Debt (security): Implement client_secret in login #242 to point to Enable SSO for admin screen #323
• close this issue as done since there's a work issue for it and configure AWS resources - API clients #328 also creates API clients with client secret enabled.

Resources/Instructions

• https://djangopackages.org and search for token
• Cognito's app client with client secret is an option

[fyliu]

I'm not sure if the role, stakeholder, feature labels are right.

I feel the "Infrastructure" feature might be wrong on this. Should this be under something like "Authentication"?

[ExperimentsInHonesty]

the labels are correct. Discussed during meeting with Fang and team.