OAuth2 Authorization Code Grant with PKCE Flow auth.py

[dean-taylor]

I propose that as a minimal viable product the current industry best practice OAuth2 Authorization Code Grant flow with PKCE be included within the supported authorization for MONAI Label.

Use case: Integrate MONAI Label into a larger suite of applications or workflows maintaining authnz.
In order to provide a good user experience within a supported client base and include functionality to allow appropriate authorization especially in a fields of research that requires a level of security. This requires support of an industry standard SSO to ensure authentication and authorization is managed.

[dean-taylor]

At present MONAI Label includes the OAuth2 Resource Owner Credentials Grant (Keycloak - Direct Grant). This discussion is in relation to extending this functionality. Addition of OAuth2 Authorization Code flow with PKCE provides a better security stance, allows the inclusion of MONAI Label into other workflows, can provide a more seamless user experience and would potentially pave the way for this product to find future growth within research initiatives.

[diazandr3s]

Hi @dean-taylor,

Thanks for sharing your feedback.

Could you elaborate on the specific use case and the intended setup and workflow?

Thanks again!

[dean-taylor]

Within the context of supporting large scale infrastructure for research initiatives we are currently moving services into more cloud native environments to better manage resources and in turn lowering TCO/operational costs while increasing user experience (UX). As a consequence there is a dependancy on authnz to not only allow access to resources and data but include quotas, fair share policies and much more.

In relation to MONAI label the inclusion of OAuth Authorization Code flow with PKCE would firstly allow the service to natively support user session access to individual and/or groups based on local requirements. It would further allow MONAI label, as a trusted service, to access other resources on behalf of the user based on ACLs, such as DICOMweb endpoints.