[system] - Login process with m8a Auth (Keycloak) for Zeus apps.

[smolinari]

Since the zeus apps (api and app) will be using Keycloak 100% of the time, we need a process for login which relies entirely on Keycloak as the initial IAM system.

• At login, the system will identify the user via Keycloak via "code authorization".

• No matter what page of the Zeus app the user enters, if the user does not have a Zeus app session, the system will look to m8a Auth (Keycloak) for an active session.

  • If yes, they are automatically logged in (SSO). If not, they are redirected to a login page.

• At login, the system will identify the user is properly synchronized between the m8a Zeus app database and m8a Auth (Keycloak). If not synchronized, the user will not be able to access the Zeus app.

• Once logged in, if the Zeus app session is no longer valid (user logs out or the session is timed out), only access to the Zeus app will end. Access to other system applications will continue via m8a Auth i.e. the user won't be logged out of the system completely.

• Once logged in, the user's session is handed over to the Zeus app, to follow its own session handling rules. m8a Auth will only be sync'ed within 10 hours, just to keep the refresh ability open.

• m8a team members must be first registered via an m8a team administrator in the Zeus app. see issue: [system] - Registration process for m8a team members #402