.. _aaa:

Authentication, Authorisation and Auditing
=============================================

The OET API is secured using the ska-aaa-helpers library. This means that to use the API, a request must include a valid token with the correct role and scopes for the specific API resource.

The OET CLI and OET UI have login functionality and, when logged in, include the tokens in their requests by default.

For more information on the general AAA architecture, see the Solution Intent.

OET CLI
--------

The CLI offers an ``oet login`` command that opens the SKAO Entra login page in a browser. The login session is then safely cached locally and the tokens are sent with subsequent CLI commands.

Component Testing
-------------------

As the component tests exercise a real deployment of the API, the requests they send need to include tokens that have the correct permissions for the API resource and are properly signed.

For the real deployment, tokens are signed with Microsoft's private keys and then validated by the OET server using the Microsoft public keys.

In the tests, rather than use real tokens signed by Microsoft, we want to be able to mint test tokens. For this to work, the OET server needs to be deployed to use the corresponding test public keys for verification. This can be done by setting the Helm value ``--set ska-oso-oet.pipeline_test_deployment=true``.

.. warning::

   This option should never be used for a persistent deployment as it introduces an obvious security backdoor.
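A guard for the warning above, as an added example that is not part of the OET project: it walks the JSON printed by ``helm get values <release> --all -o json`` for each persistent release and reports every release where ``pipeline_test_deployment`` is not explicitly false. The release names and sample values are constructed, and how the chart itself evaluates the value is an assumption, so the check fails closed.

```python
import json

FLAG = "pipeline_test_deployment"  # Helm value named on this page


def find_flag(values, path=()):
    """Yield (dotted_path, value) for every key named FLAG, at any depth.

    Umbrella charts nest subchart values under the subchart name, so the
    key is searched for recursively rather than at one fixed location.
    """
    if isinstance(values, dict):
        for key, child in values.items():
            if key == FLAG:
                yield ".".join(path + (key,)), child
            else:
                yield from find_flag(child, path + (key,))
    elif isinstance(values, list):
        for i, child in enumerate(values):
            yield from find_flag(child, path + (str(i),))


def is_enabled(value):
    # Fail closed: only boolean false or null counts as disabled. Helm
    # templates treat a non-empty string as true, so "false" supplied via
    # --set-string may still switch the option on.
    return value is not None and value is not False


def audit(persistent_releases):
    """persistent_releases maps release name -> JSON text of its Helm values.

    Returns (release, path, value) for each release accepting test-signed tokens.
    """
    findings = []
    for name, text in persistent_releases.items():
        for path, value in find_flag(json.loads(text)):
            if is_enabled(value):
                findings.append((name, path, value))
    return sorted(findings, key=lambda f: f[:2])


# Constructed sample: values of four hypothetical persistent releases.
SAMPLE = {
    "oet-staging": '{"ska-oso-oet": {"pipeline_test_deployment": false}}',
    "oet-integration": '{"ska-oso-oet": {"pipeline_test_deployment": true}}',
    "oet-prod": '{"global": {}, "ska-oso-oet": {"pipeline_test_deployment": "false"}}',
    "oet-dev": '{"ska-oso-oet": {}}',
}

if __name__ == "__main__":
    for release, path, value in audit(SAMPLE):
        print(f"{release}: {path}={value!r} (server verifies against test keys)")
```

Run it only over releases that are meant to persist; short-lived pipeline deployments legitimately set the flag.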