Versions Compared

Old Version 1

changes.mady.by.user Steven Maglio

Saved on

compared with

New Version 2

changes.mady.by.user Steven Maglio

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Page Properties


Project TitleCampus API Gateway
Target Release
Epic
Document Status
Status
titleDRAFT
Document Owner

Document Sign-Off
Subject Matter Expert(s)
Technical Expert(s)


Background & Business Value

Frequently when updated a resource not only does the Calling Application need to be known, but the End User that is attempting to perform the update also needs to be known. Either one or both are needed to properly determine if the action is authorized, while both are needed for audit logging.

Goals

Out of Scope

  • Defining Resource Server (Service) Authorization/Permissions System.

Assumptions

Requirements

Must meet requirements from Usage: Application to Resource Server Requirements

Ticket(s)TitleUser StoryPriorityNotes

Identify End UserAs a Client Developer, I need a way to provide the Resource Service with authenticated identity information about who is using my application.
Status
colourGreen
titlemust have
  • Should need both Service Account ucsbNetId and password, and the End User ucsbNetId and password.
  • OAuth call should go against Apigee OAuth endpoint.
    • Apigee will pass through the call to Campus IdM
    • The Campus IdM response will pass through back to the client

Authenticate End UserAs a Campus IdM Admin, I need authenticate the End User before the Resource Service can grant access.
Status
colourGreen
titlemust have

Verify End User in Resource Server (Service)As a Resource Service Developer, I need a way to provide the Resource Service with authenticated identity information about who is using my resource.
Status
colourGreen
titlemust have

Authorize End User & App in Resource Server (Service)As a Resource Service Developer, I need to be able to lookup permissions and enforce access authorization.
Status
colourGreen
titlemust have
  • For application specific permissions, the Authorization Provider should be determined by the Resource Service Developer. This can be something created solely by the developer for their needs or it can be a campus provided solution.

Verify App in Resource Server (Service)As a Resource Service Developer, I need to be able to provide the Resource service with authenticated identity information about the client application using my resource.
Status
colourYellow
titlenice to have

User Interaction, Design & Architecture

Service Architecture (PowerPoint)

Image Added

Sequence Diagrams (WebSequenceDiagrams Link)

Image Added

Examples and References

Questions

Below is a list of questions to be addressed as a result of this requirements document:

QuestionOutcomeDecision Date
Can you use the Introspection Endpoint from the Resource Service? Is the original client_id and client_secret required? Or will it work with the client_id of the Resource Service (Registrations SVC ucsbNetId)?

What does the Introspection Endpoint return for the password grant type? Does it return both the End User ucsbNetId and the client_ID (Client App ucsbNetId)?It returns both the sub (End User ucsbNetId) and the client_id (Client App ucsbNetId).