...
A lot of applications need access to non-sensitive data (P1). To provide for those needs we will use the Campus API Gateway to restrict access to only known clients. But, those clients will NOT need to be known to the Resource Server. This should be the simplest machine-to-machine interactions the Campus API Gateway needs to provide.
Real World Scenario: A web application needs to retrieve Registrar class level code translations in order to display it on the screen. The web application will need to call through the API Gateway to the Lookupsr service. The Lookups service does not need to know what client is calling it; it only needs to trust that the API Gateway verified the client has permissions to make the call.
Goals
- Provide access to non-sensitive data (P1)
- Provide the least amount of security needed to gain access
- Enforce security through all access going through the Campus API Gateway
- Enforce security through IP/DNS access restrictions to the Resource Servers
...
- Campus IdM will support client_credential grant using
ucsbNetId
andpassword
for Application Accounts (Service Accounts). - Basic Security Requirements
- Apigee Gateway OAuth Token will having matching lifespan as Campus IdM OAuth Token.
Requirements
Ticket(s) | Title | User Story | Priority | Notes | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Call Non-Sensitive API | As a Client Developer, I need to authenticate my calls to the Campus API Gateway in order to get access to non-sensitive endpoints (/students/lookups) |
|
| |||||||
Authenticate Client | As a Campus IdM Admin, I need to authenticate the Client Application before the Campus API Gateway can grant access |
|
| |||||||
Client Info Storage in Campus API Gateway | As a Campus API Admin, I need to retrieve Client Application information for future request verifications. |
|
|
User Interaction, Design & Architecture
Service Architecture for OAuth Token (PowerPoint)
Sequence Diagram for OAuth Token (WebSequenceDiagrams Link)
Service Architecture for OAuth JWT (PowerPoint)
Sequence Diagram for OAuth JWT (WebSequenceDiagrams Link)
...
- Apigee: Using Third Party OAuth
- PingIdentity OAuth 2.0 Developers GuideApigee JWT Overview
Questions
Below is a list of questions to be addressed as a result of this requirements document:
...