...

A lot of applications need access to non-sensitive data (P1). To meet that need we will use the Campus API Gateway to restrict access to known clients only; those clients will NOT need to be known to the Resource Server. This should be the simplest machine-to-machine interaction the Campus API Gateway needs to provide.

Real World Scenario: A web application needs to retrieve Registrar class level code translations in order to display them on the screen. The web application will call through the API Gateway to the Lookups service. The Lookups service does not need to know which client is calling it; it only needs to trust that the API Gateway has verified that the client has permission to make the call.

Goals

  • Provide access to non-sensitive data (P1)
  • Require only the minimum level of authentication needed to gain access to non-sensitive data
  • Enforce security through all access going through the Campus API Gateway
  • Enforce security through IP/DNS access restrictions to the Resource Servers

...

  • Campus IdM will support the client_credentials grant using a ucsbNetId and password for Application Accounts (Service Accounts).
  • Application Accounts (Service Accounts) Description from ETSC (UCSB isDesk):
    > 2018-05-25 10:06:09 - Laurie Branagan (Additional comments)
    > App accounts were created to allow for programmatic access to the
    > directory without embedding a person's credentials in the application. They
    > were not scoped to be used for authorization beyond access to the
    > directory. It's understood this utility is somewhat limited.
    > If what you're requesting is non-person entities in the directory - That
    > feature is on the roadmap document that the Identity Advisory Group drafted
    > last year. It has not been implemented.
  • Campus IdM will support an OAuth 2.0 introspection endpoint.
  • Campus IdM will be able to store the Apigee client_id.
  • All calls will be over HTTPS.
  • Basic Security Requirements
  • The Apigee Gateway OAuth Token will have the same lifespan as the Campus IdM OAuth Token.

Requirements

Ticket(s) | Title | User Story | Priority | Notes

Title: Call Non-Sensitive API
User Story: As a Client Developer, I need to authenticate my calls to the Campus API Gateway in order to get access to non-sensitive endpoints (/students/lookups).
Priority: must have
Notes:
  • Should only need to provide the Service Account ucsbNetId and password.
  • The OAuth call should go against the Apigee OAuth endpoint.
    • Apigee will pass the call through to Campus IdM.
    • The Campus IdM response will be passed through back to the client.

Title: Authenticate Client
User Story: As a Campus IdM Admin, I need to authenticate the Client Application before the Campus API Gateway can grant access.
Priority: must have

Title: Client Info Storage in Campus API Gateway
User Story: As a Campus API Admin, I need to retrieve Client Application information for future request verifications.
Priority: must have
Notes:
  • Campus IdM access tokens will need to be stored in the Apigee OAuth Provider.
  • Apigee will need to store the access token and client_id via the OAuthV2/GenerateAccessToken policy. This mapping is used to verify and validate subsequent calls from the client through Apigee.
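The pass-through token request and the access_token to client_id storage described in the requirements above, as an added example that is not the project's own code or configuration. Campus IdM, the Apigee gateway and the Lookups resource server are in-process stand-ins; the service account name, client_id, signing key, class-level data and the /students/lookups/classLevels path are all constructed for the example. The gateway stores each token with the expiry IdM issued so the two lifespans match, and the resource server accepts requests only from the gateway (standing in for the IP/DNS restriction), so a direct call that bypasses the gateway is refused even with a valid token.

```python
# Added example (not the project's code): in-process simulation of the
# client_credentials flow through the gateway. All names, paths, data and
# the signing key below are assumptions constructed for the example.
import base64
import hashlib
import hmac
import json
import secrets

IDM_SIGNING_KEY = b"campus-idm-demo-signing-key"  # constructed, not a real key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class CampusIdM:
    """Stand-in for Campus IdM: service accounts, client_credentials grant, introspection."""

    def __init__(self, token_ttl: int = 3600):
        self.ttl = token_ttl
        self.accounts = {}  # ucsbNetId -> (salt, pbkdf2 hash, ucsbCampusId)
        self.issued = {}    # access_token -> claims (backs the introspection endpoint)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_service_account(self, netid: str, password: str, campus_id: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[netid] = (salt, self._hash(password, salt), campus_id)

    def token(self, grant_type: str, netid: str, password: str, now: float) -> dict:
        """Token endpoint; only client_credentials is supported."""
        if grant_type != "client_credentials":
            return {"error": "unsupported_grant_type"}
        rec = self.accounts.get(netid)
        if rec is None:
            return {"error": "invalid_client"}
        salt, digest, campus_id = rec
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return {"error": "invalid_client"}
        # With client_credentials the service account is both client and resource
        # owner, so the ucsbNetId claims for the two collapse onto one value.
        claims = {"ucsbNetId": netid, "ucsbCampusId": campus_id,
                  "iat": int(now), "exp": int(now) + self.ttl}
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
        sig = hmac.new(IDM_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
        jwt = signing_input + "." + _b64url(sig)
        self.issued[jwt] = claims
        return {"access_token": jwt, "token_type": "Bearer", "expires_in": self.ttl}

    def introspect(self, token: str, now: float) -> dict:
        """RFC 7662-style introspection: active plus claims, or inactive."""
        claims = self.issued.get(token)
        if claims is None or claims["exp"] <= now:
            return {"active": False}
        return {"active": True, **claims}


class LookupsService:
    """Resource server. Sees no client identity; it only checks the request came
    from the gateway (stand-in for the IP/DNS restriction on the server)."""
    CLASS_LEVELS = {"FR": "Freshman", "SO": "Sophomore", "JR": "Junior", "SR": "Senior"}  # constructed

    def handle(self, path: str, source: str):
        if source != "gateway":
            return 403, {"error": "forbidden"}
        if path == "/students/lookups/classLevels":
            return 200, dict(self.CLASS_LEVELS)
        return 404, {"error": "not_found"}


class ApigeeGateway:
    """Stand-in for the Campus API Gateway: passes the token request through to IdM
    and keeps the access_token -> client_id mapping the OAuthV2 policy would store."""

    def __init__(self, idm: CampusIdM, lookups: LookupsService):
        self.idm, self.lookups = idm, lookups
        self.clients = {}      # Apigee client_id -> ucsbNetId allowed to use it (assumed pairing)
        self.token_store = {}  # access_token -> (client_id, expiry)

    def register_client(self, client_id: str, netid: str) -> None:
        self.clients[client_id] = netid

    def oauth_token(self, client_id: str, netid: str, password: str, now: float):
        if self.clients.get(client_id) != netid:
            return 401, {"error": "invalid_client"}  # unknown client or account mismatch
        resp = self.idm.token("client_credentials", netid, password, now)
        if "access_token" not in resp:
            return 401, resp  # IdM's error response passed back unchanged
        # Store with the expiry IdM issued so the gateway lifespan matches IdM's.
        self.token_store[resp["access_token"]] = (client_id, now + resp["expires_in"])
        return 200, resp

    def call(self, authorization: str, path: str, now: float):
        if not authorization.startswith("Bearer "):
            return 401, {"error": "invalid_request"}
        entry = self.token_store.get(authorization[len("Bearer "):])
        if entry is None or entry[1] <= now:
            return 401, {"error": "invalid_token"}
        # Forward with no client identity; Lookups trusts the gateway's check.
        return self.lookups.handle(path, source="gateway")


def run_scenario() -> dict:
    """Walks the web-application scenario and returns the status of each step."""
    idm, lookups = CampusIdM(token_ttl=3600), LookupsService()
    gw = ApigeeGateway(idm, lookups)
    idm.add_service_account("svc-webapp", "correct horse battery staple", "A0000001")  # constructed
    gw.register_client("apigee-client-123", "svc-webapp")
    t0 = 1_700_000_000.0
    pw = "correct horse battery staple"
    bad_pw = gw.oauth_token("apigee-client-123", "svc-webapp", "wrong", t0)[0]
    unknown = gw.oauth_token("not-registered", "svc-webapp", pw, t0)[0]
    status, tok = gw.oauth_token("apigee-client-123", "svc-webapp", pw, t0)
    bearer = "Bearer " + tok["access_token"]
    ok_status, body = gw.call(bearer, "/students/lookups/classLevels", t0 + 60)
    return {"bad_password": bad_pw, "unknown_client": unknown, "token": status,
            "lookup": ok_status, "class_levels": body,
            "bypass_gateway": lookups.handle("/students/lookups/classLevels", "internet")[0],
            "expired_gateway": gw.call(bearer, "/students/lookups/classLevels", t0 + 3600)[0],
            "expired_idm_active": idm.introspect(tok["access_token"], t0 + 3600)["active"],
            "claims": idm.introspect(tok["access_token"], t0 + 60)}
```

Two points the simulation makes concrete: the gateway never needs to understand the IdM token itself, only to remember which client_id it was issued to and when it expires, and because that expiry is copied from IdM's expires_in the gateway and IdM reject the token at the same instant. The real Lookups service must enforce the gateway-only rule at the network layer (the IP/DNS restriction in the goals), since a bearer token alone would be accepted from anyone who could reach the server.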

User Interaction, Design & Architecture

Service Architecture for OAuth Token (PowerPoint) [image]

Sequence Diagram for OAuth Token (WebSequenceDiagrams Link) [image]

Service Architecture for OAuth JWT (PowerPoint) [image]

Sequence Diagram for OAuth JWT (WebSequenceDiagrams Link) [image]

Examples and References

Questions

...

Question | Outcome | Decision Date

Question: Will the Apigee server (using an Apigee SVC Account ucsbNetId and password) be able to retrieve the identity information from the OAuth system?
Outcome: (not yet recorded)
Decision Date: (not yet recorded)

Question: What is the format of the resulting JWT contents?
Outcome: (not yet recorded)
Decision Date: (not yet recorded)

Question: Do Service Accounts have to be created in a particular way to ensure the desired claims are always returned?
Outcome: (not yet recorded)
Decision Date: (not yet recorded)

Desired Claims

  • ucsbNetId of Resource Owner
  • ucsbCampusId of Resource Owner
  • ucsbNetId of Client