Background & Business Value
Frequently when updated a resource not only does the Calling Application need to be known, but the End User that is attempting to perform the update also needs to be known. Either one or both are needed to properly determine if the action is authorized, while both are needed for audit logging.
Goals
- All Goals from Usage: Application to Resource Server Requirements
- Provide a way to get identifying information for both the Client Application and the End User.
- This identifiers should be used for both authorization and audit logging.
Out of Scope
- Defining Resource Server (Service) Authorization/Permissions System.
Assumptions
- All Assumptions from Usage: Application to Resource Server Requirements
- Campus IdM system will support the password grant type.
- It is a requirement that
ucsbNetId
's for Service Accounts must be unique and non-changing.- They should be able to be reused. But the expectation is that if a service account changes names, it will need to have it's permissions reestablished in all downstream systems.
Requirements
Must meet requirements from Usage: Application to Resource Server Requirements
Ticket(s) | Title | User Story | Priority | Notes |
---|---|---|---|---|
Identify End User | As a Client Developer, I need a way to provide the Resource Service with authenticated identity information about who is using my application. | MUST HAVE |
| |
Authenticate End User | As a Campus IdM Admin, I need authenticate the End User before the Resource Service can grant access. | MUST HAVE |
| |
Verify End User in Resource Server (Service) | As a Resource Service Developer, I need a way to provide the Resource Service with authenticated identity information about who is using my resource. | MUST HAVE |
| |
Authorize End User & App in Resource Server (Service) | As a Resource Service Developer, I need to be able to lookup permissions and enforce access authorization. | MUST HAVE |
| |
Verify App in Resource Server (Service) | As a Resource Service Developer, I need to be able to provide the Resource service with authenticated identity information about the client application using my resource. | NICE TO HAVE |
|
User Interaction, Design & Architecture
Service Architecture (PowerPoint)
Sequence Diagrams (WebSequenceDiagrams Link)
Examples and References
- Apigee: Using Third Party OAuth
- PingIdentity OAuth 2.0 Developers Guide
- PingIdentity OpenId Connect Developers Guide
Questions
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome | Decision Date |
---|---|---|
Can you use the Introspection Endpoint from the Resource Service? Is the original client_id and client_secret required? Or will it work with the client_id of the Resource Service (Registrations SVC ucsbNetId )? | ||
What does the Introspection Endpoint return for the password grant type? Does it return both the End User ucsbNetId and the client_ID (Client App ucsbNetId )? | It returns both the sub (End User ucsbNetId ) and the client_id (Client App ucsbNetId ). |