Usage: Application to Campus API Gateway Requirements

Project Title	Campus API Gateway
Target Release
Epic
Document Status	DRAFT
Document Owner
Document Sign-Off
Subject Matter Expert(s)
Technical Expert(s)

Background & Business Value

A lot of applications need access to non-sensitive data (P1). To provide for those needs we will use the Campus API Gateway to restrict access to only known clients. But, those clients will NOT need to be known to the Resource Server. This should be the simplest machine-to-machine interactions the Campus API Gateway needs to provide.

Real World Scenario: A web application needs to retrieve Registrar class level code translations in order to display it on the screen. The web application will need to call through the API Gateway to the Lookupsr service. The Lookups service does not need to know what client is calling it; it only needs to trust that the API Gateway verified the client has permissions to make the call.

Goals

Provide access to non-sensitive data (P1)
Provide the least amount of security needed to gain access
Enforce security through all access going through the Campus API Gateway
Enforce security through IP/DNS access restrictions to the Resource Servers

Out of Scope

Anything that has to do with data classified as P2 or higher.

Assumptions

Campus IdM will support client_credential grant using ucsbNetId and password for Application Accounts (Service Accounts).
Basic Security Requirements
Apigee Gateway OAuth Token will having matching lifespan as Campus IdM OAuth Token.

Requirements

Title	User Story	Priority	Notes
Call Non-Sensitive API	As a Client Developer, I need to authenticate my calls to the Campus API Gateway in order to get access to non-sensitive endpoints (/students/lookups)	MUST HAVE	Should only need to provide Service Account `ucsbNetId` and `password`. OAuth call should go against Apigee OAuth endpoint. Apigee will pass through the call to Campus IdM The Campus IdM response will pass through back to the client
Authenticate Client	As a Campus IdM Admin, I need to authenticate the Client Application before the Campus API Gateway can grant access	MUST HAVE	Should use client_credential grant. Will return `Apigee client_id`. If not directly in the response, then the information should be attainable from an Introspection Endpoint.
Client Info Storage in Campus API Gateway	As a Campus API Admin, I need to retrieve Client Application information for future request verifications.	MUST HAVE	Campus IdM `access token`s will need to be stored in the Apigee OAuth Provider. Apigee will need to store the `access token` and `client_id` in the OAuthV2/GenerateAccessToken policy. This will be used for verification/validation in subsequent calls from the client through Apigee.

User Interaction, Design & Architecture

Service Architecture for OAuth Token (PowerPoint)

Sequence Diagram for OAuth Token (WebSequenceDiagrams Link)

Service Architecture for OAuth JWT (PowerPoint)

Sequence Diagram for OAuth JWT (WebSequenceDiagrams Link)

Examples and References

Questions

Below is a list of questions to be addressed as a result of this requirements document:

Question Outcome Decision Date

What is the format of the result JWT contents?

Do Service Accounts have to be created in a particular way to ensure the desired claims are always returned?

Desired Claims

ucsbNetId of Resource Owner
ucsbCampusId of Resource Owner
ucsbNetId of Client