Usage: Application to Resource Server Requirements

Project Title	Campus API Gateway
Target Release
Epic
Document Status	DRAFT
Document Owner
Document Sign-Off
Subject Matter Expert(s)
Technical Expert(s)

Background & Business Value

Systems which contain protected data (P2 or higher) need to permissions setup around who can access data. The identity information of the system authorized to access the data needs to be known to the Resource Server (Service). To do this we need a means to get the ID of the client application which is retrieving the information.

Real World Scenario: An Engineering web application needs to look up the registrations status for a given student. The web application will need to call through the API Gateway to the Registrations service. The Registrations service will need to know who the client application is in order to limit the scope of students that can be looked up (ie. the Engineering web app call only look up Engineering students).

Goals

All Goals from Usage: Application to Campus API Gateway Requirements.
Provide access to somewhat sensitive information (P2 or higher).
Provide a way to pass across identity information from the calling/client application.
- For authorization and audit logging.

Out of Scope

Any operation that requires knowing who the actual user of the calling/client application is.
Defining Resource Server (Service) Authorization/Permissions System.

Assumptions

All Assumptions from Usage: Application to Campus API Gateway Requirements.
Campus PingIdentity system will provide the validate_bearer grant.

Requirements

Must meet all requirements from Usage: Application to Campus API Gateway Requirements.

Ticket(s)	Title	User Story	Priority	Notes
	Verify Client in Resource Server (Service)	As a Resource Service Developer, I need to verify/validate the Access Token sent in the request. I need this to return the unique identifier(s) used to lookup permissions.	MUST HAVE	The PingIdentity server should provide validate_bearer grant in order to get back the Client Applications `ucsbNetId` and other unique identifiers (ie. `ucsbCampusId`, etc).
	Authorize Client in Resource Server (Service)	As a Resource Service Developer, I need to be able to lookup permissions and enforce access authorization.	MUST HAVE	For application specific permissions, the Authorization Provider should be determined by the Resource Service Developer. This can be something created solely by the developer for their needs or it can be a campus provided solution.

User Interaction, Design & Architecture

Service Architecture for OAuth Token (PowerPoint)

Sequence Diagram OAuth Token (WebSequenceDiagrams Link)

Service Architecture for OAuth JWT (PowerPoint)

Sequence Diagram OAuth JWT (WebSequenceDiagrams Link)

Examples and References

Questions

Below is a list of questions to be addressed as a result of this requirements document:

Question	Outcome	Decision Date
Will the Web API service (using an RegistrationSVC Account `ucsbNetId` and `password` be able to retrieve the identity information from the OAuth system?