Usage: Application to Resource Server Requirements

Project Title: Campus API Gateway
Target Release
Epic
Document Status
DRAFT
Document Owner

Document Sign-Off
Subject Matter Expert(s)
Technical Expert(s)

Background & Business Value

Systems which contain protected data (P2 or higher) need permissions set up around who can access that data. The identity of the system authorized to access the data needs to be known to the Resource Server (Service). To do this we need a means to obtain the ID of the client application that is retrieving the information.

Real World Scenario: An Engineering web application needs to look up the registration status for a given student. The web application will need to call through the API Gateway to the Registrations service. The Registrations service will need to know who the client application is in order to limit the scope of students that can be looked up (i.e. the Engineering web app can only look up Engineering students).

Goals

Out of Scope

  • Any operation that requires knowing who the actual user of the calling/client application is.
  • Defining Resource Server (Service) Authorization/Permissions System.

Assumptions

Requirements

Must meet all requirements from Usage: Application to Campus API Gateway Requirements.

Ticket(s):
Title: Verify Client in Resource Server (Service)
User Story: As a Resource Service Developer, I need to verify/validate the Access Token sent in the request. I need this to return the unique identifier(s) used to look up permissions.
Priority: MUST HAVE
Notes:
  • The PingIdentity server should provide a validate_bearer grant in order to return the Client Application's ucsbNetId and other unique identifiers (e.g. ucsbCampusId).

Ticket(s):
Title: Authorize Client in Resource Server (Service)
User Story: As a Resource Service Developer, I need to be able to look up permissions and enforce access authorization.
Priority: MUST HAVE
Notes:
  • For application-specific permissions, the Authorization Provider should be determined by the Resource Service Developer. This can be something created solely by the developer for their needs, or it can be a campus-provided solution.
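The two requirements above, worked as a resource-server handler, as an added example (not the project's own code): the token is validated, the client's ucsbNetId is taken from the validation result, and a developer-owned permission table restricts which students that client may look up, mirroring the Engineering scenario from the Background section. The validate_bearer call is replaced by a constructed lookup table so the example runs offline; the student records and permission table are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the PingIdentity validate_bearer response: access
# token -> identifiers of the client application that holds it. A real service
# would send the token to the OAuth server and parse the JSON reply instead.
FAKE_VALIDATE_BEARER = {
    "tok-eng-123": {"ucsbNetId": "engwebapp", "ucsbCampusId": "A00000001"},
    "tok-lib-456": {"ucsbNetId": "libraryapp", "ucsbCampusId": "A00000002"},
}

# Constructed authorization table owned by the Registrations service developer:
# which college(s) each client application (by ucsbNetId) may look up.
CLIENT_COLLEGE_SCOPE = {
    "engwebapp": {"Engineering"},
    "libraryapp": {"Engineering", "Letters & Science"},
}

# Constructed student records keyed by student id.
STUDENTS = {
    "s1001": {"college": "Engineering", "status": "registered"},
    "s2002": {"college": "Letters & Science", "status": "on leave"},
}

@dataclass
class Result:
    status: int                  # HTTP-style status the service would return
    body: Optional[dict] = None

def validate_bearer(token: str) -> Optional[dict]:
    """Return the client identifiers for an access token, or None if invalid."""
    return FAKE_VALIDATE_BEARER.get(token)

def registration_status(authorization: str, student_id: str, validator=validate_bearer) -> Result:
    """Resource-server handler: validate the token, identify the client, authorize."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return Result(401)               # no usable bearer token in the request
    client = validator(token)
    if client is None:
        return Result(401)               # token rejected by the OAuth server
    allowed = CLIENT_COLLEGE_SCOPE.get(client["ucsbNetId"], set())
    student = STUDENTS.get(student_id)
    # Deny by default: an unknown student and an out-of-scope student both get
    # 403, so a client cannot probe for ids outside the colleges it may see.
    if student is None or student["college"] not in allowed:
        return Result(403)
    return Result(200, {"student_id": student_id, "status": student["status"]})
```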

User Interaction, Design & Architecture

Service Architecture for OAuth Token (PowerPoint)


Sequence Diagram OAuth Token (WebSequenceDiagrams Link)



Service Architecture for OAuth JWT (PowerPoint)



Sequence Diagram OAuth JWT (WebSequenceDiagrams Link)


Examples and References

Questions

Below is a list of questions to be addressed as a result of this requirements document:

Question: Will the Web API service (using a RegistrationSVC account ucsbNetId and password) be able to retrieve the identity information from the OAuth system?
Outcome:
Decision Date: