Usage: Application to Resource Server Requirements
Background & Business Value
Systems that contain protected data (P2 or higher) need permissions set up around who can access that data. The identity of the system authorized to access the data needs to be known to the Resource Server (Service). To do this we need a means to get the ID of the client application that is retrieving the information.
Real World Scenario: An Engineering web application needs to look up the registration status for a given student. The web application will need to call through the API Gateway to the Registrations service. The Registrations service will need to know who the client application is in order to limit the scope of students that can be looked up (i.e. the Engineering web app can only look up Engineering students).
Goals
- All Goals from Usage: Application to Campus API Gateway Requirements.
- Provide access to somewhat sensitive information (P2 or higher).
- Provide a way to pass across identity information from the calling/client application.
- For authorization and audit logging.
Out of Scope
- Any operation that requires knowing who the actual user of the calling/client application is.
- Defining Resource Server (Service) Authorization/Permissions System.
Assumptions
- All Assumptions from Usage: Application to Campus API Gateway Requirements.
- Campus PingIdentity system will provide the validate_bearer grant.
Requirements
Must meet all requirements from Usage: Application to Campus API Gateway Requirements.
Ticket(s) | Title | User Story | Priority | Notes |
---|---|---|---|---|
 | Verify Client in Resource Server (Service) | As a Resource Service Developer, I need to verify/validate the Access Token sent in the request. I need this to return the unique identifier(s) used to look up permissions. | MUST HAVE | |
 | Authorize Client in Resource Server (Service) | As a Resource Service Developer, I need to be able to look up permissions and enforce access authorization. | MUST HAVE | |
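The two user stories above (verify the access token, then look up and enforce the client's permissions) are shown end to end in the following example. It is added here and is not code from this project; it assumes the JWT variant of the architecture with an HS256 shared secret so that it runs offline, whereas the real Resource Server would validate the token against the campus PingIdentity system (the validate_bearer grant or the JWT signing keys) instead of a local secret. The client permission table, student records, client_id claim name and `mint_token` helper (used only to build test input) are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example only. A deployed Resource Server would
# validate against PingIdentity (validate_bearer grant) or the issuer's public keys.
SHARED_SECRET = b"example-only-secret-not-for-production"

# Constructed permission table keyed by OAuth client_id: which departments'
# students each calling application may look up (the "Engineering app can only
# look up Engineering students" rule from the scenario).
CLIENT_PERMISSIONS = {
    "engineering-web-app": {"ENGR"},
    "registrar-portal": {"ENGR", "L&S", "GRAD"},
}

# Constructed student records standing in for the Registrations service data store.
STUDENTS = {
    "1001": {"department": "ENGR", "registered": True},
    "2002": {"department": "L&S", "registered": False},
}


class TokenError(Exception):
    """Raised when the access token cannot be trusted."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(client_id: str, ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Issuer side (hypothetical): mint an HS256 JWT carrying the client identity."""
    issued = int(now if now is not None else time.time())
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url_encode(json.dumps(
        {"client_id": client_id, "iat": issued, "exp": issued + ttl_seconds}).encode())
    signing_input = f"{header}.{claims}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Story 1: validate the token and return the claims holding the client identifier."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # never let the token pick its own algorithm
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        raise TokenError("token expired")
    if "client_id" not in claims:
        raise TokenError("no client identity in token")
    return claims


def lookup_registration(authorization_header: str, student_id: str,
                        now: Optional[float] = None) -> dict:
    """Story 2: Resource Server handler that identifies the client and enforces its scope."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return {"status": 401, "error": "missing bearer token"}
    try:
        claims = verify_token(token, now=now)
    except TokenError as err:
        return {"status": 401, "error": str(err)}
    client_id = claims["client_id"]
    allowed_departments = CLIENT_PERMISSIONS.get(client_id)
    if allowed_departments is None:
        return {"status": 403, "error": f"client {client_id} has no permissions"}
    student = STUDENTS.get(student_id)
    if student is None or student["department"] not in allowed_departments:
        # Same answer for unknown and out-of-scope students, so the client
        # cannot probe which student IDs exist outside its scope.
        return {"status": 404, "error": "student not found"}
    # Audit log records the verified client identity, never the token itself.
    print(f"AUDIT client={client_id} student={student_id} decision=granted")
    return {"status": 200, "registered": student["registered"]}


if __name__ == "__main__":
    token = mint_token("engineering-web-app")
    print(lookup_registration(f"Bearer {token}", "1001"))  # in scope
    print(lookup_registration(f"Bearer {token}", "2002"))  # L&S student, out of scope
```

The handler returns the same 404 for an unknown student and an out-of-scope student, and the audit line carries the client identity rather than the token, which covers the "authorization and audit logging" goal without putting a replayable credential in the logs.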
User Interaction, Design & Architecture
Service Architecture for OAuth Token (PowerPoint)
Sequence Diagram OAuth Token (WebSequenceDiagrams Link)
Service Architecture for OAuth JWT (PowerPoint)
Sequence Diagram OAuth JWT (WebSequenceDiagrams Link)
Examples and References
Questions
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome | Decision Date |
---|---|---|
Will the Web API service (using a RegistrationSVC account ucsbNetId and password) be able to retrieve the identity information from the OAuth system? | | |