Background & Business Value
A lot of applications need access to non-sensitive data (P1). To provide for those needs we will use the Campus API Gateway to restrict access to only known clients. But, those clients will NOT need to be known to the Resource Server. This should be the simplest machine-to-machine interactions the Campus API Gateway needs to provide.
Goals
- Provide access to non-sensitive data (P1)
- Provide the least amount of security needed to gain access
- Enforce security through all access going through the Campus API Gateway
- Enforce security through IP/DNS access restrictions to the Resource Servers
Out of Scope
- Anything that has to do with data classified as P2 or higher.
Assumptions
- Campus IdM will support client_credential grant using
ucsbNetId
andpassword
for Application Accounts (Service Accounts).- Application Accounts (Service Accounts) Description from ETSC (UCSB isDesk):
> 2018-05-25 10:06:09 - Laurie Branagan (Additional comments)
> App accounts were created to allow for programmatic access to the
> directory without embedding a person's credentials in the application. They
> were not scoped to be used for authorization beyond access to the
> directory. It's understood this utility is somewhat limited.
> If what you're requesting is non-person entities in the directory - That
> feature is on the roadmap document that the Identity Advisory Group drafted
> last year. It has not been implemented.
- Application Accounts (Service Accounts) Description from ETSC (UCSB isDesk):
- Campus IdM will support an OAuth 2.0 introspection endpoint.
- Campus IdM will be able to store the
Apigee client_id
. - All calls will be over HTTPS.
Requirements
Ticket(s) | Title | User Story | Priority | Notes |
---|---|---|---|---|
Call Non-Sensitive API | As a Client Developer, I need to authenticate my calls to the Campus API Gateway in order to get access to non-sensitive endpoints (/students/lookups) | MUST HAVE |
| |
Authenticate Client | As a Campus IdM Admin, I need to authenticate the Client Application before the Campus API Gateway can grant access | MUST HAVE |
| |
Client Info Storage in Campus API Gateway | As a Campus API Admin, I need to retrieve Client Application information for future request verifications. | MUST HAVE |
|
User Interaction, Design & Architecture
Service Architecture (PowerPoint)
Sequence Diagram (WebSequenceDiagrams Link)
Examples and References
Questions
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome | Decision Date |
---|---|---|
Will the Apigee server (using an Apigee SVC Account ucsbNetId and password be able to retrieve the identity information from the OAuth system? |