Attendees

Aleksander Reitsakas

Mauree, Venkatesen

Taylor Downs

Uwe Wahser

Aare Laponin

Jaume DUBOIS

PSRAMKUMAR

Steve Conrad

Apologies

Agenda

Presenter

Duration

Discussion

Management of UX switching

PSRAMKUMAR

40 minutes

Context - payments BB onboarding new users (after eligibility determination). Registration BB will send a message with a link that directs to a UX provided by Payments for the user to enter financial details (account #, etc.)

Jaume: standard process is that the UX should always be provided by the application, not by individual BBs.

  • You should have to authenticate on the external platform before entering information

Ramkumar: what should the mechanism be? Iframe/embedding or redirection?

Do we need to pass a token when switching UX? How does OIDC handle this? How do we know what user/screen to return to?

2 scenarios - one is self-directed (I am managing the flow on my own), the other is operator-assisted

Registration - needs to hand over UX to payment. Provides redirect link. Information entered in payment UX. How do we return? Do we need a return URL along with a token that identifies the user/session as well as information on the success/failure of the transaction?

  • Do we require the user to authenticate on the external UX?

Aleksander - do we need an SSO mechanism?

Is there a difference between synchronous and async? Synchronous - user is going directly from registration to payments. Async - registration sends an SMS link to mobile and user accesses outside of the context of the app

  • Sync can happen using UX redirection

  • Async requires backend calls to tell calling BB that data has been collected

Jaume - we need to track consent/authorization being given and for how long (this is different than consent BB functionality)

  • Async should follow the same process as the synchronous flow

Ramkumar to map out async flow. Ingmar to develop sync flow (biometric authentication or authorization)

Authorization of systems

Jaume DUBOIS

10 minutes

User authenticates into an application. After that, authorization should be system to system

Aare: authorization of system is different than authorization of organization

Need clear documentation of the layers and how an application consumes those layers. GovStack is the lower layers.

Capabilities

Steve Conrad

15 minutes

How should we define Capabilities?

Document from Jaume: https://docs.google.com/presentation/d/11zg0PQQKbpWFxwAc_oK12iM83ax8hUpBqlJHwB-kLGk/edit#slide=id.g1ab9444641b_0_218

Next steps/AOB

Steve Conrad

5 minutes

What should we prioritize?

...