...
Agenda | Presenter | Duration | Discussion |
Authentication and Cross-BB Authorization | 40 minutes | For a Use Case, how does user authenticate and how is authorization passed between BBs?
Authentication
Cross-BB Authorization
Ramkumar - background on previous conversations:
Questions - where are roles configured and assigned for users? How do we align these 2 different tokens? Aare - abstract conversation is different than what happens in reality. Services are offered by a specific organization.
Authorization is based on context, just just role - it can be dynamic (ie. a doctor may have limited access to a patient record or an auditor can have limited access to an individual’s tax record) Policies can be used to manually enable functionality There are different scenarios - co-located services (behind the same IM) as well as across different organizations (through IM) Aleksander - IM sits between applications, not BBs. Apps are composed of one or more BBs (co-located). An authorization mechanism is needed for an application, and another is needed for cross-application/cross-organization communication.
Question - should we have a standard authorization and/or API security mechanism that we define? Is this the token that is provided by ID BB? Question - should an application have its own authorization mechanism, or should it always use ID BB? Is there a ‘local’/functional ID? How does it tie to foundational ID?
Uwe - we don’t have a definition of an ‘application’ within GovStack Aare - also need a definition for ‘organization’ Ramkumar - how does consent fit in? Dynamic permissions Sreepathy - Is IM used to protect between 2 different applications? Applications may have multiple BBs
Next steps: Steve to consolidate into a first rough draft to present next week | |
PubSub/Rooms | 15 minutes | How should we define Rooms – are they oriented around Event Types or more broadly? Push to next week | |
Next steps/AOB | 5 minutes | What should we prioritize?
|
...