Agenda

Presenter

Duration

Discussion

Authentication and Cross-BB Authorization

Steve Conrad

PSRAMKUMAR

40 minutes

For a Use Case, how does user authenticate and how is authorization passed between BBs?

• This should be documented in non-functional requirements

Authentication

• Is authentication provided by ID BB? What is returned - a JWT?

Cross-BB Authorization

• How can we make a request from one BB to another and pass authorization? How does a BB know this is a valid request?

• How are we thinking about IAM/RBAC? How do we differentiate between different users and what they can do?

• How does this work with IM? Without IM?

• Ensure that adaptors pass authorization/tokens through?

Ramkumar - background on previous conversations:

• 2 distinct topics - one is around user permissions and one around bb-to-bb permissions

  • IM can manage those bb-to-bb permissions, but doesn’t account for user permissions

  • There is a difference between ‘foundational' registration and registration into a specific program/use case

  • ID building block provides a token that corresponds to a foundational ID, as well as data about a specific program that they are authorized to access

  • Additional role-based access needs to be provided - by specific BBs

  • There is a separate JWT token that is passed between services

Questions - where are roles configured and assigned for users?

PubSub/Rooms

Aleksander Reitsakas

15 minutes

How should we define Rooms – are they oriented around Event Types or more broadly?

Next steps/AOB

Steve Conrad

5 minutes

What should we prioritize?

• GERA document/review - articulate core concerns

• Workflows/Core Capabilities

• Testing with Information Mediator

• Revisit Security Specifications

• Mapping out BB interactions/domain diagrams

  • Aleksander has some resources/starting point

    • Overall structure of GovStack solution

  • Sandbox team has happy flow document that we can walk through

    • Minimum Viable Product (MVP) eg. Happy Flow