Workflow Integration (ID management example)
Feb 15, 2023
Participants: Ain, Aleksander, Sasi, Taylor, Wes, Steve, Esther
Agenda:
Workflow orchestration
How do we manage orchestration in the sequence outlined in the IM conversation? How is the user request managed behind the scenes, given that multiple calls need to be made before responding to the user?
How does a BB know that the incoming requests are valid?
How do we manage scope for a full user journey - how do we know that a request is applicable to a specific scope for a particular user request?
Sasi provided a demo showing the flow for the ID building block using OpenID Connect:
The login page provides the client ID and redirect URL, along with other parameters such as state. The authorization request (which carries the redirect URL) also specifies a response type and scope:
https://idp.collab.mosip.net/authorize?nonce=ere973eieljznge2311&state=eree2311&client_id=5E8y3RgAPqJsyei_vS_K7PpP192_tkpFAoUSuGXantA&redirect_uri=https://healthservices.collab.mosip.net/userprofile&response_type=code&scope=openid%20profile&acr_values=mosip:idp:acr:generated-code%20mosip:idp:acr:biometrics%20mosip:idp:acr:static-code&claims=%7B%22userinfo%22:%7B%22given_name%22:%7B%22essential%22:true%7D,%22phone_number%22:%7B%22essential%22:false%7D,%22email%22:%7B%22essential%22:true%7D,%22picture%22:%7B%22essential%22:false%7D,%22gender%22:%7B%22essential%22:false%7D,%22birthdate%22:%7B%22essential%22:false%7D%7D,%22id_token%22:%7B%7D%7D&display=page&prompt=consent&max_age=21&claims_locales=en&ui_locales=langCode
The user can then validate what information they want to share, and that information is returned to the application.
The overall flow is managed by the ID BB (MOSIP).
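As an added example (not MOSIP or GovStack code), the checks an ID BB can run on the authorization request above before rendering a login page, which is one answer to the agenda question of how a BB knows an incoming request is valid. The client registry is a constructed stand-in for the IdP's real one.

```python
"""Checks an ID building block can apply to the OpenID Connect authorization request
shown above.  Added example, not MOSIP code; the client registry is a constructed placeholder."""
import json
from urllib.parse import urlparse, parse_qs
# Authorization request copied from the demo notes (one string, split for width).
DEMO_URL = (
    "https://idp.collab.mosip.net/authorize?nonce=ere973eieljznge2311&state=eree2311"
    "&client_id=5E8y3RgAPqJsyei_vS_K7PpP192_tkpFAoUSuGXantA"
    "&redirect_uri=https://healthservices.collab.mosip.net/userprofile"
    "&response_type=code&scope=openid%20profile"
    "&acr_values=mosip:idp:acr:generated-code%20mosip:idp:acr:biometrics%20mosip:idp:acr:static-code"
    "&claims=%7B%22userinfo%22:%7B%22given_name%22:%7B%22essential%22:true%7D,"
    "%22phone_number%22:%7B%22essential%22:false%7D,%22email%22:%7B%22essential%22:true%7D,"
    "%22picture%22:%7B%22essential%22:false%7D,%22gender%22:%7B%22essential%22:false%7D,"
    "%22birthdate%22:%7B%22essential%22:false%7D%7D,%22id_token%22:%7B%7D%7D"
    "&display=page&prompt=consent&max_age=21&claims_locales=en&ui_locales=langCode"
)

# Constructed stand-in for the IdP's client registry (the real one lives in the ID BB).
CLIENT_REGISTRY = {"5E8y3RgAPqJsyei_vS_K7PpP192_tkpFAoUSuGXantA": {
    "redirect_uris": {"https://healthservices.collab.mosip.net/userprofile"},
    "scopes": {"openid", "profile", "email"}}}

def validate_authorize_request(url, registry=CLIENT_REGISTRY):
    """Return (errors, essential_claims); an empty error list means the request may proceed."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query, keep_blank_values=True).items()}
    errors = []
    client = registry.get(q.get("client_id"))
    if client is None:
        errors.append("unknown client_id")
    elif q.get("redirect_uri") not in client["redirect_uris"]:  # OIDC: exact string match only
        errors.append("redirect_uri not registered for this client")
    if q.get("response_type") != "code":
        errors.append("only the authorization code flow is accepted")
    scopes = set(q.get("scope", "").split())
    if "openid" not in scopes:
        errors.append("scope must include openid")
    if client and not scopes <= client["scopes"]:
        errors.append("scope exceeds what the client is allowed to request")
    for p in ("state", "nonce"):  # CSRF protection and ID-token replay protection
        if not q.get(p):
            errors.append(f"missing {p}")
    try:  # claims is URL-encoded JSON marking each userinfo claim essential or voluntary
        claims = json.loads(q.get("claims", "{}"))
        essential = sorted(c for c, spec in claims.get("userinfo", {}).items()
                           if isinstance(spec, dict) and spec.get("essential"))
    except (ValueError, AttributeError):
        errors.append("claims is not valid JSON"); essential = []
    return errors, essential
```

The essential claims returned here are the ones the consent page must show as required; the rest are the voluntary ones the user can decline.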
Ain: How does MOSIP know about the other services/applications? There must be some kind of mechanism for service and organization discovery.
How does someone withdraw consent - or when does the consent end?
Consent is connected to a particular scope/access token
How would we manage workflow that would involve multiple other building blocks or that doesn’t start with a login/authentication? How do we manage workflow beyond authentication?
There are extensions within OpenID Connect that could be used.
Token can be used to pass consent or authorization to other building blocks
ID BB has an introspection API that can be used to validate a user and token
Still need to figure out how to coordinate work between multiple building blocks - how is work orchestrated between all participating BBs
The Workflow BB can manage flows between BBs and can automate any back-end process. However, many existing platforms (ID, etc.) probably already have some flows built in and integrated.
GovStack should provide guidance (“recommended processes”) on when to use a generic Workflow engine vs. when to use something that is already integrated into ID or another building block.
From Taylor:
recommended process:
start when request with BLAH is made to X
make request to Y to get token Z
make new request to A to ...
send response to callback API found in B...
this is a process that could be carried out by a workflow engine. in most cases it does NOT make sense to have the standard oauth2 flow done here
but outside that oauth flow, lots of process can be defined