June 16, 2023 Architecture Team Meeting Notes


@Aleksander Reitsakas

@Mauree, Venkatesen

@Taylor Downs

@Uwe Wahser

@Aare Laponin



@Steve Conrad









Management of UX switching


40 minutes

Context - Payments BB onboarding new users (after eligibility determination). Registration BB will send a message with a link that directs to a UX provided by Payments for the user to enter financial details (account #, etc.).

Jaume: standard process is that the UX should always be provided by the application, not by individual BBs.

  • You should have to authenticate on the external platform before entering information

Ramkumar: what should the mechanism be? Iframe/embedding or redirection?

Do we need to pass a token when switching UX? How does OIDC handle this? How do we know what user/screen to return to?

2 scenarios - one is self-directed (I am managing the flow on my own), the other is operator-assisted


Registration - needs to hand over UX to payment. Provides redirect link. Information entered in payment UX. How do we return? Do we need a return URL along with a token that identifies the user/session as well as information on the success/failure of the transaction?

  • Do we require the user to authenticate on the external UX?

Aleksander - do we need an SSO mechanism?

Is there a difference between synchronous and async? Synchronous - user goes directly from registration to payments. Async - registration sends an SMS link to mobile and the user accesses it outside of the context of the app.

  • Sync can happen using UX redirection

  • Async requires backend calls to tell calling BB that data has been collected

Jaume - we need to track consent/authorization being given and for how long (this is different than consent BB functionality)

  • Async should follow the same process as the synchronous flow

Ramkumar to map out async flow. Ingmar to develop sync flow (biometric authentication or authorization)

Authorization of systems


10 minutes

User authenticates into an application. After that, authorization should be system to system

Aare: authorization of system is different than authorization of organization

Need clear documentation of the layers and how an application consumes those layers. GovStack is the lower layers.



@Steve Conrad

15 minutes

How should we define Capabilities?

Document from Jaume: https://docs.google.com/presentation/d/11zg0PQQKbpWFxwAc_oK12iM83ax8hUpBqlJHwB-kLGk/edit#slide=id.g1ab9444641b_0_218

Next steps/AOB

@Steve Conrad

5 minutes

What should we prioritize?

Action Items
