October 27, 2023 Architecture Team Meeting Notes
Attendees
@Trev Harmon
@Steve Conrad
@smita.selot
@Vasil Kolev
@Wes Brown
@PSRAMKUMAR
Apologies
Agenda | Presenter | Duration | Discussion |
ID deep dive | @Steve Conrad @PSRAMKUMAR @smita.selot | 40 minutes | We need to answer core questions about ID - whether it is only foundational, or also functional ID. How do we manage IAM/RBAC? Single Sign On? How do we handle functional IDs Ensure that we are aligned with Sandbox team Note: Information about authorization has been documented here: https://app.gitbook.com/o/pxmRWOPoaU8fUAbbcrus/s/39QVhd0jD6S29Isr7KGF/security-requirements/7-auth-services
Vasil: How does the Sandbox retrieve a foundational ID? Does the user provide their foundational ID number when registering? Or does a BB need to search/filter for a foundational ID? How do we accurately link/map between a logged in user and their foundational ID? Smita: ID BB has existing APIs for enrollment. Links provided to Sandbox team. Relating to authorization, OIDC supports this, but is not currently a part of the ID BB. Can use something like Keycloak for auth. Ramkumar: Step 1 is to register/enroll and get a foundational ID (for GovStack?). For a particular use case, user will register into that use case/program. Smita: Guidance for this functionality is provided in the ID white paper written by Smita. The ID BB should provide a ‘translation’/account mapper that can be used to access other BBs (like Payments) Trev: We need to ensure that any functionality that is required is actually defined in the spec. ID as we are talking about it here is more functional ID, and not foundational ID as generally understood. There are questions/concerns with the ‘authorizing application or use case’ scenario. Steve: Need to address the central portal question - and whether this is required Smita: Account mapping and other workflows still need to be added to the ID BB - but don’t have resources to do this at the moment. ID BB spec (based around MOSIP) does manage foundational ID. Vasil: In any third party auth, the authorizing entity has info on a person and shares it with the requesting app. Each application should not have it’s own functional ID that maps back to the foundational ID. There is missing functionality in the specs (IAM, Mapping, SSO) that keeps us from being able to build real implementations. Vasil: There should be only one login for all GovStack services. This guidance needs to be documented somewhere in GovStack - white paper from Smita, etc. |
PAERA Update | @Aare Laponin @PSRAMKUMAR | 10 minutes | Update on changes to PAERA document and progress/next steps Working draft: Ready for review and comment (Sections 1-3). Steve and Wes to review. Need to decide where this lives for the upcoming release (GitBook, linked, PDF)?
|
Prioritize future topics | @Steve Conrad | 10 minutes |
|
Future topic - Fall 2023 Manage Access Authorization to BB APIs | @Jaume DUBOIS | 30 minutes |
From Technical Committee Meeting: BBs should not own RBAC - the calling applications are responsible for it. Are we using token based authorization within the request to BB? How to get candidates bypass its own RBAC?
|
Action Items
Ramkumar to connect with Hani/Nico on infra requirements
Additional Future Topics
Define a standard set of APIs that are needed for any BB to indicate that they are running, configured and ready to use in the sandbox (or test harness). Do we need a BB registry?
Decoupling BBs into smaller pieces, as well as talking about an approach for existing products which span multiple BBs
How to articulate the different levels/scopes of building blocks - foundational/DPI, functional, and possibly application (things like eMarketplace). This should be clearly articulated in GovStack documentation. Also articulate how service blocks fit in to this paradigm.
Identify BBs that are missing/needed and develop plan to address those new BBs - get feedback from Egypt and Kenya meetings
Questions about IM from Egypt deep dive
Exchanging large amounts of data through IM (MRIs, etc)
Real-time streaming
Taylor: we'd likely need to find some experts on open-source video chat apps, see how Self-Hosting Guide - Debian/Ubuntu server | Jitsi Meet fits into the IM, and ALSO talk about things like email clients and servers
Defining user personas and journeys - outputs would be overall messaging, providing high-level guidance. How does GovStack work to deliver value.
Providing guidance on specific questions coming from country engagement
Example implementations - having BB groups work on them.