November 10, 2023 Architecture Team Meeting Notes

Attendees

Apologies

Agenda

(Each agenda item below lists its presenter, duration and discussion notes.)

Follow up on ID questions

Presenter: @Steve Conrad, @PSRAMKUMAR, @smita.selot, @Vasil Kolev

Duration: 30 minutes

Discussion:

Vasil to develop a document that outlines the core questions/implementation concerns that you have. From there, could you work with Smita and Trev to outline the flow/process that is needed, so that we can identify any gaps in the BB specs or documentation.

We need to ensure that everyone is aligned on ID and Authorization: the ID BB is oriented only around foundational ID, not authorization.

Do we need to create a new Authorization BB that manages SSO, JWT, screen switching, etc., and manages ID and auth across multiple applications?

Can the architecture team develop and manage this BB spec?

Aleks: Roles and permissions need to be managed in each application. Functional Identity should be managed in one place.

Need functional IDs for each system, but an SSO system to link them. Each application would manage functional authentication -

MOSIP has a partner auth system that links to the foundational ID, and there is a functional ID for each application/system. From the functional ID, generate a JWT that can be used.

IM has a list of different systems/apps; this list needs to be kept linked with the auth system.

Action: write up a proposal document outlining 1 or 2 scenarios for conversation/discussion.

GovStack Portal Question

Presenter: @Steve Conrad, @PSRAMKUMAR

Duration: 20 minutes

Discussion:

There have been discussions that imply that GovStack implementations would have a ‘central portal’.

  • Is this a requirement?

  • If an implementation does have a central portal, do we need to document standards?

  • How do we manage administrative portals/functions for each of the BBs in an implementation?

Explore the differences between an SSO system vs. a central portal.

PAERA Update

Presenter: @Aare Laponin, @PSRAMKUMAR

Duration: 10 minutes

Discussion:

Update on changes to the PAERA document and progress/next steps.

Working draft:

https://onedrive.live.com/Edit.aspx?resid=7B252BA6CB083436!9551&wdPid=5887d621&authkey=!AC4bdYfdJIaKi8M

Ready for review and comment (Sections 1-3). Steve and Wes to review.

Need to decide where this lives for the upcoming release (GitBook, linked, PDF)?

  • Put a summary/overview in GitBook (in the cross-cutting section) and then link out to the full content (i.e. PDF in GitHub)?

Prioritize future topics

Presenter: @Steve Conrad

Duration: 10 minutes

Discussion:

  • Capabilities and Service blocks - develop a template

  • Adaptor building block - what is it? Is it needed?

  • Articulating different levels of building blocks - foundational, functional, application.

  • Large data transfers/real-time streaming

Future topic - Fall 2023: Manage Access Authorization to BB APIs

Presenter: @Jaume DUBOIS

Duration: 30 minutes

Discussion:

  • Types of accessors checked (human, back-end systems, apps or browser, robots, hardware, ...)

  • Granularity of access control (building block, module, API, single API service, single API service for a specific tenant or data)

From Technical Committee Meeting:

BBs should not own RBAC - the calling applications are responsible for it.

Are we using token-based authorization within the request to the BB?

How to get candidates to bypass their own RBAC?

  1. Superuser access to be given when merging with the IM backend?

  2. Or control to switch off existing RBAC in target BBs

  3. Option to have an API token registered in IM at max permission level for specific member entities

  4. Come up with a concrete example for this case

Action Items

  • Ramkumar to connect with Hani/Nico on infra requirements

Additional Future Topics