June 16, 2023 Architecture Team Meeting Notes

Attendees

@Aleksander Reitsakas

@Mauree, Venkatesen

@Taylor Downs

@Uwe Wahser

@Aare Laponin

@Jaume DUBOIS

@PSRAMKUMAR

@Steve Conrad

Apologies

 

 

 

Agenda

Presenter

Duration

Discussion

Management of UX switching

@PSRAMKUMAR

40 minutes

Context - payments BB onboarding new users (after eligibility determination). Registration BB will send message with link that will direct to a UX provided by Payments for the user to enter financial details (account #, etc)

Jaume: standard process is that the UX should always be provided by the application, not by individual BBs.

  • You should have to authenticate on the external platform before entering information

Ramkumar: what should the mechanism be? Iframe/embedding or redirection?

Do we need to pass a token when switching UX? How does OIDC handle this? How do we know what user/screen to return to?

2 scenarios - one is self-directed (I am managing the flow on my own), the other is operator-assisted

 

Registration - needs to hand over UX to payment. Provides redirect link. Information entered in payment UX. How do we return? Do we need a return URL along with a token that identifies the user/session as well as information on the success/failure of the transaction?

  • Do we require the user to authenticate on the external UX?

Aleksander - do we need an SSO mechanism?

Is there a difference between synchronous and async? Synchronous - user is going directly from registration to payments. Async - registration sends an SMS link to mobile and user accesses outside of the context of the app

  • Sync can happen using UX redirection

  • Async requires backend calls to tell calling BB that data has been collected

Jaume - we need to track consent/authorization being given and for how long (this is different than consent BB functionality)

  • Async should follow the same process as the synchronous flow

Ramkumar to map out async flow. Ingmar to develop sync flow (biometric authentication or authorization)

Authorization of systems

@Jaume DUBOIS

10 minutes

User authenticates into an application. After that, authorization should be system to system

Aare: authorization of system is different than authorization of organization

Need a clear documentation of the layers and how an application consumes those layers. GovStack is the lower layers

 

Capabilities

@Steve Conrad

15 minutes

How should we define Capabilities?

Document from Jaume: GovStack release capabilities

Next steps/AOB

@Steve Conrad

5 minutes

What should we prioritize?

Action Items