June 16, 2023 Architecture Team Meeting Notes

Attendees

@Aleksander Reitsakas

@Mauree, Venkatesen

@Taylor Downs

@Uwe Wahser

@Aare Laponin

@Jaume DUBOIS

@PSRAMKUMAR

@Steve Conrad

Apologies


Agenda (item, presenter, duration, discussion)

Management of UX switching (@PSRAMKUMAR, 40 minutes)

Context: the Payments BB onboards new users (after eligibility determination). The Registration BB will send a message with a link that directs the user to a UX provided by the Payments BB, where the user enters financial details (account number, etc.).

Jaume: the standard process is that the UX should always be provided by the application, not by individual BBs.

  • You should have to authenticate on the external platform before entering information

Ramkumar: what should the mechanism be? Iframe/embedding or redirection?

Do we need to pass a token when switching UX? How does OIDC handle this? How do we know what user/screen to return to?

Two scenarios: self-directed (the user manages the flow on their own) and operator-assisted.


Registration needs to hand over the UX to Payments: it provides a redirect link, and the information is entered in the Payments UX. How do we return? Do we need a return URL along with a token that identifies the user/session, as well as information on the success/failure of the transaction?

  • Do we require the user to authenticate on the external UX?

Aleksander - do we need an SSO mechanism?

Is there a difference between synchronous and asynchronous? Synchronous: the user goes directly from Registration to Payments. Asynchronous: Registration sends an SMS link to the user's mobile and the user accesses it outside the context of the app.

  • Sync can happen using UX redirection

  • Async requires backend calls to tell calling BB that data has been collected

Jaume - we need to track consent/authorization being given and for how long (this is different than consent BB functionality)

  • Async should follow the same process as the synchronous flow

Ramkumar to map out the async flow; Ingmar to develop the sync flow (biometric authentication or authorization).
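The questions above (pass a token when switching UX, a return URL, identifying the user/session on the way back, reporting success/failure) map onto a small redirect protocol. The following Python sketch is an added example written for these notes, not GovStack code or any BB's implementation: the BB names, URLs, token format and shared secret are assumptions. It shows the synchronous flow as a hand-off token signed by Registration (HMAC, short expiry, nonce, return URL), checked by Payments against a return-URL allowlist so the hand-off cannot be turned into an open redirect, and a signed result token carrying only the outcome back to Registration, which accepts it exactly once.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed shared secret for the example; a real deployment would use a
# per-pair key from the platform key store or an asymmetric signature.
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Hosts the Payments BB will redirect back to (assumed names). Without this
# allowlist a tampered return_url turns the hand-off into an open redirect.
RETURN_URL_ALLOWLIST = {("https", "registration.example.gov")}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, secret: bytes) -> str:
    """Serialise payload as base64url JSON and append an HMAC-SHA256 tag."""
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify(token: str, secret: bytes, now: float) -> dict:
    """Check tag (constant time) and expiry; raise ValueError on any failure."""
    body, _, tag = token.partition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not tag or not hmac.compare_digest(expected, _unb64(tag)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def return_url_allowed(url: str) -> bool:
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc) in RETURN_URL_ALLOWLIST


def query_param(url: str, name: str) -> str:
    return dict(parse_qsl(urlsplit(url).query))[name]


# Registration BB: hand the user over to the Payments UX.
def issue_handoff(session_id, subject, return_url, now, ttl=300):
    """Return (nonce, redirect_url); the nonce is stored with the session."""
    nonce = secrets.token_urlsafe(16)
    token = sign({"iss": "registration", "aud": "payments", "sid": session_id,
                  "sub": subject, "nonce": nonce, "return_url": return_url,
                  "iat": now, "exp": now + ttl}, SHARED_SECRET)
    return nonce, "https://payments.example.gov/ux/bank-details?" + urlencode({"handoff": token})


# Payments BB: accept the hand-off, collect the details, send the user back.
def accept_handoff(token, now):
    payload = verify(token, SHARED_SECRET, now)
    if payload.get("aud") != "payments":
        raise ValueError("token not addressed to payments")
    if not return_url_allowed(payload["return_url"]):
        raise ValueError("return_url not allowlisted")
    return payload


def issue_result(handoff, status, now, ttl=300):
    """Redirect back with a signed outcome only; account details stay in Payments."""
    result = sign({"iss": "payments", "aud": "registration", "sid": handoff["sid"],
                   "nonce": handoff["nonce"], "status": status,
                   "iat": now, "exp": now + ttl}, SHARED_SECRET)
    return handoff["return_url"] + "?" + urlencode({"result": result})


# Registration BB: consume the result exactly once.
def consume_result(url, pending, now):
    """pending maps session_id -> nonce for hand-offs not yet completed."""
    payload = verify(query_param(url, "result"), SHARED_SECRET, now)
    if payload.get("aud") != "registration":
        raise ValueError("token not addressed to registration")
    if pending.get(payload["sid"]) != payload["nonce"]:
        raise ValueError("unknown or replayed hand-off")
    del pending[payload["sid"]]
    return payload["sid"], payload["status"]


def run_flow(now, status="success"):
    """The synchronous round trip end to end; returns (session_id, status)."""
    pending = {}
    nonce, redirect = issue_handoff("sess-42", "user-7",
                                    "https://registration.example.gov/payments/return", now)
    pending["sess-42"] = nonce
    handoff = accept_handoff(query_param(redirect, "handoff"), now + 10)
    back = issue_result(handoff, status, now + 60)
    return consume_result(back, pending, now + 70)
```

The user still authenticates on the Payments UX as the notes require; the token only binds the two screens to one session and does not replace login. For the asynchronous SMS variant the same hand-off token can be placed in the link, with the result delivered by a backend call from Payments to Registration instead of a browser redirect, as the notes propose.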

Authorization of systems (@Jaume DUBOIS, 10 minutes)

The user authenticates to an application. After that, authorization should be system-to-system.

Aare: authorization of system is different than authorization of organization

We need clear documentation of the layers and of how an application consumes those layers. GovStack is the lower layers.


Capabilities (@Steve Conrad, 15 minutes)

How should we define Capabilities?

Document from Jaume: https://docs.google.com/presentation/d/11zg0PQQKbpWFxwAc_oK12iM83ax8hUpBqlJHwB-kLGk/edit#slide=id.g1ab9444641b_0_218

Next steps/AOB (@Steve Conrad, 5 minutes)

What should we prioritize?

Action Items