Usage: SSO Browser App w/ User to Resource Server Requirements

Project Title: Campus API Gateway
Target Release
Epic
Document Status
DRAFT
Document Owner

Document Sign-Off
Subject Matter Expert(s)
Technical Expert(s)

Background & Business Value

This is the same use case as Usage: SSO Enabled Application w/ User to Resource Server Requirements, except that the Browser (instead of the Web Application Server) makes the calls to the API Gateway directly. This means the Web App Authentication/Access Token must be available within the browser, which is a security risk: the browser is an untrusted endpoint, so the token is exposed to any script running in the page, to browser extensions and to anyone with access to the device, and a stolen token can be replayed against the API Gateway from outside the application. The Campus API Gateway team does not recommend this scenario and suggests instead the scenario described in Usage: SSO Enabled Application w/ User to Resource Server Requirements. However, if the risk is acceptable to your application, then ...

Real World Scenario: An SSO-enabled browser application needs to update the registration status for a given student. The browser application calls through the API Gateway to the Registrations service. The Registrations service needs to know which client application is calling in order to limit the set of students that can be updated (e.g. the Engineering web app can only look up Engineering students). Since this is an update, the audit log also needs to record which user made the update. The user identity is used only for audit logging, not for access scoping.

Alternate Future Scenario: An SSO-enabled, student-created browser application needs to retrieve registration information for a given student. The browser application retrieves information on behalf of the student who has logged in, and only that student's information. The student-created web application calls through the API Gateway to the Registrations service. The Registrations service needs to know both which client application is calling and which student is logged in, in order to limit the returned information to that student's own records. Both the web application identity and the user identity are therefore needed to limit access.
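The two scenarios above describe two different authorization rules on the Registrations service side: in the first, only the client application identity scopes access and the user is recorded for audit; in the second, the client is additionally limited to the logged-in student's own record. The following is an added illustration of that logic, not code from the Campus API Gateway or the Registrations service. It assumes the access token has already been validated and decoded into a dict of claims, that the calling application is identified by a `client_id` claim and the user by a `sub` claim, and it uses a constructed client policy table and student directory; all of these are assumptions, not details taken from this document.

```python
"""Added example (not project code): applying the client-scoping and
user-audit rules described in the Registrations scenarios.

Assumptions (not from the requirements document):
- the token was validated upstream and decoded into a dict of claims;
- the calling application is identified by a 'client_id' claim;
- the logged-in user is identified by a 'sub' claim;
- the client policy table and student directory below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class ClientPolicy:
    # Colleges whose students this client may act on (None = not college-scoped).
    colleges: Optional[Set[str]]
    # If True, the client may only act on the logged-in user's own record
    # (the "Alternate Future Scenario").
    own_records_only: bool


# Constructed policy table: a client not listed here gets no access at all.
CLIENT_POLICY = {
    "engineering-web-app": ClientPolicy(colleges={"Engineering"}, own_records_only=False),
    "student-built-app": ClientPolicy(colleges=None, own_records_only=True),
}

# Constructed student directory: student id -> college.
STUDENTS = {
    "s1001": "Engineering",
    "s2002": "Medicine",
}


@dataclass(frozen=True)
class AuditEntry:
    client_id: str
    user: str
    student_id: str
    action: str
    allowed: bool


@dataclass
class RegistrationsService:
    audit_log: list = field(default_factory=list)

    def authorize(self, claims: dict, student_id: str, action: str) -> bool:
        """Decide whether the calling client (and user) may perform `action`
        on `student_id`, and record the decision with the user's identity."""
        client_id = claims.get("client_id")
        user = claims.get("sub")
        policy = CLIENT_POLICY.get(client_id)

        allowed = False
        # Deny by default: unknown client, missing user, or unknown student.
        if policy is not None and user is not None and student_id in STUDENTS:
            if policy.own_records_only:
                # Alternate scenario: client AND user scope the access.
                allowed = user == student_id
            else:
                # Real-world scenario: only the client identity scopes access;
                # the user is needed solely for the audit trail below.
                allowed = STUDENTS[student_id] in policy.colleges

        # Every decision, including denials, is logged with who the user was.
        self.audit_log.append(
            AuditEntry(
                client_id=client_id or "<unknown client>",
                user=user or "<unknown user>",
                student_id=student_id,
                action=action,
                allowed=allowed,
            )
        )
        return allowed


if __name__ == "__main__":
    svc = RegistrationsService()
    svc.authorize({"client_id": "engineering-web-app", "sub": "staff-42"}, "s1001", "update_status")
    svc.authorize({"client_id": "student-built-app", "sub": "s2002"}, "s1001", "read")
    for entry in svc.audit_log:
        print(entry)
```

Note that the audit entry is written for denied requests as well as allowed ones, and that the user identity is always recorded even in the scenario where it plays no part in the access decision.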

Goals

Out of Scope

Assumptions

Requirements

Must meet all requirements of Usage: SSO Enabled Application w/ User to Resource Server Requirements

Ticket(s) | Title | User Story | Priority | Notes

 | Access Tokens used in Browser | As an Application Developer, I need the authentication/access tokens generated by the authentication system to be usable from the browser. | MUST HAVE | 





User Interaction, Design & Architecture


Please refer to Usage: SSO Enabled Application w/ User to Resource Server Requirements for a comparison with the standard use case.


Please refer to Usage: Browser to Campus API Gateway Requirements for a comparison of how a Browser changes the standard usage of the Authentication/Access Token.


Examples and References

Same as Usage: SSO Enabled Application w/ User to Resource Server Requirements


Questions

Below is a list of questions to be addressed as a result of this requirements document:

Question | Outcome | Decision Date