SaFi Bank Space : IAM for Back Office (Technical)

Bank user login

BOFE is integrated with Okta via OAuth2/OIDC.

Tokens are requested by the BOFE SPA using the Authorization Code + PKCE flow (https://developer.okta.com/docs/guides/sign-into-spa-redirect/react/main/).

We want to use short-lived tokens because:
1) Okta doesn’t support back-channel logout, so when a user is deactivated in the Okta dashboard or logs out of Okta, the user would otherwise stay authenticated against our backend systems for much longer than intended; the token lifetime is what bounds that window.

2) Tokens stored on the client (especially in LocalStorage) are exposed to leakage, e.g. through XSS; short lifetimes limit how long a leaked token is useful to an attacker.

Access tokens are valid for 60 minutes. A refresh token must be used at least once every 8 hours, otherwise it expires and the user needs to re-authenticate.

High-level description of the integration:

  1. The client doesn’t have a valid access_token. This is the case when:

    1. No access token is present in Local Storage, or

    2. The stored access token is rejected by Okta (this can be checked by calling Okta’s userinfo endpoint with it).

  2. If the client has a refresh_token, try to refresh the access_token (https://developer.okta.com/docs/guides/refresh-tokens/main/#renew-access-and-id-tokens-with-spas).

  3. If the client has neither a refresh token nor a valid access token, the user has to log in.

  4. The access token is then sent as a Bearer token with requests to the APIs.

  5. When the user wants to log out, follow https://help.okta.com/en-us/Content/Topics/Apps/Apps_Single_Logout.htm, section “Enable SLO for OIDC integrations”. Delete all tokens from Local Storage before redirecting the user to Okta.
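The decision logic of steps 1 to 5 above, written as an added example (this is not BOFE’s own code). It is structured so the flow can be exercised without a browser or a live Okta tenant: `storage` stands in for window.localStorage (same getItem/setItem/removeItem contract), and `okta` is a small adapter whose two methods the real SPA would implement with fetch() against the userinfo and token endpoints. The logout endpoint https://safibank.okta.com/oauth2/v1/logout, the `id_token_hint` parameter and all function names are assumptions of this example, as is the fake Okta at the bottom, which is constructed for offline runs.

```javascript
// Added example, not BOFE's own code. Token lifecycle for the BOFE SPA:
// check -> refresh -> login-required -> use -> logout.

const TOKEN_KEYS = ["access_token", "refresh_token", "id_token"];

// Step 1: a token is "valid" only if Okta's userinfo endpoint accepts it.
// `okta.userinfoAccepts` is assumed to resolve true on HTTP 200, false on 401.
async function hasValidAccessToken(storage, okta) {
  const token = storage.getItem("access_token");
  if (!token) return false;                // step 1.1: nothing stored
  return okta.userinfoAccepts(token);      // step 1.2: rejected by Okta
}

// Steps 1-3: hand back a usable access token, refresh it, or report that a
// full login is required. The login-required path never throws, so the
// caller can redirect cleanly.
async function ensureAccessToken(storage, okta) {
  if (await hasValidAccessToken(storage, okta)) {
    return { outcome: "valid", accessToken: storage.getItem("access_token") };
  }
  const refreshToken = storage.getItem("refresh_token");
  if (refreshToken) {
    const fresh = await okta.refresh(refreshToken);   // step 2
    if (fresh) {
      storage.setItem("access_token", fresh.access_token);
      // Okta rotates refresh tokens for SPAs: always keep the newest one.
      if (fresh.refresh_token) storage.setItem("refresh_token", fresh.refresh_token);
      if (fresh.id_token) storage.setItem("id_token", fresh.id_token);
      return { outcome: "refreshed", accessToken: fresh.access_token };
    }
    // Refresh token unused for >8h or revoked (invalid_grant): fall through.
  }
  clearTokens(storage);                                // step 3
  return { outcome: "login_required", accessToken: null };
}

// Step 4: attach the token as a Bearer credential. `request` stands in for
// fetch() and receives the headers to send.
async function callApi(storage, okta, request) {
  const result = await ensureAccessToken(storage, okta);
  if (result.outcome === "login_required") return { status: 401, body: null };
  return request({ Authorization: `Bearer ${result.accessToken}` });
}

function clearTokens(storage) {
  for (const k of TOKEN_KEYS) storage.removeItem(k);
}

// Step 5: tokens are removed from storage *before* the browser navigates to
// Okta, so nothing is left behind even if the redirect never completes.
// Endpoint and id_token_hint usage are assumptions of this example.
function logout(storage, redirect, logoutUrl = "https://safibank.okta.com/oauth2/v1/logout") {
  const idToken = storage.getItem("id_token");
  clearTokens(storage);
  const u = new URL(logoutUrl);
  if (idToken) u.searchParams.set("id_token_hint", idToken);
  redirect(u.toString());
}

// --- Constructed stand-ins so the example runs offline -------------------

// Fake Okta: `validAccessTokens` is the set userinfo will accept;
// `refreshTokens` maps a refresh token to the token response it yields.
function makeFakeOkta({ validAccessTokens, refreshTokens }) {
  return {
    async userinfoAccepts(token) { return validAccessTokens.has(token); },
    async refresh(refreshToken) {
      const next = refreshTokens.get(refreshToken);
      if (!next) return null;                // invalid_grant
      validAccessTokens.add(next.access_token);
      return next;
    },
  };
}

// In-memory replacement for window.localStorage.
function makeMemoryStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    keys: () => [...m.keys()],
  };
}
```

In the real SPA the only parts that change are the two `okta` methods (fetch against /oauth2/v1/userinfo and /oauth2/v1/token) and `redirect` (window.location.assign); the ordering in `logout`, clear first and redirect second, is the point of step 5.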

OIDC configuration

Our OIDC Provider URL is https://safibank.okta.com/ and it supports OIDC auto-discovery.

If auto-discovery can’t be used, the endpoints are:

  • Authorization endpoint: https://safibank.okta.com/oauth2/v1/authorize

  • Token endpoint: https://safibank.okta.com/oauth2/v1/token

The client ID and the remaining configuration values can be obtained from the application’s settings in Okta.

A client secret is not needed: BOFE is a Single-Page Application and uses the Authorization Code + PKCE flow, so the PKCE code_verifier, not a secret, is what proves the token request comes from the party that started the login.

The application’s redirect URIs must also be registered in Okta. For the dev environment we additionally allow localhost URLs so that local development works.

Getting user information

The iam-manager service queries up-to-date information about users from Okta; that information is also added to the token as custom claims.

Currently we plan to implement these endpoints:

/bank-user/{uid} → returns the user profile (name, email, groups, …)

/bank-user/{uid}/checkers → list of checkers for the given user, with an indication of which one is the primary checker

/bank-user/{uid}/makers → list of makers for the given user (tracked in SM-5514 “Devise a way to list makers for a given checker”, status: To Do)

For more details please refer to the Swagger doc: https://iam-manager.apps.brave.safibank.online/swagger/views/swagger-ui/#/