Method + service_name + Path


path + parameters

https://iam-manager.apps.dev.safibank.online/credential/by-customer/4ffca786-13c6-444e
https://iam-manager.apps.stage.safibank.online/credential/by-customer/4ffca786-13c6-444e
https://iam-manager.apps.dev.safibank.online/credential/by-customer?user=123&color=blue

service_name - Configurable per service (Sample)


How to handle the breaking change

  1. Backwards compatible implementation:

Option 1

- No config change required to consumers of the library

- Accept both old and new signature

- Extra validation for old and new

1. BE verifies the message against both the old signature and the new one (the new one includes the URL path and the HTTP method)

2. FE signs with the URL path and HTTP method included

3. BE removes checking of old signatures

Option 2

- No config change required to consumers of the library

- Accept both old and new signature

1 : FE sends an extra header signaling that it has signed with the URL path and HTTP method

safi-path - boolean

2 : BE does no config check, but checks the header to see whether the request uses old or new signing

Full transition :
BE - remove safi-path checking
FE - remove sending of safi-path

Option 3

- No config change required to consumers of the library

- Accept both old and new signature

1 : FE sends an extra header carrying the new signature, computed with the URL path and HTTP method

safi-sign - signature with URL path and HTTP method

safi-sgn - (old implementation) will be null

2 : BE does no config check, but checks which header is present to see whether the request uses old or new signing

Full transition :
BE - still using the new header safi-sign
FE - Remove sending of safi-sgn

  2. Enable in sync (BE and FE): send a Slack message telling everyone to update their app, because requests with the old signature will stop working.


Order of Signing

safi_cuid + safi_crid + safi_stmp + safi_chdt + safi_path + requestBody

service_name - configurable per service

safi_path = GET_/{service_name}/credential/by-customer/4ffca786-13c6-444e?user=123
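Worked example of the signing order above and of the Option 1 transition (BE accepts old and new signatures). This is added illustration, not the iam-auth-lib code. The page does not name the MAC algorithm, the key, or a field separator, so the example assumes plain concatenation in the listed order and HMAC-SHA256 over a hypothetical shared secret; the header values, service name and body are constructed sample input. It also shows why the path and method belong in the signature: a signature captured for one endpoint no longer verifies when the same headers and body are sent to another method or path.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Hypothetical shared secret; the real key material and algorithm are not on the page.
SECRET = b"example-shared-secret"


def build_safi_path(method: str, service_name: str, path: str, query: str = "") -> str:
    """Build safi_path = METHOD_/{service_name}{path}[?query], as in the page's sample."""
    value = f"{method.upper()}_/{service_name}{path}"
    if query:
        value += "?" + query
    return value


def signing_string(cuid: str, crid: str, stmp: str, chdt: str,
                   body: str, safi_path: Optional[str] = None) -> str:
    """Order from the page: safi_cuid + safi_crid + safi_stmp + safi_chdt + safi_path + requestBody.
    The old scheme is the same string without safi_path."""
    parts = [cuid, crid, stmp, chdt]
    if safi_path is not None:
        parts.append(safi_path)
    parts.append(body)
    return "".join(parts)  # assumption: plain concatenation, no separator


def sign(message: str) -> str:
    # Assumption: HMAC-SHA256 over the shared secret, hex encoded.
    return hmac.new(SECRET, message.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_transition(headers: Dict[str, str], body: str, method: str,
                      service_name: str, path: str, query: str = "") -> str:
    """Option 1 backend: try the new signature (with safi_path) first, then fall back to the old one.
    Returns "new" or "old", or raises ValueError when neither matches."""
    base = (headers["safi_cuid"], headers["safi_crid"], headers["safi_stmp"], headers["safi_chdt"])
    presented = headers["safi_sgn"]

    safi_path = build_safi_path(method, service_name, path, query)
    new_expected = sign(signing_string(*base, body, safi_path))
    if hmac.compare_digest(presented, new_expected):  # constant-time compare
        return "new"

    # Transition only: drop this fallback in step 3 of Option 1.
    old_expected = sign(signing_string(*base, body))
    if hmac.compare_digest(presented, old_expected):
        return "old"

    raise ValueError("signature mismatch")


def demo() -> Dict[str, str]:
    """Constructed sample: a new-style client, an old-style client, and a replay to another method."""
    hdrs = {"safi_cuid": "c1", "safi_crid": "r1", "safi_stmp": "1700000000", "safi_chdt": "2023-11-14"}
    body = '{"user":123}'
    svc, path, query = "iam-manager", "/credential/by-customer/4ffca786-13c6-444e", "user=123"
    base = (hdrs["safi_cuid"], hdrs["safi_crid"], hdrs["safi_stmp"], hdrs["safi_chdt"])

    new_client = dict(hdrs, safi_sgn=sign(signing_string(*base, body, build_safi_path("GET", svc, path, query))))
    old_client = dict(hdrs, safi_sgn=sign(signing_string(*base, body)))

    result = {
        "new_client": verify_transition(new_client, body, "GET", svc, path, query),
        "old_client": verify_transition(old_client, body, "GET", svc, path, query),
    }
    try:  # same headers and body, but sent as POST: the path-bound signature must not verify
        verify_transition(new_client, body, "POST", svc, path, query)
        result["replayed_as_post"] = "accepted"
    except ValueError:
        result["replayed_as_post"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

Note that while the old-signature fallback is in place, an old-style signature is still not bound to the method or path, so the benefit only materializes once the BE stops accepting old signatures (step 3 of Option 1). Options 2 and 3 replace the fallback with a header check (safi-path or safi-sign) to decide which signing string to verify, but the same caveat applies until the old header is removed.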


Issues with PATH retrieval

The library only has access to the HTTP headers and body, not the HttpRequest.
Adding the HttpRequest would require all services to update their implementation.

Approach

iam-auth-lib
IamAuthenticate introduces a new endpoint that accepts the httpRequest


If the Interceptor has access to the httpRequest, this triggers the new signature check.

Bump iam-auth-lib to 2.0

  1. PR authz-lib to 2.0

  2. Implement the version increase for all services (to iam-auth 2.0 and authz-lib 2.0)

  3. FE update

  4. PR removing the old features and bumping to 3.0

  5. PR authz-lib to 3.0

  6. Implement the version increase for all services (to iam-auth 3.0 and authz-lib 3.0)

To be implemented

  1. authorization-lib

  2. Front End

  3. Services using IamAuthentication

    1. card-manager

    2. transaction-history-manager

    3. transaction-processor-manager

    4. customer-manager

    5. account-manager

    6. iam-manager

    7. pdf-generator

    8. loan-manager

    9. fee-manager

    10. engagement-manager

  4. Services using only Authorization-library

    1. paynamics-gateway

    2. merchants-manager

    3. product-manager

    4. ecpay-gateway

    5. response-message-manager

    6. statement-manager

  5. Only using iam-lib

    1. referral-manager

    2. backoffice-manager