Method + service_name + Path
path + parameters
https://iam-manager.apps.dev.safibank.online/credential/by-customer/4ffca786-13c6-444e
https://iam-manager.apps.stage.safibank.online/credential/by-customer/4ffca786-13c6-444e
https://iam-manager.apps.dev.safibank.online/credential/by-customer?user=123&color=blue
service_name - Configurable per service (Sample)
How to handle breaking change
Backwards compatible implementation:
Option 1
- No config change required to consumers of the library
- Accept both old and new signature
- Extra validation for old and new
1. BE verifies each message against both the old signature and the new one (which includes the URL path and the HTTP method)
2. FE to apply signing with URL path and HTTP method
3. Remove checking of old signatures for BE
Option 2
- No config change required to consumers of the library
- Accept both old and new signature
1 : FE to send another header signaling that it has used signing with URL path and HTTP method
safi-path - boolean
2 : No config checking for BE but header checking to see if it uses old or new signing
Full transition :
BE - remove safi-path checking
FE - remove sending of safi-path
Option 3
- No config change required to consumers of the library
- Accept both old and new signature
1 : FE to send another header with the new way of signing with URL path and HTTP method
safi-sign - signature with URL path and HTTP method
safi-sgn - (old implementation) will be null
2 : No config checking for BE but header checking to see if it uses old or new signing
Full transition :
BE - still using the new header safi-sign
FE - Remove sending of safi-sgn
2. Enable in sync (BE and FE together): send a Slack message for everyone to update their app, because requests will not work until they do.
Order of Signing
safi_cuid + safi_crid + safi_stmp + safi_chdt + safi_path + requestBody
service_name - configurable per service
safi_path = GET_/{service_name}/credential/by-customer/4ffca786-13c6-444e?user=123
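Worked example of the signing order above and of the Option 3 check on the BE (added here; not the iam-auth-lib code). The MAC (HMAC-SHA256), the secret, the header values and the `accept_legacy` switch are assumptions; the field order and the safi_path format are the page's.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

SECRET = b"constructed-demo-key"  # constructed for the example, not a real key

def canonical_path(method: str, service_name: str, url: str) -> str:
    """safi_path as defined on this page: METHOD_/{service_name}{path}[?query]."""
    parts = urlsplit(url)
    safi_path = f"{method.upper()}_/{service_name}{parts.path}"
    return safi_path + ("?" + parts.query if parts.query else "")

def signing_input(hdrs: dict, body: str, safi_path: Optional[str] = None) -> str:
    """Order of signing: safi_cuid + safi_crid + safi_stmp + safi_chdt (+ safi_path) + body."""
    fields = [hdrs["safi_cuid"], hdrs["safi_crid"], hdrs["safi_stmp"], hdrs["safi_chdt"]]
    if safi_path is not None:  # omitted for the old, path-less signature
        fields.append(safi_path)
    return "".join(fields) + body

def sign(hdrs: dict, body: str, safi_path: Optional[str] = None) -> str:
    # HMAC-SHA256 is an assumption; the page does not name the MAC used.
    return hmac.new(SECRET, signing_input(hdrs, body, safi_path).encode(), hashlib.sha256).hexdigest()

def verify(hdrs: dict, body: str, method: str, service_name: str, url: str,
           accept_legacy: bool = True) -> Optional[str]:
    """Option 3 on the BE: prefer safi-sign (bound to path + method); fall back to
    safi-sgn only while accept_legacy is True (False at full transition).
    Returns the scheme that matched, or None if the request must be rejected."""
    safi_path = canonical_path(method, service_name, url)
    if "safi-sign" in hdrs:
        if hmac.compare_digest(hdrs["safi-sign"], sign(hdrs, body, safi_path)):
            return "new"
        return None  # a present-but-wrong new signature is never downgraded to the old check
    if accept_legacy and "safi-sgn" in hdrs:
        if hmac.compare_digest(hdrs["safi-sgn"], sign(hdrs, body)):
            return "old"
    return None

def demo() -> tuple:
    """FE signs a GET; BE accepts it, then rejects the same signature on another method."""
    base = {"safi_cuid": "4ffca786-13c6-444e", "safi_crid": "req-001",
            "safi_stmp": "1665000000", "safi_chdt": "sha256:empty"}  # constructed headers
    url = "https://iam-manager.apps.dev.safibank.online/credential/by-customer/4ffca786-13c6-444e?user=123"
    path = canonical_path("GET", "iam-manager", url)
    hdrs = {**base, "safi-sign": sign(base, "", path)}
    accepted = verify(hdrs, "", "GET", "iam-manager", url)
    replayed = verify(hdrs, "", "DELETE", "iam-manager", url)  # same URL, different method
    return path, accepted, replayed
```

With the old path-less signature the replayed request would have verified, since nothing in its input changes when the method or path does.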
Issues with PATH retrieval
Library only has access to HttpHeader and Body not the HttpRequest.
Adding of HttpRequest would require all services to update their implementation
Approach
iam-auth-lib
IamAuthenticate to introduce new endpoint that accepts httpRequest
If Interceptor has access to httpRequest this will trigger new signature checking.
bump iam-auth-lib to 2.0
PR authz-lib to 2.0
implement version increase for all services (to iam-auth 2.0 and authz-lib 2.0)
FE update
PR removing old features and bumping to 3.0
PR authZ to 3.0
implement version increase for all services (to iam-auth 3.0 and authz-lib 3.0)
To be implemented
authorization-lib
Front End
Services using IamAuthentication
card-manager
transaction-history-manager
transaction-processor-manager
customer-manager
account-manager
iam-manager
pdf-generator
loan-manager
fee-manager
engagement-manager
Services using only Authorization-library
paynamics-gateway
merchants-manager
product-manager
ecpay-gateway
response-message-manager
statement-manager
Only using iam-lib
referral-manager
backoffice-manager