Epic: SM-1810 - IAM: Authenticate and authorize with password or biometry Resolved
JIRA: SM-1830 - Authorize an action Done
Priority:
Effort estimate:
Review status: in preparation/ready to review/approved
As a Customer I want to be able to authorize/approve action taken by the app by verifying my registered passcode/device biometrics.
Role: Customer
Objective: Customer approves action to complete activity
Reason: Verify and confirm that customer action to be completed
Functional requirements:
Slacker as a decision point to assess the risk evaluation of operation. Based on the risk assessment, the calling service should make a decision whether or not to request step-up. Juraj M to confirm how the IAM should interact with Slacker and other teams regarding step up functionality
What actions within the app will require authorization? https://docs.google.com/spreadsheets/d/1031t_wW8QtOUZ1w_OmUov6EdW4c6RV0lDqf2FwxPj0g/edit#gid=752753723
Passcode:
Registered customer has set the passcode/password
Device Biometrics:
Customer has registered device biometrics within the app
UI requirements:
Process flow:
Execution steps:
Internal dependencies: passcode set, register/unregister device biometry
External dependencies: 3rd party prerequisites
Alternative scenarios: n/a
Acceptance criteria:
customer approves action using passcode
customer approves action using device biometry (only if device biometry is enabled beforehand - device biometry is enabled in the App in Settings tab)
If device biometry does not work, passcode is fall-back
Action is completed
Links to wireframes/UI:
Technical Assessment
Note that this flow covers signing with both the “silent” and “user presence“ keys.
HTTP Body and Headers
The HTTP Body is transmitted unmodified, so BE can expect that it receives the same data the FE generated.
Headers
Note: https://www.rfc-editor.org/rfc/rfc6648.html
Generated by app layer
safi-cuid
: Customer ID
safi-crid
: Credential ID
Generated by IAM layer
safi-stmp
: Timestamp (microsec precision, requirement: should be unique for all requests)
safi-sgn
: signature generated ba IAM (VIDA)
Signature algo & params
TBD
Implementation Details
Frontend
FE app should implement an Authorization Service that accepts the request body with the safi-cuid
, safi-crid
headers and:
adds
safi-stmp
header as a timestamp in integer form (since UTC Epoch) with microsec precisioncombines
safi-cuid
,safi-crid
,safi-stmp
and the body into a single data blob with\n
as the delimitercomputes the message signature with the VIDA
signMessage*
callsadds the signature to
safi-sgn
header
Backend
A micronaut compatible functionality should be provided that implements the flow on the right hand side of the above diagram using the HTTP headers described in the previous section and the VIDA API.
We may want to implement this in multiple steps and caching may be implemented in a later step.
Idempotency
TBD
reference: Idempotency
Attachments:
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~drawio~6203b4b4e5caff0070e2aa9c~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
~PKI request authorization.drawio.tmp (application/vnd.jgraph.mxfile)
PKI request authorization.drawio (application/vnd.jgraph.mxfile)
PKI request authorization.drawio.png (image/png)