AUTHENTICATION verifies the identity of a user or service
AUTHORIZATION determines their access rights
Authentication levels: LEVEL1 - SILENT, LEVEL2 - PRESENCE_KEY
authorizeByCustomerId
- checks that the provided customerId is the same as the authenticated customer and that the authentication level matches
authorizeAndAllow
- authorizes and allows access for any successfully authenticated request whose authentication level matches
FE creates the signature headers, but they are only present at the first endpoint. If the service FE called calls another service, no signature headers are passed on and that request is treated as S2S.
The S2S header is inserted by Istio.
GET /bank-user/{uid} (BOFE)
- getUser
- Service to Service Authentication ONLY

GET /bank-user/{uid}/checkers (BOFE)
- getCheckers
- Gets Bank User data for the BO authorization decision. Team/group membership info is used to handle the permissions of the Bank User; a team/group membership can limit what the Bank User can see and what actions they can take.
- No reference to customerId or credentialId.
- Requests come from the BOFE gateway; BOFE will not call this endpoint directly.
- Service to Service Authentication ONLY

POST /credential/{customerId} (FE)
- Creation of the credentialID
- Credential ID required by the Auth lib to do auth
- NOT secured

GET /credential/by-customer/{customerId} (iam-library)
- Returns the credential IDs for a customer
- Used by auth-lib to authenticate
- Critical since it exposes the customerId and the credential ID used for authentication
- Service to Service Authentication ONLY

POST /face-comparison (FE)
- Face comparison feature for step-up
- ALWAYS SILENT and ONLY for FE

POST /face-comparison/check (FE)
- Face comparison feature for step-up
- ALWAYS SILENT and ONLY for FE

POST /notifications/token (FE)
- Used for generating the Ably token for FE
- ONLY for FE
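The rules above (authorizeByCustomerId, authorizeAndAllow, the FE-versus-S2S distinction, and the per-endpoint requirements) as an added Python model; this is not code from the service or its auth library. The Principal class, the caller labels "FE"/"BOFE"/"S2S", and reading "authentication level matching" as "at least the required level" are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class AuthLevel(IntEnum):
    SILENT = 1        # LEVEL1
    PRESENCE_KEY = 2  # LEVEL2

@dataclass(frozen=True)
class Principal:
    """Outcome of authentication for one request (constructed model).
    caller is "FE", "BOFE" or "S2S"; an S2S caller (Istio header) carries
    no customer and no level, because it identifies a service, not a user."""
    caller: str
    customer_id: Optional[str] = None
    level: Optional[AuthLevel] = None

def authorize_by_customer_id(p, customer_id, required=AuthLevel.SILENT):
    """authorizeByCustomerId: the customerId in the request must equal the
    authenticated customer and the level must meet `required`
    (assumed to mean "at least"; the page only says "matching")."""
    if p.customer_id is None or p.customer_id != customer_id:
        return False
    return p.level is not None and p.level >= required

def authorize_and_allow(p, required=AuthLevel.SILENT):
    """authorizeAndAllow: any authenticated user request at the required
    level; the customerId is deliberately not compared."""
    return p.level is not None and p.level >= required

def s2s_only(p):
    return p.caller == "S2S"
def fe_silent(p):
    # ALWAYS SILENT and ONLY for FE: a user request at LEVEL1 or above.
    return p.caller == "FE" and authorize_and_allow(p, AuthLevel.SILENT)

# Route rules as listed on the page; each value is a deny-by-default predicate.
RULES = {
    ("GET", "/bank-user/{uid}"): s2s_only,
    ("GET", "/bank-user/{uid}/checkers"): s2s_only,
    ("GET", "/credential/by-customer/{customerId}"): s2s_only,
    ("POST", "/credential/{customerId}"): lambda p: True,  # NOT secured
    ("POST", "/face-comparison"): fe_silent,
    ("POST", "/face-comparison/check"): fe_silent,
    ("POST", "/notifications/token"): fe_silent,  # ONLY for FE; SILENT assumed
}
def decide(method, route, p):
    """Unknown routes and failing rules are both rejected."""
    rule = RULES.get((method, route))
    return rule is not None and rule(p)
```

A downstream hop that lost the FE signature headers arrives as an S2S principal, so an FE-only route rejects it even though the original user was authenticated.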