Requirements
TBD
Technical Assessment
Setup
password opt-out is a global setting and related to IAM -> store it in iam-manager
FE sends the opt-out setting (with LEVEL2 auth) to iam-manager to set this flag in IAM database for the particular customer
iam-manager requests a risk assessment from slacker to approve the opt-out
Usage
FE sends the request to BE
when the domain BE checks the signature, IAM returns an extended auth struct with the password opt-out flag (not just auth level and authenticated customer id)
domain sends the request data, auth level and opt-out flag to the risk engine
risk responds with required auth level (NOTE THAT THE FOLLOWING ARE JUST EXAMPLES, NOT REQUIREMENTS)
e.g. LEVEL1 is passed, user has opted out, risk approves
e.g. LEVEL2 is passed, user has not opted out, risk approves
e.g. risk requires LEVEL2 if LEVEL1 was used and the user has not opted out (or the transaction is risky, etc.)
e.g. risk requires LEVEL3 if LEVEL2 was used but the customer or the transaction is risky, etc.
domain executes the request if everything is fine, otherwise it returns a step-up-required message to FE
(optional) FE executes step-up
LEVEL2: ask for password
LEVEL3: execute the step-up procedure (implemented in the last sprint, SM-1811: IAM: Authenticate and authorize with step up requirement (MVP-P1), resolved) and retry the request
Notes:
TX for now, but the solution is future-proof for any other domain
FE can cache the password opt-out flag and send the first request with LEVEL2, so even the first request can succeed (depending on the risk result, of course)
this has no security implications because the required level is always assessed on the BE side
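Worked model of the Usage flow and of the note above, added here as an illustration (not code from the project): the opt-out flag is taken only from the auth struct IAM returns, the risk stand-in mirrors the page's example decisions, and the FE steps up and retries until the domain executes. IAM_DB, the 10,000 risky-amount threshold and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class AuthLevel(IntEnum):
    LEVEL1 = 1
    LEVEL2 = 2
    LEVEL3 = 3

# Constructed stand-in for the IAM database: customer id -> password opt-out flag.
IAM_DB = {"cust-optout": True, "cust-default": False}

@dataclass(frozen=True)
class ExtendedAuth:
    """Assumed shape of the extended auth struct IAM returns after the signature check."""
    customer_id: str
    auth_level: AuthLevel
    password_opt_out: bool

def iam_check_signature(customer_id: str, presented_level: AuthLevel) -> ExtendedAuth:
    # Signature verification itself is out of scope; the flag always comes from IAM's store,
    # never from anything the FE put in the request body.
    return ExtendedAuth(customer_id, presented_level, IAM_DB[customer_id])

def risk_required_level(auth: ExtendedAuth, amount: int, risky_customer: bool) -> AuthLevel:
    """Stand-in risk engine; the policy only mirrors the page's examples, it is not a real rule set."""
    required = AuthLevel.LEVEL1 if auth.password_opt_out else AuthLevel.LEVEL2
    if amount >= 10_000:            # risky transaction: password at least
        required = max(required, AuthLevel.LEVEL2)
    if risky_customer:              # risky customer: full step-up procedure
        required = max(required, AuthLevel.LEVEL3)
    return required

def domain_handle(auth: ExtendedAuth, amount: int, risky_customer: bool) -> dict:
    """Domain BE: execute only if the level IAM attested to meets what risk demands."""
    required = risk_required_level(auth, amount, risky_customer)
    if auth.auth_level >= required:
        return {"status": "executed", "customer": auth.customer_id}
    return {"status": "step_up_required", "required_level": required}

def fe_submit(customer_id: str, first_level: AuthLevel, amount: int, risky_customer: bool) -> list:
    """FE: send at the level it has, step up to what the BE asks for, retry. Returns levels used."""
    levels_used, level = [], first_level
    while True:
        levels_used.append(level)
        result = domain_handle(iam_check_signature(customer_id, level), amount, risky_customer)
        if result["status"] == "executed" or level >= AuthLevel.LEVEL3:
            return levels_used
        level = result["required_level"]  # LEVEL2: ask for password; LEVEL3: step-up procedure
```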