Versions Compared

Old Version 1

changes.mady.by.user BrightSign TechDocs

Saved on

compared with

New Version Current

changes.mady.by.user BrightSign TechDocs

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Extend The BSN.cloud Self API v202206 to provide the ability to sign in into a Network for Persons version 2022/06 now lets persons authenticated by external identity providers (MS Microsoft Entra ID), and using OAuth2 Access+Refresh Tokens which don’t have a context of a Network.After considering multiple options in scope of

Jira Legacy
serverSystem Jira
serverIdf62484e2-4cee-3411-9e0f-491c5739f41d
keyBCN-14292
it is decided to use KeyCloak as an access and refresh tokens without a network context, sign in to a network.

The Keycloak intermediate identity and access manager (IAM) which will replace has replaced the custom BSN.cloud Authentication Server authentication server (oa.bsn.cloud) in Person for person registration, authentication, and Password password reset workflows. The consequence of that is disappearance of User Access and Refresh Tokens User access and refresh tokens will disappear along with all Networknetwork-specific OAuth2 Scope Tokens scope tokens and claims which the existing currently used by BSN.cloud API client applications depend on. So in order to provide an equivalent functionality and allow the existing BSN.cloud API versions to be used by the new client application versions on behalf of Persons authenticated by external identity providers it is decided to extend BSN.cloud Self API and introduce a concept of a User Session.

As a pre-requisite to this task implementation KeyCloak must be configured to add the sid (Session ID) claim to all Person Access and Refresh Tokens issued by it. This sid claim value must be assigned in result of the “Authorization Code” and “Resource Owner Password Credentials” OAuth2 Grant Flows execution and kept during the Person Access and Refresh Tokens rotation during the “Refresh Token” Grant Flow execution. It is also decided to allow for the same Person to maintain multiple active Sessions but only one Refresh Token related to each of them.

The solution of this task must satisfy the following functional requirements defined in conversation with Client Team, WSS and PSS developers who interact with BSN.cloud API:

  1. retrieve the list of Networks available to a Person authenticated via KeyCloak;

  2. sign into any of the available Networks having the provided ID or Name;

  3. switch between the available Networks in scope of the same Person Session;

  4. retrieve the Network ID and Name a Person is possibly signed into in scope of the current Session;

  5. retrieve the Authorization Scope Tokens, which must be identical to OAuth2 Scope Tokens granted by BSN.cloud as a part of existing solution, granted in scope of the current Session;

  6. terminate the current Session on Person sign out.

Based on the fact that Session ID may be extracted from the Person Access Token, which must be provided in any protected BSN.cloud API method call, it was decided to keep it implicit for client applications. So in order to satisfy the listed functional requirements the following changes must be made in scope of this task:

...

modify the caller authentication workflow in BSN.cloud API and resolve Person Claims Identity based on Person Access Tokens issued by KeyCloak;

modify the request authorization workflow in BSN.cloud API and replace the OAuth2 Scope-based authorization by the identical custom check based on Authorization Scope calculated in the same way;

...

.

BrightSign has introduced the concept of a “User Session”, and the BSN.cloud Self API has been as a result of these changes:

  • (User Session) A sid (session Id) claim will be added to all person access and refresh tokens issued by Keycloak. The sid is extracted from the person access token and so will be implicit for client applications.

  • (User Session) The same person can maintain multiple active sessions but can have only one refresh token related to each session.

  • (User Session) The caller authentication workflow in the BSN.cloud API has been modified and the person claims identity is now resolved based on person access tokens issued by Keycloak

  • (User Session) The request authorization workflow in the BSN.cloud API has been modified and the OAuth2 scope-based authorization has been replaced by the identical custom check based on the authorization scope calculated in the same way.

  • (BSN.cloud Self API) The updated client applications can now retrieve the person membership information using the existing GET ~/2022/06/REST/Self/Networks/ and GET ~/2022/06/REST/Self/Users/ methods

...

implement the new /2022/06/REST/Self/Session/ resource in BSN.cloud Self API, which has the following methods:

  1. OPTIONS: for handling the pre-flight requests from browsers;

  2. GET: for retrieval of the complete set of attributes defined in the context of the current Person Session. It must provide at least the following kinds of responses:

    1. having the 200 HTTP Status Code and application/json representation of the Session Context Structure instance which includes at least the [Nullable<NetworkInfo>] Network, [string] AuthorizationScope, [DateTime] ExpirationDate, [DateTime] LastModifiedDate properties;

    2. having the 401 HTTP Status Code when the provided Person Access Token is invalid and Session ID cannot be retrieved;

    3. having the 410 HTTP Status Code when the provided Person Access Token is valid but the Session with resolved ID has been invalidated;

    4. having the 5xx HTTP Status Code and the optional Retry-After HTTP header in case of transient server-side errors;

...

implement the new /2022/06/REST/Self/Session/{key}/ resource in BSN.cloud Self API, which has the following methods:

  1. OPTIONS: for handling the pre-flight requests from browsers;

  2. GET: for retrieval of the single attribute value defined in the context of the current Person Session and addressed by a Key. The available Keys are defined statically on BSN.cloud Self API side and limited to Network and AuthorizationScope. It must provide at least the following kinds of responses:

    1. having the 200 HTTP Status Code and application/json representation of the requested attribute value, which is either [Nullable<NetworkInfo>] for Network attribute or [string] for AuthorizationCode attribute. It is also desirable to provide the Last-Modified HTTP header value equal to the timestamp of the current attribute value assignment;

    2. (desirable) having the 304 HTTP Status Code when the provided If-Modified-Since HTTP header value matches the timestamp of the current attribute value assignment;

    3. having the 401 HTTP Status Code when the provided Person Access Token is invalid and Session ID cannot be retrieved;

    4. having the 410 HTTP Status Code when the provided Person Access Token is valid but the Session with resolved ID has been invalidated;

    5. having the 5xx HTTP Status Codes and the optional Retry-After HTTP header in case of transient server-side errors;

  3. PUT: for new values assignment to the attribute addressed by a Key. It must provide at least the following kinds of responses:

    1. having the 204 HTTP Status Code and no payload in case of successful execution. It is also desirable to provide the Last-Modified HTTP header value equal to the timestamp of this operation execution on BSN.cloud Self API side;

    2. having the 400 HTTP Status Code and application/problem+json error representation in case of invalid request and any of business rules violation, including the following:

      1. a Network having the specified Id or Name does not exist;

      2. a Network having the specified Id or Name has the Status property set to "Suspended";

      3. a Person who owns the provided Access Token is not a member of a Network having the specified Id or Name;

      4. the Status of a Person in a Network having the specified Id or Name is set to "Disabled";

    3. having the 401 HTTP Status Code when the provided Person Access Token is invalid and Session ID cannot be retrieved;

    4. having the 410 HTTP Status Code when the provided Person Access Token is valid but the Session with resolved ID has been invalidated;

    5. (desirable) having the 412 HTTP Status Code when the provided If-Unmodified-Since HTTP header value does not match the timestamp of the current attribute value assignment;

    6. having the 5xx HTTP Status Codes and the optional Retry-After HTTP header in case of transient server-side errors.

According to the fact that Session ID claim value is retrieved from the Person Access Token metadata it does not make sense to call the GET ~/2022/06/REST/Self/Session/ and GET ~/2022/06/REST/Self/Session/{key}/ methods multiple times providing the same Person Access Token. In order to indicate and reduce the chance of that these methods may also set the Cache-Control HTTP header with public; max-age={TTL} value based on the remaining validity period of the provided Person Access Token. In addition to that BSN.cloud Self API may maintain an in-memory cache of these method responses. Given the fact that these methods are expected to be invoked only as a part of existing Person/User-driven workflows their invocation rate must be not higher than any other BSN.cloud Admin/Main/Self API method.

...

  • .