How do these components work together?
The main roles and responsibilities of each of the three components are fairly clear, but there is a certain degree of flexibility in how the interactions between the components are orchestrated, and in which component performs which function where their functionality overlaps.
Google Cloud has tested the following interaction patterns:
In the first interaction pattern, Apigee interacts with both the consent management service and the identity platform, coordinating end user authentication with the identity platform, and authorization and consent with the consent management service. Apigee acts as the “broker” between users, their identity, and their consent.
In the second pattern, the consent management service manages all the interactions with the identity platform, and the identity platform acts as the “broker”. Apigee only interacts with the consent service.
The three components share a common pool of client apps and end users. One of the components is usually designated as the source of truth for these entities, while the other components that need to know about these entities synchronize that information from the source of truth.
The identity platform is usually the source of truth for end user identities, and the consent management component synchronizes that information by pulling it from the identity platform.
The consent management service is the source of truth for user opt-in and current consent status. Apigee will either check the validity of a consent with the service every time a request comes through or, to make it more efficient, validate the main attributes of the consent based on information stored in Apigee. To maintain consistency, the consent management service should tell Apigee to invalidate any tokens associated with a consent when it is revoked through other means (for example, if an end user revoked consent from a consent dashboard).
For client apps, either Apigee or the consent management component can act as the source of truth, with the other component synchronizing the information. In the context of Open Banking in particular, standards often mandate that financial institutions support Dynamic Client Registration. This means having endpoints that new clients can use to register themselves as clients for the Open Banking APIs. In this case, the synchronization of clients can easily be incorporated into Dynamic Client Registration.
Let’s now look in more detail at how the three components interact. There are two user journeys that are particularly relevant:
This is the beginning of the typical consumer user journey, when an end user starts using a third party app that requires access to that user’s data. The third party app needs to authenticate itself and request authorization to access the user’s data. This triggers the authentication of the end user and consent granting, consent granting being the process of the user authorizing the operations the app will execute on their behalf and establishing the list of accounts on which those operations will be performed. The authorization is represented by an access token, which the app will need to include in all subsequent requests.
This is quite a complex journey with many steps involved in order to make it as secure as possible. To make it easier to understand, we will simplify some of the steps (apologies in advance to the OIDC/FAPI experts out there!).
At a high level, these are the steps involved in this user journey:
End user starts using an app
The app requests permission to access the user’s data
The identity platform (IdP) authenticates the end user
The consent management service obtains consent from the end user
An access token is issued for the app, encapsulating the authorized permissions, accounts, etc. A refresh token is also issued: the access token usually has a short life (measured in minutes), but the app can use the refresh token, which usually lasts much longer (days or months), to obtain a new access token without going through the end user authentication/authorization/consent process again.
The way these steps are orchestrated varies depending on the interaction pattern among the components.
Pattern #1: Apigee orchestrates all interactions
When the user requests permission, Apigee will record the request and then redirect the client app to the IdP login page. Once the end user logs in, the IdP will return an authorization code to the callback URL that Apigee registered in the IdP configuration.
Apigee will then redirect the client app to the Consent Management service, so that the consent form is displayed. Once the user grants consent, selects the desired permissions, and selects the accounts it will apply to, the Consent Management Service will update Apigee with the status of the consent, through a callback Apigee registered in the consent configuration.
Now that the end user has authenticated and granted consent, Apigee can issue an authorization code and associate all the necessary information with it, for instance details about the consent, the authorization code issued by the Identity Platform (IdP), the identity of the end user in the IdP, etc. Apigee will return this authorization code to the client app through a callback endpoint that the app provided when registering with Apigee.
The app will then exchange the authorization code for an access token. Apigee will obtain an access token from the IdP, and update the status of the consent before issuing an access token to the client.
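The four steps of Pattern #1 as a small simulation of the broker's state handling. This is an added example, not Apigee's or Google Cloud's code; the URLs, identifiers, in-memory stores and function names are all constructed for the illustration.

```python
"""Added simulation of Pattern #1 (not Apigee's own code): Apigee brokers the
IdP login and the consent step, then issues its own authorization code bound
to both, which the app exchanges for an access token. All URLs, identifiers
and stores are constructed for this illustration."""
import secrets

PENDING = {}    # state -> what Apigee recorded when the app asked for permission
APP_CODES = {}  # Apigee-issued authorization code -> bound IdP code, user, consent
ACCESS_TOKENS = {}

def request_permission(client_id, redirect_uri, scopes):
    """Step 1: record the app's request and redirect the client to the IdP login page."""
    state = secrets.token_urlsafe(16)
    PENDING[state] = {"client": client_id, "redirect": redirect_uri, "scopes": scopes}
    return state, f"https://idp.example/login?state={state}"

def idp_callback(state, idp_code, user_id):
    """Step 2: the IdP returns its authorization code; Apigee stores it with the
    authenticated user and redirects the client to the consent form."""
    req = PENDING[state]
    req.update(idp_code=idp_code, user=user_id)
    return f"https://consent.example/form?state={state}"

def consent_callback(state, consent_id, accounts):
    """Step 3: the consent service reports the granted consent; Apigee issues its
    own code, bound to client, IdP code, user and consent, and sends it to the app."""
    req = PENDING.pop(state)
    code = secrets.token_urlsafe(16)
    APP_CODES[code] = {**req, "consent_id": consent_id, "accounts": accounts}
    return f"{req['redirect']}?code={code}"

def exchange_code(code, client_id):
    """Step 4: the app exchanges the code for an access token. The code is
    single-use and only valid for the client it was issued to. (In the real flow
    Apigee would also exchange the bound IdP code with the IdP at this point.)"""
    bound = APP_CODES.pop(code, None)
    if bound is None or bound["client"] != client_id:
        return None
    token = secrets.token_urlsafe(16)
    ACCESS_TOKENS[token] = {k: bound[k] for k in ("client", "user", "consent_id", "scopes", "accounts")}
    return token
```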
Pattern #2: The Consent Management Service is the center of the architecture
In Pattern #2, Apigee will only communicate with the Consent Management Service (CMS), which acts as an authorization server for the app and will also coordinate all interaction with the IdP.
When the user requests permission, Apigee will forward the request to the CMS. The CMS will record the request and then redirect the client app to the IdP login page. Once the end user logs in, the IdP will return an authorization code to the callback the CMS registered in the IdP configuration.
The CMS then displays the consent form. Once the user approves the consent and selects the desired permissions and the accounts it will apply to, the Consent Management Service will return an authorization code to Apigee, through a callback Apigee registered in the CMS configuration.
From then on, the flow is the same as explained above. Apigee will issue an authorization code, associate all the necessary information with it, and return this authorization code to the client app through a callback endpoint. The app will then exchange the authorization code for an access token. Apigee will obtain an access token from the CMS before issuing an access token to the client.
Let’s now look at the other relevant user journey:
Access shared data
Once the third party app has been authorized, it will start requesting that end user’s data. For instance, it might request the list of accounts or the balance of a particular account.
When that request comes through, a series of checks must be performed: Is this third party app still authorized? Has it been granted the right permission for the operation being requested? Is the account involved included in the list of accounts authorized by the end user? Apigee can perform all these checks by inspecting the access token provided by the third party app.
There is, however, one other check which cannot be done simply by inspecting the token. Imagine for a moment that between the user granting consent and the app requesting the user’s data, the end user decided to revoke that consent. This could be done by means other than the app itself, for instance by reviewing all consents granted to all apps in a consent dashboard accessible through other channels such as an “Internet Banking” website. When the app requests the user data, the token is still valid, but the consent has already been revoked. Therefore, in this user journey, Apigee will check with the Consent Management service whether the consent is still valid. This adds a bit of overhead, which can be minimized by other means. For instance, one common optimization is to make sure that the Consent Management service asks Apigee to revoke any access or refresh tokens associated with a given consent when that consent is revoked through other channels. If that guardrail is in place, then Apigee can decide whether a request should be allowed simply by validating the access token and using the consent information stored alongside the token.
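The per-request checks described above, together with the stale-consent case and the revocation guardrail, as an added example that is not part of the original page or Apigee's product. The consent records, token store, status values and function names are constructed assumptions.

```python
"""Added illustration (not Apigee's or Google Cloud's code) of the checks in
the "access shared data" journey: permission, account and token validity come
from the token, while consent status needs either a live check with the consent
service or the revocation guardrail. Records and statuses are constructed."""

# Consent records as held by the consent management service (source of truth).
CMS_CONSENTS = {
    "c-100": {"status": "AUTHORISED", "permissions": {"accounts:read", "balances:read"},
              "accounts": {"acc-1", "acc-2"}},
}
# Consent information Apigee stored alongside each token when it was issued.
APIGEE_TOKENS = {
    "tok-1": {"consent_id": "c-100", "expires": 1000,
              "permissions": {"accounts:read", "balances:read"}, "accounts": {"acc-1", "acc-2"}},
}
REVOKED_TOKENS = set()

def user_revokes_consent(consent_id):
    """End user revokes via another channel (e.g. a consent dashboard): only the CMS knows."""
    CMS_CONSENTS[consent_id]["status"] = "REVOKED"

def cms_notifies_apigee(consent_id):
    """The guardrail: the CMS asks Apigee to revoke every token tied to the consent."""
    for token, info in APIGEE_TOKENS.items():
        if info["consent_id"] == consent_id:
            REVOKED_TOKENS.add(token)

def check_request(token, permission, account, now, ask_cms=False):
    """Decide whether a data request is allowed. Returns (allowed, reason).
    With ask_cms=False Apigee relies on the token and the guardrail alone."""
    info = APIGEE_TOKENS.get(token)
    if info is None or token in REVOKED_TOKENS:
        return False, "token unknown or revoked"
    if now >= info["expires"]:
        return False, "token expired"
    if permission not in info["permissions"]:
        return False, "permission not granted"
    if account not in info["accounts"]:
        return False, "account not in consented list"
    if ask_cms and CMS_CONSENTS[info["consent_id"]]["status"] != "AUTHORISED":
        return False, "consent revoked"
    return True, "ok"
```

Without the guardrail, a revocation made through the dashboard leaves `tok-1` passing every token-only check until it expires, which is exactly why the live CMS check or the revocation callback is needed.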
The following diagram summarizes the interactions required between Apigee and the Consent Management component. The interaction is essentially the same in both interaction patterns.