...

POST /v1/masterkey/verify

Request body:

{
  "request": {
    "key": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoic3VuYmlyZCIsIm5hbWUiOiJEaWtzaGFJbXBsVGVhbSIsImNyZWF0ZWRCeSI6MTUxNjIzOTAyMiwiY3JlYXRlZE9uIjoxNTE2MjM5MDIyLCJleHBpcmVzT24iOjE1MTYyNDkwMjIsIm9yZ0lkIjoiMjM0NTY1NDU2In0.Cs5-FW7OHip6njkQvMP6zpIVB5Q-xLLgz_jnYW3zPOw"
  }
}

Response body: (Success) 200

{
  "id": "api.masterkey.verify",
  "ver": "v1",
  "ts": "2019-01-29 09:17:31:909+0000",
  "params": {
    "resmsgid": null,
    "msgid": "9db786d3-45c2-447d-b657-f9768da15652",
    "err": null,
    "status": "success",
    "errmsg": null
  },
  "responseCode": "OK",
  "result": {
    "channel": "sunbird",
    "consumer": "DikshaImplTeam",
    "createdBy": "00dd6646-be73-4fb0-b676-ccd01bda085e",
    "createdOn": 1516239022,
    "expiresOn": 1516249025,
    "orgId": "01262366359399628812"
  }
}

Response body: (Error) 400

{
  "id": "api.masterkey.create",
  "ver": "v1",
  "ts": "2018-01-29 11:12:31:853+0000",
  "params": {
    "resmsgid": null,
    "msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf",
    "err": "INVALID_KEY",
    "status": "INVALID_KEY",
    "errmsg": "Provided key for channel sunbird is invalid"
  },
  "responseCode": "CLIENT_ERROR",
  "result": {}
}



approach 2:

In the previous approach the master key simply expires after a fixed duration. That approach can be extended with a refresh token that is used to generate a new master key. The refresh token has its own expiry; once it has expired, a new master key and refresh token must be created through the create API call.

The benefit is that the master key can be given a short expiry interval, which limits the impact of a leaked master key.

POST /v1/masterkey/create

Request body:

{
  "request": {
    "channel": "sunbird"
  }
}

Response body: (Success) 200

{
  "id": "api.masterkey.create",
  "ver": "v1",
  "ts": "2019-01-29 09:17:31:909+0000",
  "params": {
    "resmsgid": null,
    "msgid": "9db786d3-45c2-447d-b657-f9768da15652",
    "err": null,
    "status": "success",
    "errmsg": null
  },
  "responseCode": "OK",
  "result": {
    "key": "1fb786d3-45c2-447d-b657-f9768da15348",
    "expiresOn": 120,
    "refreshToken": "3ab586d3-45c2-447d-b657-g9768da13730"
  }
}

Request to regenerate the key (requires the refresh token):

{
  "request": {
    "channel": "sunbird",
    "refreshToken": "3ab586d3-45c2-447d-b657-g9768da13730"
  }
}

Response body: (Success) 200

{
  "id": "api.masterkey.create",
  "ver": "v1",
  "ts": "2019-01-29 11:17:31:909+0000",
  "params": {
    "resmsgid": null,
    "msgid": "9db786d3-45c2-447d-b657-f9769da15652",
    "err": null,
    "status": "success",
    "errmsg": null
  },
  "responseCode": "OK",
  "result": {
    "key": "3gh686e3-45c2-447d-b657-b3364da84351",
    "expiresOn": 120,
    "refreshToken": "3ab586d3-45c2-447d-b657-g9768da13730"
  }
}

There would be a TTL on the refresh token, so the entry is removed once the refresh token expires, after which a fresh entry has to be created.

GET API response:

{
  "id": "api.masterkey.create",
  "ver": "v1",
  "ts": "2019-01-29 11:18:31:909+0000",
  "params": {
    "resmsgid": null,
    "msgid": "9db786d3-45c2-447d-b657-f9769da15652",
    "err": null,
    "status": "success",
    "errmsg": null
  },
  "responseCode": "OK",
  "result": {
    "key": "3gh686e3-45c2-447d-b657-b3364da84351",
    "expiresOn": 30,
    "refreshToken": "3ab586d3-45c2-447d-b657-g9768da13730"
  }
}

Response for expired key: (Error) 400

{
  "id": "api.masterkey.create",
  "ver": "v1",
  "ts": "2018-01-29 11:21:31:853+0000",
  "params": {
    "resmsgid": null,
    "msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf",
    "err": "INVALID_KEY",
    "status": "INVALID_KEY",
    "errmsg": "Either the key doesn't exists or it has been expired"
  },
  "responseCode": "CLIENT_ERROR",
  "result": {}
}
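As an added illustration of approach 2 (not code from this page or from the Sunbird project), the following Python sketch implements the create / refresh / verify lifecycle against an in-memory stand-in for the key table: the master key TTL of 120 seconds and the errmsg strings come from the responses above, while the refresh-token TTL value, the in-memory store and the response envelope are assumptions.

```python
import secrets
import time

MASTER_KEY_TTL = 120            # seconds; matches "expiresOn": 120 in the sample response
REFRESH_TOKEN_TTL = 24 * 3600   # assumed value; the page only says the refresh token has its own TTL

_store = {}  # constructed stand-in for the DB table, one row per channel


def _response(status, result=None, errmsg=None):
    """Minimal envelope mirroring the page's params.status / params.errmsg / result fields."""
    return {"status": status, "errmsg": errmsg, "result": result or {}}


def create_master_key(channel, now=None):
    """POST /v1/masterkey/create without a refresh token: new key and new refresh token."""
    now = time.time() if now is None else now
    row = {"key": secrets.token_hex(16), "keyExpiresAt": now + MASTER_KEY_TTL,
           "refreshToken": secrets.token_hex(16), "refreshExpiresAt": now + REFRESH_TOKEN_TTL}
    _store[channel] = row
    return _response("success", {"key": row["key"], "expiresOn": MASTER_KEY_TTL,
                                 "refreshToken": row["refreshToken"]})


def refresh_master_key(channel, refresh_token, now=None):
    """POST /v1/masterkey/create with a refresh token: rotate the key, keep the refresh token."""
    now = time.time() if now is None else now
    row = _store.get(channel)
    if row is None or now >= row["refreshExpiresAt"]:
        _store.pop(channel, None)  # refresh-token TTL reached: drop the row, a fresh create is required
        return _response("INVALID_KEY", errmsg="Either the key doesn't exists or it has been expired")
    if not secrets.compare_digest(row["refreshToken"], refresh_token):  # constant-time comparison
        return _response("INVALID_KEY", errmsg=f"Provided key for channel {channel} is invalid")
    row["key"], row["keyExpiresAt"] = secrets.token_hex(16), now + MASTER_KEY_TTL
    return _response("success", {"key": row["key"], "expiresOn": MASTER_KEY_TTL,
                                 "refreshToken": row["refreshToken"]})


def verify_master_key(channel, key, now=None):
    """POST /v1/masterkey/verify: only the current, unexpired key for the channel is accepted."""
    now = time.time() if now is None else now
    row = _store.get(channel)
    if row is None or now >= row["keyExpiresAt"]:
        return _response("INVALID_KEY", errmsg="Either the key doesn't exists or it has been expired")
    if not secrets.compare_digest(row["key"], key):
        return _response("INVALID_KEY", errmsg=f"Provided key for channel {channel} is invalid")
    return _response("success", {"channel": channel, "expiresOn": int(row["keyExpiresAt"])})
```

Rotating the key invalidates the previous one immediately, so a leaked key is usable for at most MASTER_KEY_TTL seconds, while an expired refresh token forces a full create call as the text describes.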

Table structure

...

custom generated key and storing it in DB

The API structure remains the same, but the custom generated key is stored in the DB and needs to be indexed.

Table Structure

column          type        description
channel*        text        channel name provided by the user
consumer*       text        provided by the user
orgId           text        provided by the user, or the root org id mapped to the channel
key             text        holds the custom generated key
createdby       text        user id of the user who created the master key
createdon       timestamp   creation time
expireson       timestamp   time at which the token expires
lastUpdatedBy   text        user who last updated the token
lastupdatedOn   timestamp   time at which the token was last updated


approach 3:

Using Keycloak to generate and verify the token used as the master key.

This approach has the following drawbacks:

  1. It cannot be based on channel and consumer.
  2. The expiry time is fixed in Keycloak.

However, it is comparatively faster to implement.