Overview :

        Sunbird allows a user to log in in the following ways:

       1. General login : The user first registers with Sunbird and can then log in with their email, phone or username together with a password.

       2. Google login : The user has a Google account and uses that same account to log in to Sunbird.

       3. State login : A state may already have its own user portal and want those same accounts to work inside Sunbird. In that case the state integrates with Sunbird; once the integration is complete, its users are logged in directly via SSO.

...

Existing request      New request
channel               State ID
userName              External User ID
firstName             External school (org) ID
lastName              Name
phone                 Roles
email                 phone/email

...

  The new JWT also carries a version claim; the incoming version determines whether the request is handled by the old implementation or the new one. The new implementation uses a separate endpoint (see the design and description in Single-Sign-On with DIKSHA for Partners.pdf). The request body is mapped as follows.


Existing JWT:

{
"jti": "261263cd-3a0e-4aee-8faf-6d9d9eb14bb1",
"iss": "c4923f5285ff447cbf13805423a1e98a",
"sub": "manzarul07+110332",
"aud": "https://staging.ntp.net.in",
"iat": 1499405029,
"exp": 1599405029,
"name": "Harish kumar Gangula",
"email": "t4harishkumar16@test.com",
"email_verified": true,
"phone_number": "8884930864",
"phone_number_verified": true,
"redirect_url": "https://staging.ntp.net.in/profile"
}

New JWT:

{
"jti": "261263cd-3a0e-4aee-8faf-6d9d9eb14bb1",
"iss": "<replace with id provided at registration time>",
"sub": "user_external_id",
"aud": "<base_url>",
"iat": 1498556656,
"exp": 1498560256,
"name": "Some User",
"state_id": "state",
"school_id": "pre_created_school_external_id",
"redirect_uri": "<base_url>/resources",
"version": "v1"
}



Request key                  Mapped to
State ID                     channel
External User ID             externalId (identity of the user within the state system)
External school (org) ID     org external id
Name                         firstName
                             externalIdProvider (the system under which the id is unique; here that is the state, so provider = channel)
                             externalIdType (type of the externalId, for example: PAN Card)
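The following is an added example, not code from the Sunbird project, showing how the version claim selects the implementation and how a v1 token is mapped onto the create-user request using the table above. Everything security-relevant happens before the mapping: the signature, issuer, audience and validity window are checked, and the redirect_uri is pinned to base_url so the SSO landing cannot become an open redirect. The signing algorithm (HS256 with a per-partner secret keyed by "iss"), the partner id, the secret, the base URL and the idType value are assumptions for the example; the page does not state them.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the partner id issued at registration ("iss")
# and the shared secret it maps to. HS256 is an assumption; the page does not
# state the signing algorithm. Key lookup by "iss" means an unknown partner fails closed.
PARTNER_SECRETS = {"partner-registration-id": b"constructed-shared-secret-do-not-reuse"}
BASE_URL = "https://sunbird.example"  # stands in for <base_url>, the expected "aud"


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(claims, secret):
    """Partner side: build a compact HS256 JWS over the claims."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, now=None):
    """Sunbird side: verify signature, issuer, audience and validity window
    before any claim is trusted. Returns the claims dict on success."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never honour "none"
        raise ValueError("unsupported alg")
    claims = json.loads(_b64url_decode(p))
    secret = PARTNER_SECRETS.get(claims.get("iss"))
    if secret is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("aud") != BASE_URL:
        raise ValueError("audience mismatch")
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    return claims


def implementation_for(claims):
    """The page's rule: a token without a version claim is the old implementation."""
    return "old" if "version" not in claims else claims["version"]


def map_to_create_user(claims, id_type="STATE_USER_ID"):
    """Apply the mapping table to a v1 token. idType is mandatory but is not a
    token claim, so it is an assumed caller-supplied value here."""
    if implementation_for(claims) != "v1":
        raise ValueError("only v1 tokens are mapped by this function")
    for required in ("sub", "state_id", "name"):
        if not claims.get(required):
            raise ValueError(f"missing claim {required}")
    # redirect_uri must stay under base_url, otherwise the SSO flow is an open redirect
    if not claims.get("redirect_uri", "").startswith(BASE_URL + "/"):
        raise ValueError("redirect_uri outside base_url")
    request = {
        "firstName": claims["name"],          # Name -> firstName
        "channel": claims["state_id"],        # State ID -> channel
        "externalIds": [{
            "id": claims["sub"],              # External User ID -> externalId
            "provider": claims["state_id"],   # unique within the state, so provider == channel
            "idType": id_type,
        }],
    }
    if claims.get("school_id"):
        request["orgExternalId"] = claims["school_id"]  # External school (org) ID
    if claims.get("email"):                   # phone/email are optional in the new request
        request["email"] = claims["email"]
    if claims.get("phone"):
        request["phone"] = claims["phone"]
    return {"request": request}
```

The mapping function deliberately refuses tokens that are not v1 rather than guessing; the old implementation keeps its own handler, selected by implementation_for(). The expiry check uses a caller-supplied clock so the behaviour at the exact exp boundary can be tested.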

...

  Once the user is found by the getUserByIdentifier API, the system checks the loginId attribute. If it is not null or empty, decrypt it and return it as userName. Otherwise call Keycloak, and also store the returned userName in Cassandra, so that the next lookup does not need a Keycloak call.

Create user :

Code Block
languagejs
titleCreate user request for SSO
{
  "request": {
    "firstName": "firstName+ lastname",
    "email/phone": "emailOrPhone",
    "channel": "channelValue",
    "orgExternalId": "orgexternalId",
    "externalIds": [
      {
        "id": "externalId",
        "provider": "id Provider",
        "idType": "id provider type"
      }
    ]
  }
}


 Once the user has been created via SSO, the caller can make a further API call to assign roles.

URI: /user/v1/role/assign


Code Block
languagejs
titleAdd member to Org
{
  "request": {
    "userId": "",
    "organisationId": "",
    "roles": [
      "CONTENTCREATOR",
      "CONTENTREVIEWER",
      "CONTENTCURATION",
      "FLAGREVIEWER"
    ]
  }
}

...

Mobile/Portal design for SSO: /wiki/spaces/DPT/pages/894369793

In the SSO workflow, the caller checks whether a phone number is associated with the profile; if not, it asks the user to complete phone number verification and then updates the profile. This means getUserByIdentity also needs to return maskPhone.

After the design discussion, the following changes are required:

 1. To identify a user by externalId, the caller will use the endpoint below:

       user/v1/private/read/externalId?provider=providerValue&idType=idTypeValue

    *  This API is not exposed outside and does not require a token.

    *  This API also returns the masked phone and masked email.

 2.  Mark the phone numbers of all old SSO users as verified.

 3. idType is mandatory for now.

 4. Later, phone and email both need to be moved under the user externalId table, so that any search by user externalId happens against that table only. (Not in release-1.14 sprint 1.)

 5. Write an ETL job that connects to PostgreSQL, reads all userIds, and writes each one into Cassandra under the user→loginId field in encrypted form.
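The following is an added example, not Sunbird project code, of the private read-by-externalId lookup from item 1: provider and idType are mandatory, the lookup goes through an externalId table keyed by (provider, idType, externalId), and the response carries masked phone and email plus the phone-verified flag the SSO caller uses to decide whether to prompt for verification. Because the endpoint takes no token, the network boundary is its only access control, which is why even internal callers get masked contact fields. The table contents, the masking format (last two digits of the phone, first two characters of the email local part) and the idType value are assumptions for this example.

```python
import re

# Constructed sample rows standing in for the user table; the phone and email
# values are the ones from the existing JWT example above.
USERS = {
    "u-001": {"userId": "u-001", "firstName": "Some User", "phone": "8884930864",
              "email": "t4harishkumar16@test.com", "phoneVerified": True},
}

# Constructed user externalId table: (provider, idType, externalId) -> userId.
# Keying on all three is what makes "idType mandatory" enforceable at lookup time.
EXTERNAL_IDS = {
    ("state", "STATE_USER_ID", "user_external_id"): "u-001",
}


def mask_phone(phone):
    """Assumed mask format: keep only the last two digits."""
    if not phone:
        return None
    digits = re.sub(r"\D", "", phone)
    if len(digits) <= 2:
        return "*" * len(digits)
    return "*" * (len(digits) - 2) + digits[-2:]


def mask_email(email):
    """Assumed mask format: first two characters of the local part, domain kept."""
    if not email:
        return None
    local, _, domain = email.partition("@")
    if not domain:
        return "*" * len(local)
    return local[:2] + "*" * max(len(local) - 2, 1) + "@" + domain


def read_by_external_id(external_id, provider=None, id_type=None):
    """user/v1/private/read/<externalId>?provider=&idType= as the page describes.
    Returns None when no matching external id exists, raises when the mandatory
    query parameters are missing, and never returns raw phone or email."""
    if not provider or not id_type:
        raise ValueError("provider and idType are mandatory")
    user_id = EXTERNAL_IDS.get((provider, id_type, external_id))
    if user_id is None:
        return None
    user = USERS[user_id]
    return {
        "userId": user["userId"],
        "firstName": user["firstName"],
        "maskedPhone": mask_phone(user.get("phone")),
        "maskedEmail": mask_email(user.get("email")),
        "phoneVerified": user.get("phoneVerified", False),
    }
```

A caller that sees phoneVerified false, or no maskedPhone at all, is the case the SSO workflow above handles by sending the user through phone verification before the profile update.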