Overview:
...
| Existing request | New request |
|---|---|
| channel | State ID |
| userName | External User ID |
| firstName | External school (org) ID |
| lastName | Name |
| phone | Roles |
| phone/email | |
...
The new JWT will also carry a version claim. The incoming version identifies whether the request follows the old implementation or the new one, and the request body will be mapped as follows. For the separate endpoint, see the design and description in Single-Sign-On with DIKSHA for Partners.pdf.
Existing JWT:

```json
{
  "jti": "261263cd-3a0e-4aee-8faf-6d9d9eb14bb1",
  "iss": "c4923f5285ff447cbf13805423a1e98a",
  "sub": "manzarul07+110332",
  "aud": "https://staging.ntp.net.in",
  "iat": 1499405029,
  "exp": 1599405029,
  "name": "Harish kumar Gangula",
  "email": "t4harishkumar16@test.com",
  "email_verified": true,
  "phone_number": "8884930864",
  "phone_number_verified": true,
  "redirect_url": "https://staging.ntp.net.in/profile"
}
```

New JWT (adds a version claim):

```
{ "version":"v1" // added newly
```
| Request key | Mapped |
|---|---|
| State ID | channel |
| External User ID | externalId (identity of the user within the state system) |
| External school (org) ID | org external id |
| Name | FirstName |
| externalIdProvider (the system under which the externalId is unique; here it is the state, so the provider will be channel) | |
| externalIdType (type of the externalId, for example: PAN Card) | |
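The following is an added example (not code from the DIKSHA project or the linked design document) showing how a receiving service can pin the algorithm, verify the signature, audience and expiry of the incoming JWT, classify it as old or new implementation from the version claim, and then apply the request-key mapping from the table above. The shared secret, audience, the internal name `orgExternalId`, and the assumption that the new body carries `externalIdType` directly are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical shared secret and audience for this example; a real deployment
# would load the partner's key material from configuration, never from code.
EXAMPLE_SECRET = b"example-shared-secret"
EXAMPLE_AUDIENCE = "https://sso.example.invalid"


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore the stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def encode_hs256_jwt(claims, secret):
    """Mint an HS256 token. Used here only to build sample tokens; the partner
    identity provider would issue the real ones."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_sso_jwt(token, secret, audience, now=None):
    """Check alg, signature, aud and exp, then return the claims with an explicit
    'version': new tokens carry "version": "v1"; tokens without the claim are
    treated as the old implementation ('legacy')."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (rejects 'none' and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or missing exp")
    claims["version"] = claims.get("version", "legacy")
    return claims


# New request keys -> internal fields, per the mapping table above.
NEW_KEY_MAP = {
    "State ID": "channel",
    "External User ID": "externalId",
    "External school (org) ID": "orgExternalId",  # assumed internal name for "org external id"
    "Name": "firstName",
    "Roles": "roles",
}


def map_request(version, body):
    """Translate a request body into internal fields based on the token version."""
    if version == "legacy":
        # Old request keys (channel, userName, firstName, lastName, phone) already
        # match the internal names, so they pass through unchanged.
        return dict(body)
    if version != "v1":
        raise ValueError(f"unsupported version {version!r}")
    mapped = {internal: body[key] for key, internal in NEW_KEY_MAP.items() if key in body}
    # Assumed: the new body carries externalIdType directly; idType is mandatory.
    if "externalIdType" not in body:
        raise ValueError("externalIdType is mandatory")
    mapped["externalIdType"] = body["externalIdType"]
    # The provider is the state, i.e. the channel.
    mapped["externalIdProvider"] = mapped.get("channel")
    for required in ("channel", "externalId"):
        if not mapped.get(required):
            raise ValueError(f"{required} is mandatory")
    return mapped


if __name__ == "__main__":
    token = encode_hs256_jwt(
        {"aud": EXAMPLE_AUDIENCE, "exp": int(time.time()) + 600, "version": "v1"}, EXAMPLE_SECRET
    )
    claims = verify_sso_jwt(token, EXAMPLE_SECRET, EXAMPLE_AUDIENCE)
    body = {"State ID": "stateA", "External User ID": "ext-001", "Name": "Asha", "externalIdType": "PAN Card"}
    print(claims["version"], map_request(claims["version"], body))
```

Verification happens before the version is read, so a forged or expired token can never select a code path; the `alg` check is an allow-list rather than trusting whatever the header says.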
...
Once a user is created using SSO, the caller can make another API call to assign roles.
URI: /user/v1/role/assign

```json
{
  "request": {
    "userId": "",
    "organisationId": "",
    "roles": [
      "CONTENTCREATOR",
      "CONTENTREVIEWER",
      "CONTENTCURATION",
      "FLAGREVIEWER"
    ]
  }
}
```
...
As in the SSO workflow, the caller checks whether the user's phone is associated with the profile; if it is not, the caller asks the user to complete phone number verification and then performs a profile update. This means that during getUserByIdentity they need maskPhone as well.
After the design discussion, the following changes are required:
1. To identify a user by externalId, the caller will use the endpoint below:
user/v1/private/read/externalId?provider=providerValue&idType=idTypeValue
* This API will not be exposed outside and it will not require any token.
* This API will return the masked phone and masked email as well.
2. Mark all old SSO users' phones as phone verified.
3. idType is mandatory as of now.
4. Later, phone and email both need to be moved under the user externalId table, so that any search via user externalId happens through that table only (not in release-1.14 sprint 1).
5. Write an ETL job that connects to PostgreSQL, takes all userIds and updates those userIds in Cassandra under the user → loginId field as encrypted.
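As an added example (not the project's own code) of the private read endpoint described in item 1, the handler logic below enforces that `provider` and `idType` are both present, returns only masked phone and email, and refuses to serve requests that did not arrive from the internal network, since the endpoint carries no token. The in-memory `USER_STORE`, the masking rules (last four digits of the phone; first character of the e-mail local part plus the domain) and the `from_internal_network` flag are assumptions for this example; the page specifies none of them.

```python
# Constructed in-memory stand-in for the user store, keyed by
# (externalIdProvider, externalIdType, externalId). A real service queries the DB.
USER_STORE = {
    ("stateA", "PAN Card", "ABCDE1234F"): {
        "userId": "u-001",
        "firstName": "Test User",
        "phone": "9876543210",
        "email": "testuser@example.invalid",
        "phoneVerified": True,
    },
}


def mask_phone(phone):
    """Assumed masking rule (the page does not fix one): keep only the last 4 digits."""
    if len(phone) <= 4:
        return "*" * len(phone)
    return "*" * (len(phone) - 4) + phone[-4:]


def mask_email(email):
    """Assumed masking rule: first character of the local part, then the domain."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        return "*" * len(email)
    return f"{local[0]}***@{domain}"


def read_by_external_id(query, external_id, from_internal_network):
    """Handler logic for user/v1/private/read/externalId.

    The endpoint carries no token, so reachability is its only access control:
    the caller must come from the internal network (assumed to be decided by the
    gateway or ingress and passed in here as a boolean)."""
    if not from_internal_network:
        raise PermissionError("private endpoint: not reachable from outside")
    provider = query.get("provider")
    id_type = query.get("idType")
    if not provider or not id_type:
        raise ValueError("provider and idType are mandatory")
    user = USER_STORE.get((provider, id_type, external_id))
    if user is None:
        return None
    # Only masked contact details are returned; the raw phone and email never
    # leave the service through this endpoint.
    return {
        "userId": user["userId"],
        "firstName": user["firstName"],
        "maskedPhone": mask_phone(user["phone"]),
        "maskedEmail": mask_email(user["email"]),
        "phoneVerified": user["phoneVerified"],
    }


if __name__ == "__main__":
    print(read_by_external_id({"provider": "stateA", "idType": "PAN Card"}, "ABCDE1234F", True))
```

Because the response never includes the unmasked values, a caller that needs the user to confirm a phone number (as in the SSO workflow above) can only show the masked hint and must route the user through phone verification rather than reading the number back.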