Overview :
Sunbird system is allowing user to login with following ways.
1. general login : In this approach user first need to register with sunbird then he/she can use their email/phone/username along with password to login.
2. Google login : User will have google account and they can use same account to login
3. State login : Some state can have their user portal, So that state can do integration with sunbird. Once integration is completed their user can be directly logged in using SSO.ticket ref:
As of now point 1 and 2 is completely done and point 3 is partially. Some of the state is already using State SSO , to login their user.
Now based on new requirement there are some changes in new request body and state user identity.
Changes in request :
| Old request | New request |
|---|---|
| channel | State ID |
| userName | External User ID |
| firstName | External school (org) ID |
| lastName | Name |
| phone | Roles |
Proposed solution 1:
New JWT token will have version as well, Based on incoming version it will be identified as old implementation or new implementation. Request body will be mapped as follow.
| Existing JWT | New JWT |
|---|---|
| { "jti": "261263cd-3a0e-4aee-8faf-6d9d9eb14bb1", "iss": "c4923f5285ff447cbf13805423a1e98a", "sub": "manzarul07+110332", "aud": "https://staging.ntp.net.in", "iat": 1499405029, "exp": 1599405029, "name": "Harish kumar Gangula", "email": "t4harishkumar16@test.com", "email_verified": true, "phone_number": "8884930864", "phone_number_verified": true, "redirect_url": "https://staging.ntp.net.in/profile" } | { |
| Request key | Mapped |
|---|---|
| State ID | channel |
| External User ID | externalId |
| External school (org) ID | organisationId |
| Name | FirstName |
Current SSO login work flow:
Here loginId is userName@channel value.
Since new structure won't have userName ,it has externalId column and now user need to be search using externalId.
Proposed Solution 1:
We already have get user by identity api. As of now this api is supported for email, phone and loginId . We can enhance this api to search user by
externalId as well.
In System we have externalId, channel, idType as combine unique key.
externalId+provider+idType , So for user search we need to always pass all three combination.
URI: /user/v1/get/externalId/externalId+"#$""channel""#$"+"idType"
– Here we are using "#$" as delimiter.
– idType will be same as channel
| Pros | Cons |
|---|---|
| No new end point required | Existing api is do search based on single attribute, which is unique always, but in case of externalId , combination of three keys are unique, so caller need to pass all three identity with some delimiter. |
Proposed Solution 2:
Instead of separating values using delimiter , we can use as follow:
URI: /user/v1/get/externalId/{externalIdValue}/channel/{"channelValue"}/idType/{"idTypeValue"}
| Pros | Cons |
|---|---|
| endpoint will clearly specify attribute and it's value | apart from externalId search , other search won't have those fields |
Proposed Solution 3:
As we have getuser by loginid post api , that api is working for loginId only, we can improve it to working for externalId search as well.
Error rendering macro 'code': Invalid value specified for parameter 'firstline'{
"request":
{
"loginId": "value of loginId"
}
}
--- changes
{
"request": {
"loginId":"",
"externalId":"",
"provider":"",
"idType":""
}
}
| Pros | cons |
|---|---|
| Since we have to find user based on three attribute combination, so post api will provide clear view of requested data. | Caller need to maintain two end point for same purpose. |
| it will have more maintenance cost. |
Problem statement :
Once user found using externalId or userName or phone , caller required it's KeyCloak userName to generate JWT token.
Existing Solution:
Once user found inside sunbird, system is making keycloak call to get userName stored inside keycloak and appending this userName, inside getUserByIdentifier response.
Caller is using same userName to generate JWT token. But problem with this approach is every time one extra call need to be made to keycloak and during heavy load time it might be single point of failure.
TO Over come with this we can do below apprach:
Approach 1:
Sunbird will write an ETL job , to collect all userName from keycloak , and then update this userName inside loginId field of user table. Once this migration completed system will use this loginId and add this key as userName in getUserByIdentifier response.
Approach 2:
Once user found in getUserByIdentifier api, system will check loginId attribute , if this value is not null or empty then decrypt it and provide inside userName. Otherwise make call to keycloak and update return userName inside cassandra as well, so that next time we don't need to make keycloak call.
Create user :
Once user is created using SSO , caller can make another api call to add user to an organisation with provided roles.
URI: /org/v1/member/add
{
"request": {
"userId": "",
"organisationId": "",
"roles": [
"CONTENTCREATOR",
"CONTENTREVIEWER",
"CONTENTCURATION",
"FLAGREVIEWER"
]
}
}
Mobile/Portal design for SSO: /wiki/spaces/DPT/pages/894369793