Background
Currently content update is done by the user who created it which creates problem and is complex in scenarios where an admin want to update content by retired user. There should be an easy way to allow users to update content at the same time it should have authentication.
Problem Statement 1
What is the approach to generate the key?
Solution 1
Create JWT token with data passed upon. A JWT token will be created using secret key and below data
- channel
- name
- description
- organisationId
- createdBy
- createdOn
Solution 2
Custom generated time based key.
Pros and Cons
Key Generation Approach | Pros | Cons |
---|---|---|
JWT | no need to store the key in DB | |
Custom | method is available so negligible time consuming | key needs to be stored in db |
Problem Statement 2
What are the APIs required to manage master keys?
API Specifications
Create API
name and channel / organisationId is mandatory.
URL:
Headers:
Request Params:
Response Params:
Errors:
Sample Request and Response:
Verify API
Delete API
Problem Statement 3
What is the DB design for storing information about master keys?
Table Structure
column | type | description |
---|---|---|
channel* | text | consist user provide channel name |
name* | text | provided by user |
organisationId | text | provided by user or root org id mapped with channel |
createdBy | text | user id who created the master key |
createdOn | timestamp | created time |
approach 1 :
There should be a way to allow certain operations and for that we need to maintain master keys. These master keys would be created and stored through API by admin and would be used by anyone to bypass the current authentication mechanism.
There should be APIs to create, delete and verify the master key.
create API
Used to create a key with parameters channel, name and orgId.
POST /v1/auth/masterkey/create Request body : { request : { "channel" : "sunbird", // channel name for which master key is generated "name" : "DikshaImplTeam", // consumer name who will use the key "orgId" : "01262366359399628812" // optional orgId to make the key org specific, default value is rootOrgId of channel } } Response body : (Success) 200 { "id": "api.masterkey.create", "ver": "v1", "ts": "2019-01-29 09:17:31:909+0000", "params": { "resmsgid": null, "msgid": "9db786d3-45c2-447d-b657-f9768da15652", "err": null, "status": "success", "errmsg": null }, "responseCode": "OK", "result": { "key" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoic3VuYmlyZCIsIm5hbWUiOiJEaWtzaGFJ bXBsVGVhbSIsImNyZWF0ZWRCeSI6MTUxNjIzOTAyMiwiY3JlYXRlZE9uIjoxNTE2MjM5MDIyLCJleHBpcmVzT24iOjE1MTYyNDkwMjIsIm9yZ0lkIjoiMjM0NTY1NDU2In0.Cs5-FW7OHip6njkQvMP6zpIVB5Q-xLLgz_jnYW3zPOw" } } Response body : (Error) 400 { "id": "api.masterkey.create", "ver": "v1", "ts": "2018-01-29 11:12:31:853+0000", "params": { "resmsgid": null, "msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf", "err": "KEY_EXISTS", "status": "KEY_EXISTS", "errmsg": "Key exists for given channel sunbird and consumer DikshaImplTeam" }, "responseCode": "CLIENT_ERROR", "result": { } }
Table Structure
Errors
status code | error code | error message |
---|---|---|
400 | INVALID_CHANNEL | Channel value is invalid |
400 | MANDATORY_PARAMETER_MISSING | Mandatory parameter {channel, name} is missing. |
400 | PARAMETER_MISMATCH | Mismatch of given parameters: channel, orgId. |
get API
POST /v1/masterkey/get Request body : { request : { "channel" : "sunbird", "consumer" : "DikshaImplTeam" } } Response body : (Success) 200 { "id": "api.masterkey", "ver": "v1", "ts": "2019-01-29 09:17:31:909+0000", "params": { "resmsgid": null, "msgid": "9db786d3-45c2-447d-b657-f9768da15652", "err": null, "status": "success", "errmsg": null }, "responseCode": "OK", "result": { "key" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoic3VuYmlyZCIsIm5hbWUiOiJEaWtzaGFJ bXBsVGVhbSIsImNyZWF0ZWRCeSI6MTUxNjIzOTAyMiwiY3JlYXRlZE9uIjoxNTE2MjM5MDIyLCJleHBpcmVzT24iOjE1MTYyNDkwMjIsIm9yZ0lkIjoiMjM0NTY1NDU2In0.Cs5-FW7OHip6njkQvMP6zpIVB5Q-xLLgz_jnYW3zPOw" } } Response body : (Error) 404 { "id": "api.masterkey", "ver": "v1", "ts": "2018-01-29 11:12:31:853+0000", "params": { "resmsgid": null, "msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf", "err": "KEY_NOT_EXISTS", "status": "KEY_NOT_EXISTS", "errmsg": "Key does not exists for given channel sunbird" }, "responseCode": "RESOURCE_NOT_FOUND", "result": { } }
verify API
POST /v1/masterkey/verify Request body : { request : { "key" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoic3VuYmlyZCIsIm5hbWUiOiJEaWtzaGFJ bXBsVGVhbSIsImNyZWF0ZWRCeSI6MTUxNjIzOTAyMiwiY3JlYXRlZE9uIjoxNTE2MjM5MDIyLCJleHBpcmVzT24iOjE1MTYyNDkwMjIsIm9yZ0lkIjoiMjM0NTY1NDU2In0.Cs5-FW7OHip6njkQvMP6zpIVB5Q-xLLgz_jnYW3zPOw" } } Response body : (Success) 200 { "id": "api.masterkey.verify", "ver": "v1", "ts": "2019-01-29 09:17:31:909+0000", "params": { "resmsgid": null, "msgid": "9db786d3-45c2-447d-b657-f9768da15652", "err": null, "status": "success", "errmsg": null }, "responseCode": "OK", "result": { "channel": "sunbird", "consumer": "DikshaImplTeam", "createdBy": "00dd6646-be73-4fb0-b676-ccd01bda085e", "createdOn":1516239022, "expiresOn":1516249025, "orgId": "01262366359399628812" } } Response body : (Error) 400 { "id": "api.masterkey.create", "ver": "v1", "ts": "2018-01-29 11:12:31:853+0000", "params": { "resmsgid": null, "msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf", "err": "INVALID_KEY", "status": "INVALID_KEY", "errmsg": "Provided key for channel sunbird is invalid" }, "responseCode": "CLIENT_ERROR", "result": { } }
approach 2:
custom generated key and storing it in DB
The API structure remain same, however the custom generated key is store in DB, It also needs to be indexed.
able Structure
column | type | description |
---|---|---|
channel* | text | consist user provide channel name |
consumer* | text | provided by user |
orgId | text | provided by user or root org id mapped with channel |
key | text | holds custom generated key |
createdby | text | user id who created the master key |
createdon | timestamp | created time |
expireson | timestamp | when the token will be expired |
lastUpdatedBy | text | user who updated the token |
lastupdatedOn | timestamp | time when token was updated |
approach 3:
Using keycloak to generate an verify token to be used as masterkey.
This approach has below drawbacks
- This cannot be based on channel and consumer
- the expiry time is fixed in keycloak
However It is comparatively faster to implement.