Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWT based authentication and authorization #77

Open
shashwat-egov opened this issue Apr 30, 2023 · 9 comments
Open

JWT based authentication and authorization #77

shashwat-egov opened this issue Apr 30, 2023 · 9 comments
Labels
C4GT Community

Comments

@shashwat-egov
Copy link
Contributor

shashwat-egov commented Apr 30, 2023
edited
Loading

DIGIT is an open source service delivery platform on which several government and private sector organisations build solutions e.g. National Urban Digital Mission leverages DIGIT for National Urban Governance Platform (UPYOG) - 28+ States have signed up to roll out UPYOG to all their urban local bodies. This will help deliver services like Property Tax, Public Grievances, Water Connection, Birth/Death Certificate etc. to all citizens.

DIGIT platform has multiple core microservices, where each microservice provides a specific functionality like authentication, authorisation, encryption, workflow etc. Service delivery applications like property tax, trade license etc. are built on top of this DIGIT platform. They internally call these core microservices to utilise the functionality provided by them. DIGIT uses zuul as the API gateway. All the request coming to the backend server passes through this gateway. It provides a centralised way of authentication and authorisation of API calls. This removes the need for each microservice to implement their own authentication and authorisation mechanism. Currently DIGIT has a stateful authentication mechanism in which the access tokens are generated and stored in Redis database. Whenever authentication request is received by the service, it checks in the Redis DB if the token is available in the Redis database. For any authentication request, a call needs to be made to the authentication server. This will have an impact on the performance and scalability.

JWTs are stateless, meaning that the server doesn't need to store any information about the token itself. This can be an advantage in terms of scalability and performance, as there is no need for the server to maintain any session state for the client. It also provides a decentralized mechanism of authentication and authorization, allowing for the authentication and authorization of requests across different systems and services without requiring a centralized authentication and authorization service.

For further reference to current DIGIT authentication and authorisation service please refer the following documentation:
Authentication
Authorization

Features to be implemented:

  1. Integration of JWT-based authentication and authorisation mechanism with the existing DIGIT platform.
  2. Development of a scalable and performant JWT token generation and verification mechanism using public and private key encryption.
  3. Integration of the new JWT-based authentication and authorisation mechanism with the existing API gateway: Zuul.
  4. Development of a client utility which can do authentication and authorisation of the JWT tokens. The utility can be used
    by third party applications to using DIGIT authentication and authorisation.
  5. Implementation of multi-factor authentication (MFA) to provide an additional layer of security for user accounts.(Optional)

Learning Path:

  1. Understanding the basics of JWT-based authentication and authorisation mechanism and its advantages over stateful authentication mechanisms.
  2. Learning how to use open source JWT libraries and tools like JJWT, Nimbus JOSE + JWT, Auth0 JWT, etc. to generate and verify JWT tokens.
  3. Understanding the key concepts of public and private key encryption and how to use them to secure JWT tokens.
  4. Learning how to integrate JWT-based authentication and authorisation with existing microservices and API gateway using Zuul.
  5. Learning how to implement MFA for user accounts using open-source libraries like Google Authenticator. (Optional)

Product Set Up:

  1. Setting up a development environment with the required tools and libraries like Java, Spring Boot, Redis, JWT libraries, etc.
  2. Setting up the few core services of DIGIT like zuul and egov-user locally for testing and development purposes.
  3. Configuring the development environment with appropriate secrets, keys, and environment variables for secure JWT token generation and verification.

Acceptance Criteria:

  1. Successful integration of the JWT-based authentication and authorisation mechanism with the DIGIT platform
  2. Implementation of a scalable and performant JWT token generation and verification mechanism using public and private key encryption.
  3. Development of a client library for user authentication and authorisation
  4. Implementation of multi-factor authentication (MFA) for user accounts to provide an additional layer of security. (Not mandatory)
@KeenWarrior
Copy link

Hello @shashwat-egov, Please ensure that the following fields are filled out

  • Project Details
  • Features to be implemented
  • Learning Path
  • Product Set Up
  • Acceptance Criteria

You can find here description of what needs to be added in corresponding fields.

Here are sample tickets for reference.

@Shruti3004
Copy link

Shruti3004 commented May 10, 2023
edited
Loading

Hey @shashwat-egov Thanks for adding the above details. Can you please re-check the links, since I am getting the issues on it. Thanks!

@shashwat-egov
Copy link
Contributor Author

@Shruti3004 I have updated the links now.

@Abhinav-Saxena-dev
Copy link

Hey, this issue seems interesting to me, I'll start working on it and will be sending a patch pretty soon!

@jayanth-kumar-morem
Copy link

Interested and will be drafting the application on this issue.

@sukhpreetssekhon
Copy link

@shashwat-egov - what is your Discord handle? Can you please join the C4GT Discord server as applicants will have queries that they may raise over there. Thanks

@shashwat-egov
Copy link
Contributor Author

I have already joined. Here is my discord handle - shashwatmishra#9006

@AieshaShetty
Copy link

Hey, I would like to work on this project and will be giving an abstract on this issue soon.

@c4gt-community-support C4GT Community Support
Copy link

Hi!
Mandatory Details - The following details essential to submit tickets to C4GT Community Program are missing. Please add them!

  • Product Name - Please add a heading called Product Name and mention the name of the product below it.
  • Tech Skills Needed - Please add relevant tech skills
  • Mentors(s) Please tag the relevant mentors on the ticket
  • Complexity - Please mention the complexity only as High/Medium/Low
  • Category - Please add one or more of these options [CI/CD], [Integrations], [Performance Improvement], [Security], [UI/UX/Design], [Bug], [Feature], [Documentation], [Deployment], [Test], [PoC]

Without these details, the ticket cannot be listed on the C4GT Community Listing.

Important Details - These following details are helpful for contributors to effectively identify and contribute to tickets.

  • Organization Name
  • Domain - Area of governance
  • Sub-Category - Please mention the sub-category if any for the ticket

Please update the ticket

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C4GT Community
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@sathishp-eGov @KeenWarrior @sukhpreetssekhon @Shruti3004 @jayanth-kumar-morem @shashwat-egov @AieshaShetty @Abhinav-Saxena-dev