Uploaded image for project: 'GPII - Global Public Inclusive Infrastructure'
  1. GPII - Global Public Inclusive Infrastructure
  2. GPII-2434

Authenticate GPII apps before they can request user settings from GPII Cloud



    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:


      One GPII security issue is to protect the communication between native GPII apps and GPII Cloud. That means, at receiving http requests, GPII Cloud needs to ensure these requests are sent from authorized native GPII apps rather than random sources.

      After some research, OAuth2 resource owner password credentials grant is selected as the solution for this security issue: each native GPII app will be assigned an unique client credential, a pair of client id and secret. This client credential will be stored within the native GPII app. Before accessing any user information from GPII Cloud, the native GPII app needs to send the client credential to GPII Cloud where the client credential will be verified to ensure the party at the other end is an authorized GPII app.

      This JIRA is an umbrella JIRA that includes sub-task JIRAs in order to implement this design, which uses a dedicated process called "GPII access requester" to store the assigned client credential within the native GPII app and communicate with GPII Cloud to request access tokens by providing client credential.

      Related research and design documentation:

      Initial Research on Protecting Communication between Local Flow Manager and Cloud Based Flow Manager

      Continued Researches on Possible Approaches for Protecting Communication btw LFM and CBFM

      Workflows to request client credential

      Designs of Using a Dedicated Process to Protect the Client Secret Assigned to GPII Local Installation



          Issue Links

          There are no Sub-Tasks for this issue.



              cli@ocad.ca Cindy Qi Li
              cli@ocad.ca Cindy Qi Li
              0 Vote for this issue
              1 Start watching this issue