Technology Stack

This application is written in Java using Spring Boot and the Spring Security frameworks.

JSON Web Token

Basics

Ego makes use of JSON Web Tokens (JWTs) for providing users with a Bearer token.

The RFC for JWTs can be found here: https://tools.ietf.org/html/rfc7519

The following is a useful site for understanding JWTs: https://jwt.io/

The following is the structure of an ego JWT:

{
    "alg": "HS512"
}
.
{
    "sub": "1234567",
    "iss": "ego:56fc3842ccf2c1c7ec5c5d14",
    "iat": 1459458458,
    "exp": 1459487258,
    "jti": "56fd919accf2c1c7ec5c5d16",
    "aud": [
        "service1-id",
        "service2-id",
        "service3-id"
    ],
    "context": {
        "user": {
            "name": "Demo.User@example.com",
            "email": "Demo.User@example.com",
            "status": "Approved",
            "firstName": "Demo",
            "lastName": "User",
            "createdAt": "2017-11-23 10:24:41",
            "lastLogin": "2017-11-23 11:23:58",
            "preferredLanguage": null,
            "roles": ["ADMIN"]
        }
    }
}
.
[signature]
Notes
  • The “aud” field can contain one or more client IDs. It indicates the client services that are authorized to use this JWT.
  • “groups” will differ based on the domain of the client service: each domain of services should get its list of groups from that domain’s ego service.
  • “permissions” will differ based on the domain of the client service: each domain of services should get its list of permissions from that domain’s ego service.

Unit tests using Testcontainers will also run the Flyway migrations to ensure the database has the correct structure.

Library Support

The Java JWT library is used in Ego for providing support for encoding, decoding, and validating JWTs: https://github.com/jwtk/jjwt

Spring-Boot

Ego is a microservice written in Java 8 and Spring-Boot. It makes use of the following parts of the Spring and Spring-Boot framework:

Swagger docs are generated by Springfox: https://springfox.github.io/springfox/docs/current/

Ego Design Notes

  1. OAuth Single Sign-On means that Ego doesn’t need to manage users and their passwords; users don’t need a new username or password, and don’t need to trust any service other than Google / Facebook.

  2. Ego lets users be in charge of the authority they give out, so they can issue secret tokens that are limited to the exact authority level they need to do a given task.

    Even if such a token becomes publicly known, it can’t grant an outsider access to services or permissions that the token doesn’t have, regardless of whether the user has more authority than they chose to grant.

    Tokens also automatically expire (by default, within 24 hours), and if a user suspects that a token may have become known to outsiders, they can simply revoke the compromised token, removing all of its authority, then issue themselves a new secret token and use it.

  3. None of the services that use Ego need to worry about how to manage users, logins, authentication, or authorization. The end user simply sends them a token, and the service checks with Ego to learn who the token is for and what permissions the token grants. If the permissions granted don’t include the permissions the service needs, it denies access; otherwise, it runs the service for the given user.
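The following is an added, dependency-free sketch (not Ego's code, which uses jjwt on the Java side) of the two halves described on this page: issuing a three-segment HS512 token with the claim layout shown under "Basics", and the checks a client service performs before acting on one (design notes 2 and 3). The signing secret, the service IDs, the "permissions" list placed under "context" and the "song.READ"/"song.WRITE" permission names are all constructed for the example and are assumptions, not values from Ego; the revocation set stands in for the check a service makes against Ego, which this page does not detail.

```python
"""Added illustration of the Ego JWT flow; hypothetical, not project code."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; Ego's real signing key is not on this page.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """Produce header.payload.signature with the HS512 'alg' shown above."""
    header = {"alg": "HS512", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)


class TokenRejected(Exception):
    """Raised for any token a service must not act on."""


def verify_token(secret, token, service_id, now=None, revoked=frozenset()):
    """Checks a client service runs before trusting a token's claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier, not the token, decides what 'alg' is.
    if header.get("alg") != "HS512":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenRejected("expired or missing exp")
    # 'aud' lists the client services allowed to use this JWT (see Notes).
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if service_id not in aud:
        raise TokenRejected("token not issued for this service")
    # Revoked tokens lose all authority (design note 2); 'jti' identifies them.
    if claims.get("jti") in revoked:
        raise TokenRejected("revoked")
    return claims


def authorize(claims, required):
    """Design note 3: grant only if the token carries every needed permission."""
    granted = set(claims.get("context", {}).get("permissions", []))
    return set(required) <= granted


def demo_claims(issued_at: int) -> dict:
    """Constructed claims mirroring the structure shown under 'Basics'."""
    return {
        "sub": "1234567",
        "iss": "ego:56fc3842ccf2c1c7ec5c5d14",
        "iat": issued_at,
        "exp": issued_at + 24 * 3600,  # the page's 24-hour default lifetime
        "jti": "56fd919accf2c1c7ec5c5d16",
        "aud": ["service1-id", "service2-id"],
        "context": {
            "user": {"name": "Demo.User@example.com", "roles": ["ADMIN"]},
            # Assumed placement of the 'permissions' claim the Notes mention.
            "permissions": ["song.READ"],
        },
    }


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the happy path and each rejection; returns outcomes by name."""
    token = issue_token(DEMO_SECRET, demo_claims(now))
    out = {"issued": token.count(".") == 2}
    claims = verify_token(DEMO_SECRET, token, "service1-id", now=now + 60)
    out["read_allowed"] = authorize(claims, ["song.READ"])
    out["write_allowed"] = authorize(claims, ["song.WRITE"])
    attempts = {
        "wrong_service": lambda: verify_token(DEMO_SECRET, token, "service9-id", now=now + 60),
        "expired": lambda: verify_token(DEMO_SECRET, token, "service1-id", now=now + 90_000),
        "tampered": lambda: verify_token(DEMO_SECRET, token[:-5] + "AAAAA", "service1-id", now=now + 60),
        "revoked": lambda: verify_token(DEMO_SECRET, token, "service1-id", now=now + 60,
                                        revoked={"56fd919accf2c1c7ec5c5d16"}),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            out[name] = "accepted"
        except TokenRejected as err:
            out[name] = str(err)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The service never trusts the token's own "alg" header and never extends a permission set beyond what the token carries, which is what makes a leaked, narrowly scoped token unusable for anything beyond its stated grants.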