egovernments / Digit-Core

DIGIT is an open-source, modular, microservices-based multi-tenant platform for public service delivery.
https://core.digit.org
MIT License

JWT based authentication and authorization #77

Open shashwat-egov opened 1 year ago

shashwat-egov commented 1 year ago

DIGIT is an open source service delivery platform on which several government and private sector organisations build solutions. For example, the National Urban Digital Mission leverages DIGIT for the National Urban Governance Platform (UPYOG); 28+ states have signed up to roll out UPYOG to all their urban local bodies. This will help deliver services like Property Tax, Public Grievances, Water Connection, Birth/Death Certificate etc. to all citizens.

The DIGIT platform has multiple core microservices, where each microservice provides a specific functionality like authentication, authorisation, encryption, workflow etc. Service delivery applications like property tax, trade license etc. are built on top of this DIGIT platform. They internally call these core microservices to utilise the functionality provided by them. DIGIT uses Zuul as the API gateway. All requests coming to the backend server pass through this gateway. It provides a centralised way of authenticating and authorising API calls. This removes the need for each microservice to implement its own authentication and authorisation mechanism. Currently DIGIT has a stateful authentication mechanism in which the access tokens are generated and stored in a Redis database. Whenever an authentication request is received by the service, it checks whether the token is available in the Redis database. For any authentication request, a call needs to be made to the authentication server. This will have an impact on performance and scalability.

JWTs are stateless, meaning that the server doesn't need to store any information about the token itself. This can be an advantage in terms of scalability and performance, as there is no need for the server to maintain any session state for the client. It also provides a decentralized mechanism of authentication and authorization, allowing for the authentication and authorization of requests across different systems and services without requiring a centralized authentication and authorization service.

For further reference on the current DIGIT authentication and authorisation service, please refer to the following documentation: Authentication Authorization

Features to be implemented:

  1. Integration of JWT-based authentication and authorisation mechanism with the existing DIGIT platform.
  2. Development of a scalable and performant JWT token generation and verification mechanism using public and private key encryption.
  3. Integration of the new JWT-based authentication and authorisation mechanism with the existing API gateway: Zuul.
  4. Development of a client utility which can do authentication and authorisation of the JWT tokens. The utility can be used by third party applications to use DIGIT authentication and authorisation.
  5. Implementation of multi-factor authentication (MFA) to provide an additional layer of security for user accounts. (Optional)

Learning Path:

  1. Understanding the basics of JWT-based authentication and authorisation mechanism and its advantages over stateful authentication mechanisms.
  2. Learning how to use open source JWT libraries and tools like JJWT, Nimbus JOSE + JWT, Auth0 JWT, etc. to generate and verify JWT tokens.
  3. Understanding the key concepts of public and private key encryption and how to use them to secure JWT tokens.
  4. Learning how to integrate JWT-based authentication and authorisation with existing microservices and API gateway using Zuul.
  5. Learning how to implement MFA for user accounts using open-source libraries like Google Authenticator. (Optional)

Product Set Up:

  1. Setting up a development environment with the required tools and libraries like Java, Spring Boot, Redis, JWT libraries, etc.
  2. Setting up a few core services of DIGIT like zuul and egov-user locally for testing and development purposes.
  3. Configuring the development environment with appropriate secrets, keys, and environment variables for secure JWT token generation and verification.

Acceptance Criteria:

  1. Successful integration of the JWT-based authentication and authorisation mechanism with the DIGIT platform
  2. Implementation of a scalable and performant JWT token generation and verification mechanism using public and private key encryption.
  3. Development of a client library for user authentication and authorisation
  4. Implementation of multi-factor authentication (MFA) for user accounts to provide an additional layer of security. (Not mandatory)
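
The stateless flow the issue describes (auth server signs with a private key, the gateway verifies with only the public key and a clock, no Redis lookup), shown as an added example written for this page; it is not code from the DIGIT project and does not use JJWT or Nimbus, only the Go standard library, so that the token format itself is visible. The claim names `tenantId` and `roles`, the tenant value `pb.amritsar` and the role names are constructed for the example and are not DIGIT's actual claim layout. `Verify` pins the algorithm to RS256 before touching the signature, rejects expired tokens, and only then hands the claims to the authorisation check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims carried inside the token. tenantId and roles are constructed field
// names chosen to mirror what a multi-tenant gateway needs for authorisation;
// they are not DIGIT's real claim layout.
type Claims struct {
	Sub      string   `json:"sub"`
	TenantID string   `json:"tenantId"`
	Roles    []string `json:"roles"`
	Exp      int64    `json:"exp"` // expiry as Unix seconds
}

var b64 = base64.RawURLEncoding // JWT uses unpadded base64url

// Sign is the auth-server side: it holds the private key and emits a compact
// RS256 token, base64url(header).base64url(claims).base64url(signature).
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is the gateway side: with only the public key and a clock it decides
// whether the token is genuine and still valid, with no lookup in Redis. The
// algorithm is pinned to RS256 before the signature is checked, so a header
// claiming "none" or an HMAC algorithm is rejected outright.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// HasRole is the authorisation step the gateway runs after Verify succeeded:
// the caller must belong to the tenant and hold the required role.
func HasRole(c *Claims, tenant, role string) bool {
	if c.TenantID != tenant {
		return false
	}
	for _, r := range c.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := Sign(priv, Claims{Sub: "user-123", TenantID: "pb.amritsar",
		Roles: []string{"CITIZEN"}, Exp: time.Now().Add(time.Hour).Unix()})
	c, err := Verify(&priv.PublicKey, tok, time.Now())
	fmt.Println(c, err)
}
```

Because verification needs only the public key, the same `Verify` logic can live in the gateway and in the client utility of feature 4 without either ever seeing the private key. The trade-off the issue's "stateless" argument implies is that a token cannot be revoked individually once issued, so the `exp` check is the only thing bounding a leaked token's lifetime; short expiries and a documented key-rotation procedure are the usual mitigations.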

KeenWarrior commented 1 year ago

Hello @shashwat-egov, please ensure that the following fields are filled out.

You can find a description of what needs to be added in the corresponding fields here.

Here are sample tickets for reference.

Shruti3004 commented 1 year ago

Hey @shashwat-egov, thanks for adding the above details. Can you please re-check the links, since I am getting issues with them? Thanks!

shashwat-egov commented 1 year ago

@Shruti3004 I have updated the links now.

Abhinav-Saxena-dev commented 1 year ago

Hey, this issue seems interesting to me, I'll start working on it and will be sending a patch pretty soon!

jayanth-kumar-morem commented 1 year ago

Interested and will be drafting the application on this issue.

sukhpreetssekhon commented 1 year ago

@shashwat-egov - what is your Discord handle? Can you please join the C4GT Discord server as applicants will have queries that they may raise over there. Thanks

shashwat-egov commented 1 year ago

I have already joined. Here is my Discord handle: shashwatmishra#9006

AieshaShetty commented 1 year ago

Hey, I would like to work on this project and will be giving an abstract on this issue soon.

c4gt-community-support[bot] commented 11 months ago

Hi! Mandatory Details - The following details, essential for submitting tickets to the C4GT Community Program, are missing. Please add them!

Without these details, the ticket cannot be listed on the C4GT Community Listing.

Important Details - The following details help contributors effectively identify and contribute to tickets.

Please update the ticket.