italia / api-padigitale2026-misura1.3.1-uni-afam

API specifications for measure 1.3.1, for the call dedicated to Universities and AFAM
Creative Commons Zero v1.0 Universal

Agid-JWT-TrackingEvidence - payload mandatory fields #212

Closed nicolabeghin closed 2 months ago

nicolabeghin commented 3 months ago

Given it's not clear from the documentation, can you please confirm that in the Agid-JWT-TrackingEvidence payload it's required to pass the standard token fields?

Thanks, Nicola

nicolabeghin commented 3 months ago

Claims aud,jti,iat,exp are mandatory in Agid-JWT-TrackingEvidence as per Linee Guida sull’interoperabilità tecnica delle Pubbliche Amministrazioni – Pattern di sicurezza

ref. https://github.com/link-it/govway/issues/168
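To make the point of the comment above concrete, here is an added example of the provider-side check a gateway would perform on an Agid-JWT-TrackingEvidence JWS: verify the signature, then require the aud, jti, iat and exp claims and validate each (audience match, time window, jti replay cache). This is illustrative code written for this page, not code from the repository, GovWay or PDND. It assumes an HMAC signature and a constructed demo key purely so that it runs offline; real ModI tokens are signed with the consumer's X.509-backed private key, and a production validator would verify an asymmetric signature against the registered certificate instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption for this example). Real ModI tokens are signed
# with the consumer's X.509-backed private key; HMAC only keeps the example offline.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

# Claims reported above as mandatory in the Agid-JWT-TrackingEvidence payload.
MANDATORY_CLAIMS = ("aud", "jti", "iat", "exp")


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_tracking_evidence(claims, secret=DEMO_SECRET):
    """Build a JWS compact serialization (header.payload.signature) as test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_tracking_evidence(token, expected_aud, seen_jti, now=None, secret=DEMO_SECRET, max_skew=60):
    """Provider-side check: signature first, then the mandatory claims.

    Returns (accepted, reason). `seen_jti` is the caller's replay cache and is
    updated only when the token is accepted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed JWS compact serialization"
    signing_input = parts[0] + "." + parts[1]
    expected_sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    try:
        presented_sig = _b64url_decode(parts[2])
    except ValueError:
        return False, "signature is not valid base64url"
    # Constant-time comparison; reject before parsing any untrusted payload.
    if not hmac.compare_digest(expected_sig, presented_sig):
        return False, "bad signature"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "payload is not valid JSON"
    missing = [c for c in MANDATORY_CLAIMS if c not in claims]
    if missing:
        return False, "missing mandatory claims: " + ", ".join(missing)
    # aud may be a single string or a list of strings (RFC 7519).
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "aud does not name this provider"
    iat, exp = claims["iat"], claims["exp"]
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        return False, "iat/exp must be numeric dates"
    if iat > now + max_skew:
        return False, "iat is in the future"
    if exp <= now:
        return False, "token has expired"
    if exp <= iat:
        return False, "exp precedes iat"
    if claims["jti"] in seen_jti:
        return False, "jti already seen (replay)"
    seen_jti.add(claims["jti"])
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a token that is valid once and rejected on replay.
    now = 1_700_000_000
    aud = "https://provider.example/eservice"  # placeholder audience
    token = make_tracking_evidence({"aud": aud, "jti": "id-1", "iat": now, "exp": now + 300, "purposeId": "p-1"})
    cache = set()
    print(validate_tracking_evidence(token, aud, cache, now=now))
    print(validate_tracking_evidence(token, aud, cache, now=now))
```

The order matters: the signature is checked before the payload is parsed, so a tampered token never reaches the claim logic, and the jti is recorded only after every other check passes, so a rejected token cannot poison the replay cache.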

denismarini commented 2 months ago

Dear @nicolabeghin,

I’m pleased to hear that you found valuable information for setting up the Govway API Gateway, thank you very much for your contribution. I would like to add that it’s recommended to use the profile [ID_AUTH_REST_01] for Direct Trust with an X.509 certificate over REST in the 1.3.1 UNIAFAM Domain.

Thanks

cc @mfortini

nicolabeghin commented 2 months ago

Just to confirm: as stated in official PDND docs - JWS Agid-JWT-TrackingEvidence is required along with Bearer in the HTTP headers, right?

https://docs.pagopa.it/interoperabilita-1/manuale-operativo/utilizzare-i-voucher

the consumer makes a data request to the provider: the consumer then sends a request to the provider, inserting the PDND Interoperabilità voucher in the Authorization header according to the standard flow. In the same call, it inserts, in a second header called Agid-JWT-TrackingEvidence, the JWS with the complementary information

Also Agid-JWT-TrackingEvidence is part of auditing protocol AUDIT_REST_01.


denismarini commented 2 months ago

Dear @nicolabeghin,

In this project, you don’t need to use the Agid-JWT-TrackingEvidence token. This token is only required for the AUDIT_REST profile, which is used for specific legal use cases. The Audit profile is not needed for this project.

In the guide https://docs.pagopa.it/interoperabilita-1/manuale-operativo/utilizzare-i-voucher#trasmettere-e-tracciare-dati-complementari-alla-richiesta the second token Agid-JWT-TrackingEvidence is mentioned only to manage the added info in the communication for audit purposes.

I hope I was helpful

denismarini commented 2 months ago

Please remove the checkmark in the screenshot provided.

nicolabeghin commented 2 months ago

Thanks, it's one check less to perform. Honestly I'm appalled this wasn't documented as not mandatory, and we performed all our tests with such a token since there's no indication otherwise in the official documentation, as reported before.

https://docs.pagopa.it/interoperabilita-1/manuale-operativo/utilizzare-i-voucher

the consumer makes a data request to the provider: the consumer then sends a request to the provider, inserting the PDND Interoperabilità voucher in the Authorization header according to the standard flow. In the same call, it inserts, in a second header called Agid-JWT-TrackingEvidence, the JWS with the complementary information

So just to reiterate: there's no need at all to check additional token Agid-JWT-TrackingEvidence even if reported in the documentation?

denismarini commented 2 months ago

Dear @nicolabeghin,

I confirm that you do not need to check the additional token, Agid-JWT-TrackingEvidence.

Thank you for your feedback. We realize that the current documentation doesn't sufficiently highlight that the standard profile for API 1.3.1 UNIAFAM should be used. Additionally, the AUDIT profile, intended for specific cases, is not sufficiently clarified in the PagoPA documentation. We apologize for this lack of clarity. We will proceed to improve the documentation for notice 1.3.1 and contact PagoPA to request an update that clarifies these aspects, in order to avoid misunderstandings and facilitate the use of the standard flow by designers.

https://github.com/italia/api-padigitale2026-misura1.3.1-uni-afam/blob/dev/README.md#da-sapere-prima-di-iniziare-a-leggere-le-linee-guida-agli-e-service

cc @mfortini

nicolabeghin commented 2 months ago

Thanks @denismarini I appreciate the transparency. Keep up the good work!

denismarini commented 2 months ago

Hi @nicolabeghin,

Could you please confirm whether the following screenshot is from the GovWay API Gateway?

Thanks


nicolabeghin commented 2 months ago

> Hi @nicolabeghin,
>
> Could you please confirm whether the following screenshot is from the GovWay API Gateway?
>
> Thanks

Cannot see the image, sorry!

denismarini commented 2 months ago

I am sorry, the following:

nicolabeghin commented 2 months ago

I confirm. Please note: to get "Linee Guida ModI Optional" some customization is required in the govway properties.

denismarini commented 2 months ago

Thank you @nicolabeghin,

just to avoid any misunderstandings, the following details:

Since each API Gateway has its own settings, it's crucial for the PNRR 1.3.1 UNIAFAM project to configure the API Gateway to communicate using the basic profile with PDND, based on the LG ModI: Profile ID_AUTH_REST_01. The guidelines in the ModI might not be mapped 1-1 with the API Gateway, since it depends on its design and its user guide. I would like to remind you that using an API gateway is not mandatory for the 1.3.1 UNIAFAM project. Whether or not to use one depends on the software architecture of the system that will integrate with the PDND. Anyway, the GovWay API Gateway is a good choice for most solutions, and it's delivered by https://developers.italia.it/