SSO Chronicles: Bank, Tokens, and a Little Magic

Hey! My name is Artem Ivlev, and I work on customer identification architecture at VTB Bank. Our job is to answer the question of who is using our banking service: mobile or Internet banking, the voice assistant, or one of our many branches. There are many tools for this, and I want to tell you how one of them came to be.





Prologue





It is 2019, the bank's ecosystem is growing by leaps and bounds, and we increasingly need a single entry point for customers and an identity provider. What we have is an account directory and separate authentication solutions built by different teams.





We did not yet have requirements for what the whole thing should look like. At the same time, we immediately started talking about authenticating individuals not only in the online bank but also on partners' resources: the familiar "Sign in with VTB" button.





This is what signing in through VTB will look like





From this it followed that we should take the most general-purpose solution available and start using it. Only by using it could we work out what exactly we needed, which functions were missing, and so on.





Choosing which way to go





After searching the Internet and poring over Gartner's Magic Quadrants, we started looking at open source solutions with support available in Russia:





• WSO2 Identity Server

• Keycloak

• OpenAM










WSO2 Identity Server










We use OAuth 2, and the ID token is a JWT. A JWT consists of three parts:

1. Header (HEADER): the token type and the algorithm used to sign it.

2. Payload (PAYLOAD): the claims, that is, the statements about the user and about the token itself.

3. Signature (SIGNATURE): computed over the header and payload with the issuer's key, so that any change to either of them is detected.





JSON Web Token (JWT)





Each part is Base64url-encoded, and the three parts are joined with dots.





An ID token in JWT form is convenient because it is self-contained: it can be validated with the issuer's key alone, without a round trip to the identity provider, for example directly at the API Gateway.
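To make the three-part structure and the validation order concrete, here is an added example (my own code, not code from the article or from WSO2 IS) that issues and verifies an HS256 JWT with only the Python standard library. The shared key, the claim values and the HS256 choice are assumptions for the sake of a self-contained demo; an identity provider issuing ID tokens to third parties would normally use an asymmetric algorithm (RS256/ES256) so that verifiers such as an API gateway hold only the public key. The `forge_alg_none` helper shows the token an attacker would present to a verifier that trusts the header's `alg` field, and why the verifier must pin the algorithm itself.

```python
"""Issue and verify a JWT (HS256) with only the Python standard library.

Added example, not code from the page or from VTB/WSO2. The shared HMAC key
and the claims are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"demo-shared-secret-not-for-production"  # constructed demo key


class InvalidToken(Exception):
    """Raised when a token fails structural, signature or lifetime checks."""


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_jwt(claims: dict, key: bytes, ttl_seconds: int = 300,
              now: Optional[int] = None) -> str:
    """Build header.payload.signature; 'exp' is always set so no token lives forever."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = _segment(header) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Return the claims only if the algorithm is the expected one, the signature
    matches and the token has not expired. Order matters: the payload is not
    trusted before the signature has been checked."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("header or signature is not valid base64url/JSON")
    # Pin the algorithm on the verifier side: the token must never choose it
    # (this is what blocks 'alg': 'none' and algorithm-confusion tricks).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % (header.get("alg"),))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidToken("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise InvalidToken("token expired or has no exp")
    return payload


def is_valid(token: str, key: bytes, now: Optional[int] = None) -> bool:
    try:
        verify_jwt(token, key, now)
        return True
    except InvalidToken:
        return False


def forge_alg_none(token: str) -> str:
    """What an attacker sends to a verifier that trusts the header's alg:
    same payload, header rewritten to alg=none, signature removed."""
    _, payload_b64, _ = token.split(".")
    return _segment({"alg": "none", "typ": "JWT"}) + "." + payload_b64 + "."


if __name__ == "__main__":
    tok = issue_jwt({"sub": "client-42", "aud": "api-gateway"}, SECRET, ttl_seconds=60)
    print(tok)
    print(verify_jwt(tok, SECRET))
    print("alg=none accepted?", is_valid(forge_alg_none(tok), SECRET))
```

The `now` parameter exists so that expiry can be tested deterministically; in production leave it unset. The same pinning rule applies to an RS256 verifier: decide the algorithm and the key from your own configuration, never from the token.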














Token validation is done at the API Gateway, which keeps its state in Redis with a TimeToLive.










The browser receives a cookie (HttpOnly, SameSite, Secure) that contains only a UUID. On the server side the UUID (with a CRC32 check) is resolved to the actual JWT, which therefore never reaches the browser.
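The opaque-cookie pattern above, as an added example (my own code, not the bank's): the browser holds only a UUID in a cookie with the HttpOnly, Secure and SameSite attributes, while the JWT lives in a server-side store with a TTL. `TtlStore` is an in-memory stand-in for Redis `SET ... EX` (an assumption; the page names Redis but shows no commands), the cookie name `sid` is mine, and the CRC32 step mentioned in the text is not reproduced here.

```python
"""Opaque session cookie in the browser, JWT kept server-side with a TTL.

Added example, not code from the page. TtlStore stands in for Redis; the cookie
name 'sid', the TTLs and the token strings are constructed for the demo.
"""
import time
import uuid
from typing import Dict, Optional, Tuple


class TtlStore:
    """Minimal key/value store with per-key expiry (what Redis SET key value EX ttl gives you)."""

    def __init__(self) -> None:
        self._data: Dict[str, Tuple[str, float]] = {}

    def set(self, key: str, value: str, ttl_seconds: int, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._data[key] = (value, now + ttl_seconds)

    def get(self, key: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if now >= expires_at:          # lazy expiry, like Redis on access
            del self._data[key]
            return None
        return value

    def delete(self, key: str) -> None:
        self._data.pop(key, None)


def create_session(store: TtlStore, jwt: str, ttl_seconds: int,
                   now: Optional[float] = None) -> Tuple[str, str]:
    """Store the JWT under a fresh random UUID and build the Set-Cookie value.

    HttpOnly: script cannot read it; Secure: HTTPS only; SameSite=Strict: not sent
    on cross-site requests, which blunts CSRF. Max-Age mirrors the server-side TTL.
    """
    session_id = str(uuid.uuid4())   # uuid4 is drawn from os.urandom, so it is unguessable
    store.set(session_id, jwt, ttl_seconds, now)
    cookie = (f"sid={session_id}; Path=/; Max-Age={ttl_seconds}; "
              f"HttpOnly; Secure; SameSite=Strict")
    return session_id, cookie


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a request Cookie header ('a=1; b=2') into a dict."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def resolve_jwt(store: TtlStore, cookie_header: str,
                now: Optional[float] = None) -> Optional[str]:
    """Gateway side: cookie UUID -> JWT, or None if missing, malformed or expired."""
    sid = parse_cookie_header(cookie_header).get("sid")
    if not sid:
        return None
    try:
        uuid.UUID(sid)               # reject anything that is not a UUID before hitting the store
    except ValueError:
        return None
    return store.get(sid, now)


def logout(store: TtlStore, cookie_header: str) -> None:
    """Deleting the server-side entry invalidates the session immediately,
    regardless of what the browser still holds."""
    sid = parse_cookie_header(cookie_header).get("sid")
    if sid:
        store.delete(sid)


if __name__ == "__main__":
    store = TtlStore()
    sid, set_cookie = create_session(store, "eyJhbGciOi.constructed.jwt", ttl_seconds=900)
    print("Set-Cookie:", set_cookie)
    print("resolved:", resolve_jwt(store, f"sid={sid}"))
    logout(store, f"sid={sid}")
    print("after logout:", resolve_jwt(store, f"sid={sid}"))
```

Because the JWT never leaves the server, leaking the cookie through XSS or a log line exposes only an opaque identifier, and revoking a session is a single delete rather than a blacklist lookup on every request.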










The stock WSO2 IS login pages are JSP. We needed an API that our own SPA could consume instead, so we arrived at the following:

- The API is /oauth2/token.

- Each authentication method is a grant_type submitted to /oauth2/token.

So every way of logging in became its own grant type.
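The dispatch described above, as an added example that is my own code and not WSO2 IS (whose custom grant handlers are Java classes): a token endpoint that selects a handler by `grant_type`, checks that the calling client is allowed to use that grant, and answers with the error codes RFC 6749 defines. The custom grant URI, the client registry, the user and the pending one-time code are all constructed for the demo.

```python
"""OAuth 2.0 token endpoint dispatching on grant_type.

Added example, not code from the page or from WSO2 IS. Clients, users, the
pending OTP and the custom grant URI are constructed for the demo.
"""
import secrets
from typing import Callable, Dict, Optional, Tuple

# Hypothetical custom grant URI; RFC 6749 section 4.5 lets extension grants use a URI.
SMS_OTP_GRANT = "urn:example:params:oauth:grant-type:sms-otp"

# Constructed client registry: which grant types each client may use.
CLIENTS = {
    "mobile-app": {"secret": "s3cr3t", "grant_types": {"password", SMS_OTP_GRANT}},
    "partner-site": {"secret": "p4rtner", "grant_types": {"authorization_code"}},
}
# Constructed user credentials and a pending one-time code for the demo.
USERS = {"alice": "correct horse"}
PENDING_OTP = {"+70000000000": "482913"}

GrantHandler = Callable[[Dict[str, str]], Optional[str]]  # returns the subject or None


def password_grant(form: Dict[str, str]) -> Optional[str]:
    """Resource Owner Password Credentials grant (RFC 6749 section 4.3)."""
    user = form.get("username", "")
    given = form.get("password", "")
    if user not in USERS or not secrets.compare_digest(USERS[user], given):
        return None
    return user


def sms_otp_grant(form: Dict[str, str]) -> Optional[str]:
    """Custom grant: phone number plus a one-time code sent by SMS."""
    phone = form.get("phone", "")
    code = form.get("otp", "")
    expected = PENDING_OTP.get(phone)
    if expected is None or not secrets.compare_digest(expected, code):
        return None
    del PENDING_OTP[phone]  # one-time use: a replayed code must fail
    return phone


GRANTS: Dict[str, GrantHandler] = {
    "password": password_grant,
    SMS_OTP_GRANT: sms_otp_grant,
}


def token_endpoint(form: Dict[str, str]) -> Tuple[int, dict]:
    """Handle a POST to /oauth2/token; returns (HTTP status, JSON body)."""
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
        return 401, {"error": "invalid_client"}
    grant_type = form.get("grant_type", "")
    handler = GRANTS.get(grant_type)
    if handler is None:
        return 400, {"error": "unsupported_grant_type"}
    if grant_type not in client["grant_types"]:
        return 400, {"error": "unauthorized_client"}
    subject = handler(form)
    if subject is None:
        # Deliberately the same error for a wrong password and a wrong OTP:
        # the response must not reveal which part of the credential failed.
        return 400, {"error": "invalid_grant"}
    return 200, {
        "access_token": secrets.token_urlsafe(32),  # opaque token; a JWT could be issued here instead
        "token_type": "Bearer",
        "expires_in": 300,
    }


if __name__ == "__main__":
    print(token_endpoint({"client_id": "mobile-app", "client_secret": "s3cr3t",
                          "grant_type": SMS_OTP_GRANT, "phone": "+70000000000", "otp": "482913"}))
    print(token_endpoint({"client_id": "mobile-app", "client_secret": "s3cr3t",
                          "grant_type": "telepathy"}))
```

Two checks in `token_endpoint` are easy to forget when adding a new grant: the per-client allow-list (a partner site should not be able to use a password or OTP grant just because the server supports it), and one-time semantics for codes so that a captured OTP cannot be replayed.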










We run on PostgreSQL and Redis.










The deployment is active-active for the application nodes and active-passive for PostgreSQL and Redis.





This is how WSO2 IS is deployed. Redis holds the JWTs and refresh tokens.





SSO










Or perhaps Tarantool Data Grid?







