A leading fintech company built a modern Authz and Authn platform making it go global and helping it launch new applications as well as seamless partner integrations.
Gravitee APIM and AM, JWT, Java 11+, Spring Boot, Spring Security, AWS, MySQL, Docker, Bitbucket, OAuth 2.0, Swagger, Liquibase, DocumentDB, Vertx, jOOQ
Identity and Access Management
Tide (Tide Platform Limited) is a UK financial technology company providing mobile-first banking services for small and medium-sized enterprises. It enables businesses to set up a current account and get instant access to various financial services (including automated bookkeeping and integrated invoicing).
At present, Tide offers a savings bank account, provided by RBL Bank which is regulated by the Reserve Bank of India (RBI). With over 1 in 20 small business owners in the UK banking with us, we’re ready to go global and empower entrepreneurs just like you.
Since there was an urgency to implement the new Platform, with many new features and services ready to be launched, it was decided that preference would be given to an off-the-shelf product rather than building a solution from scratch. The major challenge in identifying the right product was that it had to support customization to a level where business-specific implementations could be plugged in. Gravitee is an upcoming solution that has an open-source as well as an enterprise version. Gravitee offers both API Management and Access Management solutions, and the great thing about them is their extensibility: we are able to create our own plugins with custom functionality and integrate them easily. The Gravitee API Management solution provides
Similarly, the Access Management solution is also rich in features like
Knoldus built the custom plugins and also worked on the User Management Service and the allied services to build the complete Authentication and Authorization Platform for the fintech.
The details of the major components that constituted the Platform have been described in the next section.
This diagram shows all the key interactions between the APIM Gateway, AM Gateway, user clients, and associated services/infrastructure.
AM Gateway (Access Management Service)
The AM gateway is one of the core components of the Tide platform. The AM gateway is a unified service for access and identity management. The underlying core of the AM Gateway is based on a reverse proxy architecture. The API Gateway routes HTTP web traffic to protected applications, enabling close inspection, transformation, and filtering of each request. For API requests, the AM Gateway can authenticate and authorize users and services connecting to the API gateway, ensuring that protected applications are secured by leveraging OAuth2 and OpenID.
API Management Service
The APIM gateway provides the complete functionality of an API Gateway and API Management; some of its key attributes are API deployments, routing, and providing the necessary proxy settings. The API gateway calls out to the AM Gateway for token introspection.
Custom plugins to enrich the tokens for the APIs
- Service Plugins – Custom plugins are used to handle the incoming requests and process them through the Vertx event handler by invoking the relevant processor.
- Policy Plugin – A custom plugin used to convert the front-end token to relevant backend tokens which are used to access the backend APIs.
User Management Service
- A Spring Boot service for providing support for the management of users and their access to resources. This service accepts the backend tokens and, after verifying them, gives access to the requested API.
- This service deals with the various roles and permissions assigned to the user and acts accordingly.
- This service also interacts with the AM gateway APIs directly.
Amazon DocumentDB is a scalable, highly durable, and fully managed database service for operating mission-critical MongoDB workloads.
Migration of Legacy Users
For migration of the legacy users a JIT (Just In Time) approach was used, which in simple words means migrating a user at the moment they try to access the new system. With this implementation, when a user attempts to log into the application, the user is first looked up on the new platform. If the user is found, they are authenticated against the new user management system: if authentication succeeds, they are let in; otherwise their login is rejected because the credentials are invalid. If the user does not exist on the new platform, the Legacy Mapping data is checked; if the user is present there, the Legacy IDP provider is used to validate the user, and if that authentication succeeds, the user is commissioned in the new Platform.
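The JIT migration decision flow above, written out as an added illustration (this is not Tide's or Knoldus's code): the in-memory user store, legacy mapping, legacy IDP stub and all usernames and passwords are constructed for the example, and the PBKDF2 hashing stands in for whatever the real User Management Service uses. Note the property the flow gives you: once a user exists on the new platform, the legacy IDP is never consulted again for them, so an old legacy password cannot be used to bypass the new store.

```python
import hashlib
import hmac
import os

# Constructed sample data; nothing here comes from the real platform.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)

NEW_USERS = {"alice@example.com": _record("alice-pw")}   # new User Management store
LEGACY_MAPPING = {"bob@example.com": "legacy-4711"}       # new username -> legacy id
LEGACY_IDP = {"legacy-4711": "old-secret"}                # stub for the legacy IDP provider

def new_platform_authenticate(user: str, password: str) -> bool:
    salt, digest = NEW_USERS[user]
    return hmac.compare_digest(digest, _hash(password, salt))

def legacy_idp_validate(legacy_id: str, password: str) -> bool:
    stored = LEGACY_IDP.get(legacy_id)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def commission_user(user: str, password: str) -> None:
    # Provision the user on the new platform with a freshly salted hash.
    NEW_USERS[user] = _record(password)

def jit_login(user: str, password: str) -> str:
    """Return 'ok', 'ok-migrated' or 'rejected' per the JIT migration rules."""
    if user in NEW_USERS:
        # Already on the new platform: only the new store decides, no legacy fallback.
        return "ok" if new_platform_authenticate(user, password) else "rejected"
    legacy_id = LEGACY_MAPPING.get(user)
    if legacy_id is None:
        return "rejected"                 # unknown everywhere
    if not legacy_idp_validate(legacy_id, password):
        return "rejected"                 # legacy credentials wrong: nothing is migrated
    commission_user(user, password)       # first successful legacy login migrates the user
    return "ok-migrated"

if __name__ == "__main__":
    print(jit_login("bob@example.com", "old-secret"))   # ok-migrated
    print(jit_login("bob@example.com", "old-secret"))   # ok (now served by the new store)
```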
The end result was a highly secure, performant, extensible, and scalable new Auth platform, enabling Tide to go global and to launch many new products tailored to multiple markets with zero or minimal effort for AuthN and AuthZ. Having initiated this project in spring 2020, we went live in only two months with 100% production traffic, just as new sign-ups were accelerating due to COVID-19. We were able to accelerate and offer rich multi-user access at the start of 2021, less than a year after the project started.
Some of the key benefits other than the above are given below.
The flexible solution designed by the team enables secure communication between the various components, saving a significant amount of time and money. This has enabled us to become future-ready.