A leading fintech company built a modern AuthZ and AuthN platform, enabling it to go global and to launch new applications as well as seamless partner integrations.
The web access management (WAM) and single sign-on (SSO) that Tide had in place were rudimentary and insufficient for the growing needs of the enterprise, where many new requirements had surfaced: managing access to the enterprise's web APIs, not just its web apps; multifactor authentication; biometrics; integration with third-party partners; and ever-evolving roles and scopes. The system for managing this type of access had a number of challenges
Knoldus worked with Tide on the complete modernization of the legacy web-based access management system, to provide a state-of-the-art AuthZ and AuthN platform for secure communication with external as well as internal systems. We wanted to implement it quickly, and the right way was to use an off-the-shelf system that could be customized to the needs of the company. After much research, we settled on Gravitee APIM and Access Management as the tooling to build the platform.
Since there was urgency to implement the new platform, with many new features and services ready to be launched, it was decided that preference would be given to an off-the-shelf product rather than implementing a solution from scratch. The major challenge in identifying the right product was that it had to support customization to a level where it could accommodate custom implementations relevant to the business. Gravitee is an upcoming solution available in both an open-source and an enterprise version. Gravitee offers both API Management and Access Management solutions, and the great thing about them is their extensibility: we were able to create our own plugins with custom functionality and integrate them easily. The Gravitee API Management solution provides
Similarly, the Access Management solution is also rich in features like
Knoldus started building the custom plugins and also worked on the User Management Service and the allied services to build the complete authentication and authorization platform for the fintech.
The details of the major components that constituted the Platform have been described in the next section.
This diagram shows all the key interactions between the APIM Gateway, AM Gateway, user clients, and associated services/infrastructure.
AM Gateway (Access Management Service)
The AM Gateway is one of the core components of the Tide platform: a unified service for access and identity management. Its underlying core is based on a reverse-proxy architecture. The API Gateway routes HTTP web traffic to protected applications, enabling close inspection, transformation, and filtering of each request. For API requests, the AM Gateway can authenticate and authorize users and services connecting to the API Gateway, ensuring that protected applications are secured by leveraging OAuth2 and OpenID
API Management Service
The APIM Gateway provides the complete functionality of an API gateway and API management; some of its key responsibilities are API deployment, routing, and the necessary proxy settings. The API Gateway calls out to the AM Gateway for token introspection.
Custom plugins to enrich the tokens for the APIs
- Service Plugins – Custom plugins handle the incoming requests and process them through the Vert.x event handler by invoking the relevant processor.
- Policy Plugin – A custom plugin that converts the front-end token to the relevant backend tokens, which are used to access the backend APIs.
User Management Service
- A Spring Boot service providing support for the management of users and their access to resources. This service accepts the backend tokens and, after verifying them, grants access to the requested API.
- This service deals with the various roles and permissions assigned to the user and acts accordingly.
- This service also interacts with the AM gateway APIs directly.
Amazon DocumentDB is a scalable, highly durable, and fully managed database service for operating mission-critical MongoDB workloads.
Migration of Legacy Users
For migrating legacy users, a JIT (Just In Time) approach was used, which in simple words means migrating a user at the moment they try to access the new system. With this implementation, when a user attempts to log in to the application, the user is first looked up on the new platform. If found, the user is authenticated against the new user management system: if authentication succeeds, they are let in; otherwise the login is rejected because the credentials are invalid. If the user does not exist on the new platform, the legacy mapping data is checked; if the user is there, the legacy IDP provider validates the user, and on successful authentication the user is commissioned in the new platform.
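The JIT login decision above, written out as an added example (this is not Tide's, Knoldus's or Gravitee's code). The user store, the legacy mapping (assumed to map a username to its legacy IDP identifier) and the legacy IDP are constructed stand-ins so the flow runs offline.

```python
# Added example: Just-In-Time migration of legacy users on first login.
# NewPlatform, LegacyIdp and the mapping shape are assumptions for this demo.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real user management service uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class NewPlatform:
    """Constructed stand-in for the new user management store."""
    users: dict = field(default_factory=dict)  # username -> (salt, digest)

    def exists(self, username: str) -> bool:
        return username in self.users

    def authenticate(self, username: str, password: str) -> bool:
        salt, digest = self.users[username]
        return hmac.compare_digest(_hash(password, salt), digest)

    def commission(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))


class LegacyIdp:
    """Constructed stand-in for the legacy identity provider."""
    def __init__(self, creds: dict):
        self.creds = creds  # legacy id -> password (demo only)

    def validate(self, legacy_id: str, password: str) -> bool:
        return self.creds.get(legacy_id) == password


def jit_login(username, password, new, legacy_mapping, legacy_idp):
    """Return (allowed, reason), mirroring the JIT flow in the text."""
    if new.exists(username):
        # Already migrated: only the new platform decides. There is no
        # fallback to the legacy IDP, so a bad password cannot be retried there.
        ok = new.authenticate(username, password)
        return ok, "new-platform" if ok else "invalid-credentials"
    if username not in legacy_mapping:
        return False, "unknown-user"
    if not legacy_idp.validate(legacy_mapping[username], password):
        return False, "legacy-rejected"
    new.commission(username, password)  # migrate on first successful login
    return True, "migrated"
```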
The flexible solution designed by the team enables secure communication between the various components, saving a significant amount of time and money. This process has enabled us to become future-ready.
The end result was a highly secure, performant, extensible, and scalable new auth platform, enabling Tide to go global and to launch many new products tailored to multiple markets with zero or minimal effort for AuthN and AuthZ. Having initiated this project in spring 2020, we went live in only two months with 100% of production traffic, just as new sign-ups were accelerating due to COVID-19. We were able to accelerate further and offer rich multi-user access at the start of 2021, less than a year after the initial project started.
Some of the key benefits other than the above are given below