The Secure EduId Invite Proxy is a service that acts as an intermediary between applications and the EduId invitation API. It solves a critical security limitation in the EduId platform, which does not natively support role-based differentiation for API tokens.
In the EduId system, a single API token grants permission to invite users for any role. This proxy service adds a security layer that ensures applications can only invite users with specific roles that are coupled to their respective API tokens.
- Role-Based Token Authorization: Maps specific API tokens to specific roles, ensuring applications can only invite users for their authorized roles
- Request Validation: Validates incoming invitation requests to ensure they contain exactly one role identifier
- Transparent Proxying: Forwards valid requests to the EduId Invitation API with appropriate authentication
- Comprehensive Auditing: Logs all invitation operations with detailed information for security and compliance purposes
- Azure Monitor Integration: Optional integration with Azure Application Insights for monitoring and logging
- Kubernetes Ready: Includes Helm charts for deployment to Kubernetes environments
The solution follows a vertical slice architecture with clear separation between:
- Infrastructure: Configuration, monitoring, and external service connections
- Persistence: Audit logging and data storage
- Presentation: API endpoints and DTOs
The application uses the standard .NET configuration system with the following key sections:
Maps role IDs to their corresponding API tokens:
{
"RoleApiTokens": {
"Tokens": {
"role-id-1": "api-token-for-role-1",
"role-id-2": "api-token-for-role-2"
}
}
}
Configuration for the EduId API:
{
"EduId": {
"BaseUrl": "https://api.eduid.example.com",
"ApiToken": "your-eduid-api-token"
}
}
Configuration for Azure Application Insights:
{
"AzureMonitor": {
"ConnectionString": "your-application-insights-connection-string"
}
}
POST /api/external/v1/invitations
Headers:
X-API-TOKEN
: The API token for the specific role
Request Body:
{
"roleIdentifiers": ["role-id"],
"invites": ["[email protected]", "[email protected]"]
}
Response:
200 OK
: Invitation created successfully400 Bad Request
: Invalid request (e.g., multiple role identifiers)401 Unauthorized
: Invalid API token500 Internal Server Error
: Error from the EduId invitation service
The service can be deployed as a Docker container or to a Kubernetes cluster using the provided Helm charts.
docker build -t secure-eduid-invite-proxy .
docker run -p 8080:80 secure-eduid-invite-proxy
helm install eduidproxy ./charts/eduidproxy
- .NET 9.0 SDK
- Docker (optional)
- Kubernetes and Helm (optional for deployment)
dotnet build
dotnet run --project UvA.SecureEduIdInviteProxy
dotnet test
- API tokens should be kept secure and rotated regularly
- All invitation operations are logged for audit purposes
- The service validates that only one role can be specified per invitation request
- IP addresses of clients are logged for security tracking
[Specify your license here]