
UvA-FNWI/SecureEduIdInviteProxy


Secure EduId Invite Proxy

Overview

The Secure EduId Invite Proxy is a service that acts as an intermediary between applications and the EduId invitation API. It solves a critical security limitation in the EduId platform, which does not natively support role-based differentiation for API tokens.

In the EduId system, a single API token grants permission to invite users for any role. This proxy service adds a security layer that ensures applications can only invite users with specific roles that are coupled to their respective API tokens.

Key Features

  • Role-Based Token Authorization: Maps specific API tokens to specific roles, ensuring applications can only invite users for their authorized roles
  • Request Validation: Validates incoming invitation requests to ensure they contain exactly one role identifier
  • Transparent Proxying: Forwards valid requests to the EduId Invitation API with appropriate authentication
  • Comprehensive Auditing: Logs all invitation operations with detailed information for security and compliance purposes
  • Azure Monitor Integration: Optional integration with Azure Application Insights for monitoring and logging
  • Kubernetes Ready: Includes Helm charts for deployment to Kubernetes environments

Architecture

The solution follows a vertical slice architecture with clear separation between:

  • Infrastructure: Configuration, monitoring, and external service connections
  • Persistence: Audit logging and data storage
  • Presentation: API endpoints and DTOs

Configuration

The application uses the standard .NET configuration system with the following key sections:

Role API Tokens

Maps role IDs to their corresponding API tokens:

{
  "RoleApiTokens": {
    "Tokens": {
      "role-id-1": "api-token-for-role-1",
      "role-id-2": "api-token-for-role-2"
    }
  }
}

EduId Configuration

Configuration for the EduId API:

{
  "EduId": {
    "BaseUrl": "https://api.eduid.example.com",
    "ApiToken": "your-eduid-api-token"
  }
}

Azure Monitor Configuration (Optional)

Configuration for Azure Application Insights:

{
  "AzureMonitor": {
    "ConnectionString": "your-application-insights-connection-string"
  }
}

API Endpoints

Create Invitation

POST /api/external/v1/invitations

Headers:

  • X-API-TOKEN: The API token for the specific role

Request Body:

{
  "roleIdentifiers": ["role-id"],
  "invites": ["[email protected]", "[email protected]"]
}

Response:

  • 200 OK: Invitation created successfully
  • 400 Bad Request: Invalid request (e.g., multiple role identifiers)
  • 401 Unauthorized: Invalid API token
  • 500 Internal Server Error: Error from the EduId invitation service
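
The role and token check behind the 400 and 401 responses, as an added C# example that is not taken from the project's code base. `InviteAuthorizer` and `Decide` are hypothetical names; checking the role count before the token and answering 401 for an unknown role are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added illustration; InviteAuthorizer and Decide are hypothetical names,
// not types from the UvA.SecureEduIdInviteProxy code base.
public static class InviteAuthorizer
{
    // Returns the HTTP status the proxy would answer with before forwarding.
    public static int Decide(
        IReadOnlyDictionary<string, string> roleTokens, // RoleApiTokens:Tokens
        string? presentedToken,                         // X-API-TOKEN header
        IReadOnlyList<string>? roleIdentifiers)         // request body field
    {
        // Exactly one role identifier per request, otherwise 400.
        if (roleIdentifiers is null || roleIdentifiers.Count != 1
            || string.IsNullOrWhiteSpace(roleIdentifiers[0]))
            return 400;

        // Assumption: a missing header, an unknown role and a wrong token all
        // map to 401, so a caller cannot learn which roles are configured.
        if (string.IsNullOrEmpty(presentedToken)
            || !roleTokens.TryGetValue(roleIdentifiers[0], out var expected))
            return 401;

        // Fixed-time comparison for equal-length inputs; the presented token
        // must be the one coupled to the requested role, not just any known token.
        var a = Encoding.UTF8.GetBytes(presentedToken);
        var b = Encoding.UTF8.GetBytes(expected);
        return CryptographicOperations.FixedTimeEquals(a, b) ? 200 : 401;
    }

    public static void Main()
    {
        // Constructed sample values, matching the configuration example.
        var tokens = new Dictionary<string, string>
        {
            ["role-id-1"] = "api-token-for-role-1",
            ["role-id-2"] = "api-token-for-role-2",
        };
        Console.WriteLine(Decide(tokens, "api-token-for-role-1", new[] { "role-id-1" })); // own role
        Console.WriteLine(Decide(tokens, "api-token-for-role-1", new[] { "role-id-2" })); // another role
        Console.WriteLine(Decide(tokens, "api-token-for-role-1", new[] { "role-id-1", "role-id-2" }));
        Console.WriteLine(Decide(tokens, null, new[] { "role-id-1" }));                   // no header
    }
}
```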

Deployment

The service can be deployed as a Docker container or to a Kubernetes cluster using the provided Helm charts.

Docker

docker build -t secure-eduid-invite-proxy .
docker run -p 8080:80 secure-eduid-invite-proxy

Kubernetes (Helm)

helm install eduidproxy ./charts/eduidproxy

Development

Prerequisites

  • .NET 9.0 SDK
  • Docker (optional)
  • Kubernetes and Helm (optional for deployment)

Building

dotnet build

Running

dotnet run --project UvA.SecureEduIdInviteProxy

Testing

dotnet test

Security Considerations

  • API tokens should be kept secure and rotated regularly
  • All invitation operations are logged for audit purposes
  • The service validates that only one role can be specified per invitation request
  • IP addresses of clients are logged for security tracking

License

[Specify your license here]
