updates

Author: stevehu

.nojekyll

@@ -0,0 +1 @@
+This file makes sure that Github Pages doesn't process mdBook's output.

design/authentication-authorization.html

@@ -153,109 +153,127 @@ <h1 class="menu-title">Light Portal Documentation</h1>
                 <div id="content" class="content">
                     <main>
                         <h1 id="authentication--authorization"><a class="header" href="#authentication--authorization">Authentication &amp; Authorization</a></h1>
-<p>Light-Portal is an single page application and it uses both OAuth 2.0 Authorization Code and Client Credentials flows.</p>
-<p>The below pattern depicts the end-to-end flow recommended by the Light Platform when SPA calls downstream APIs.</p>
+<p>Light-Portal is a single-page application (SPA) that utilizes both the OAuth 2.0 Authorization Code and Client Credentials flows.</p>
+<p>The following pattern illustrates the end-to-end process recommended by the Light Platform for an SPA interacting with downstream APIs.</p>
 <h3 id="sequence-diagram"><a class="header" href="#sequence-diagram">Sequence Diagram</a></h3>
+<p>The following is the raw data that can be used to render the diagram in http://www.plantuml.com</p>
 <pre><code>@startuml
 participant "Portal View" as PortalView
 participant "Login View" as LoginView
 participant "Light Gateway" as Gateway
 participant "OAuth-Kafka" as OAuthKafka
 participant "Auth Service" as AuthService
+participant "Proxy Sidecar" as ProxySidecar
 participant "Backend API" as BackendAPI
 
 PortalView -&gt; LoginView: 1. Signin redirect
 LoginView -&gt; OAuthKafka: 2. Authenticate user
-OAuthKafka -&gt; AuthService: 3. Authenticate User\n(Active Directory\nfor Employees)\n(CIF System\nfor Customers)
+OAuthKafka -&gt; AuthService: 3. Authenticate User\n (Active Directory\n for Employees)\n (CIF System\n for Customers)
 AuthService -&gt; OAuthKafka: 4. Authenticated
 OAuthKafka -&gt; OAuthKafka: 5. Generate auth code
 OAuthKafka -&gt; PortalView: 6. Redirect with code
-PortalView -&gt; Gateway: 7. Authorization URL \nwith code param
-Gateway -&gt; OAuthKafka: 8. Create JWT access \ntoken with code
-OAuthKafka -&gt; OAuthKafka: 9. Generate JWT \naccess token \nwith user claims
-OAuthKafka -&gt; Gateway: 10. Token returns \nto Gateway
-Gateway -&gt; PortalView: 11. Token returns \nto Portal View \nin Secure Cookie
+PortalView -&gt; Gateway: 7. Authorization URL \n with code param
+Gateway -&gt; OAuthKafka: 8. Create JWT access \n token with code
+OAuthKafka -&gt; OAuthKafka: 9. Generate JWT \n access token \n with user claims
+OAuthKafka -&gt; Gateway: 10. Token returns \n to Gateway
+Gateway -&gt; PortalView: 11. Token returns \n to Portal View \n in Secure Cookie
 PortalView -&gt; Gateway: 12. Call Backend API
 Gateway -&gt; Gateway: 13. Verify the token
-Gateway -&gt; OAuthKafka: 14. Create Client \nCredentials token
-OAuthKafka -&gt; OAuthKafka: 15. Generate Token \nwith Scopes
-OAuthKafka -&gt; Gateway: 16. Return the \scope token
-Gateway -&gt; Gateway: 17. Add scope \ntoken to \nX-Scope-Token \nHeader
-Gateway -&gt; BackendAPI: 18. Invoke API
-BackendAPI -&gt; BackendAPI: 19. Verify \nAuthorization \ntoken
-BackendAPI -&gt; BackendAPI: 20. Verify \nX-Scope-Token
-BackendAPI -&gt; Gateway: 21. Return response
-Gateway -&gt; PortalView: 22. Return response
+Gateway -&gt; OAuthKafka: 14. Create Client \n Credentials token
+OAuthKafka -&gt; OAuthKafka: 15. Generate Token \n with Scopes
+OAuthKafka -&gt; Gateway: 16. Return the \n scope token
+Gateway -&gt; Gateway: 17. Add scope \n token to \n X-Scope-Token \nHeader
+Gateway -&gt; ProxySidecar: 18. Invoke API
+ProxySidecar -&gt; ProxySidecar: 19. Verify \n Authorization \ntoken
+ProxySidecar -&gt; ProxySidecar: 20. Verify \n X-Scope-Token
+ProxySidecar -&gt; ProxySidecar: 21. Fine-Grained \n Authorization
+ProxySidecar -&gt; BackendAPI: 22. Invoke \n business API
+BackendAPI -&gt; ProxySidecar: 23. Business API \n response
+ProxySidecar -&gt; ProxySidecar: 24. Fine-Grained \n response filter
+ProxySidecar -&gt; Gateway: 25. Return response
+Gateway -&gt; PortalView: 26. Return response
 
 @enduml
 </code></pre>
 <p><img src="authentication-sequence.png" alt="Sequence Diagram" /></p>
 <ol>
 <li>
-<p>When a user hit the website to access the single page application, the Light Gateway will serve the single page application on users browser. By default, the user is not logged in and he/she can only access limited features on the site. If the user want to access more features, he/she can click the user button on the header and click sign in menu. This will allow the browser to redirect from the Portal View to Login View which is served by the same instance of Light Gateway.</p>
+<p>When a user visits the website to access the single-page application (SPA), the Light Gateway serves the SPA to the user's browser. By default, the user is not logged in and can only access limited site features. To unlock additional features, the user can click the <strong>User</strong> button in the header and select the <strong>Sign In</strong> menu. This action redirects the browser from the Portal View to the Login View, both served by the same Light Gateway instance.</p>
 </li>
 <li>
-<p>On the Login View site, he/she can input the username/password or choose Google/Facebook for authentication. Once the Signin form is submitted, the request goes to the Light Gateway with user credentials. The Light Gateway will route the request to the OAuth Kafka service.</p>
+<p>On the Login View page, the user can either input a username and password or choose Google/Facebook for authentication. When the login form is submitted, the request is sent to the Light Gateway with the user's credentials. The Gateway forwards this request to the OAuth Kafka service.</p>
 </li>
 <li>
-<p>OAuth Kafka has many Authenticator implementations that can be used to authenticate the user credential. For example, use the Light Portal user database to authenticate, use Active Directory to authenticate employees or use CIF service to authenticate customers.</p>
+<p>OAuth Kafka supports multiple authenticator implementations to verify user credentials. Examples include authenticating via the Light Portal user database, Active Directory for employees, or CIF service for customers.</p>
 </li>
 <li>
-<p>Once authentication is completed successfully, it will response to the OAuth Kafka with the authentication result.</p>
+<p>Once authentication is successfully completed, the OAuth Kafka responds with the authentication result.</p>
 </li>
 <li>
-<p>Upon successful authentication, OAuth Kafka will generate an authorization code which is a UUID associated to the user profile.</p>
+<p>Upon successful authentication, OAuth Kafka generates an authorization code (a UUID associated with the user's profile).</p>
 </li>
 <li>
-<p>OAuth Kafka redirect the authorization code to the Portal View browser through Gateway.</p>
+<p>OAuth Kafka redirects the authorization code back to the browser at the Portal View via the Gateway.</p>
 </li>
 <li>
-<p>The Portal View single page application doesn't have this redirct route, so that request will be sent to the Gateway with the code as a query parameter.</p>
+<p>Since the Portal View SPA lacks a dedicated redirect route for the authorization code, the browser sends the code as a query parameter in a request to the Gateway.</p>
 </li>
 <li>
-<p>The StatelessAuthHandler on the Gateway will handle the request and send a token request to the OAuth Kafka to get a JWT access token.</p>
+<p>The <code>StatelessAuthHandler</code> in the Gateway processes this request, initiating a token request to OAuth Kafka to obtain a JWT access token.</p>
 </li>
 <li>
-<p>OAuth Kafka will generate an access token with user claims in the JWT custom claims and drop the code as it is used only once.</p>
+<p>OAuth Kafka generates an access token containing user claims in its custom JWT claims. The authorization code is then invalidated, as it is single-use.</p>
 </li>
 <li>
-<p>The authorization code token is returned to the Gateway.</p>
+<p>The access token is returned to the Gateway.</p>
 </li>
 <li>
-<p>The StatelessAuthHandler on the Gateway will put the token into a secure cookie and send to the Portal View.</p>
+<p>The <code>StatelessAuthHandler</code> in the Gateway stores the access token in a secure cookie and sends it back to the Portal View.</p>
 </li>
 <li>
-<p>When Portal View access one of the Backend APIs, it sends the API request to the Gateway with the cookies.</p>
+<p>When the Portal View SPA makes requests to backend APIs, it includes the secure cookie in the API request sent to the Gateway.</p>
 </li>
 <li>
-<p>The StatelessAuthHandler on the Gateway will verify the token in the secure cookie and put it into the Authorization header of the request.</p>
+<p>The <code>StatelessAuthHandler</code> in the Gateway validates the token in the secure cookie and places it in the <code>Authorization</code> header of the outgoing request.</p>
 </li>
 <li>
-<p>Once the token is verified successfully, the TokenHandler on the Gateway will issue a token request to get a client credentials token to the OAuth Kafka based on the path prefix of the API endpoint.</p>
+<p>If the token is successfully validated, the <code>TokenHandler</code> in the Gateway makes a request to OAuth Kafka for a client credentials token, using the path prefix of the API endpoint.</p>
 </li>
 <li>
-<p>OAuth Kafka generate a client credentials token with the scope that can access the downstream service.</p>
+<p>OAuth Kafka generates a client credentials token with the appropriate scope for accessing the downstream service.</p>
 </li>
 <li>
 <p>The client credentials token is returned to the Gateway.</p>
 </li>
 <li>
-<p>The TokenHandler on the Gateway will put this token into X-Scope-Token header of the original request.</p>
+<p>The <code>TokenHandler</code> in the Gateway inserts this token into the <code>X-Scope-Token</code> header of the original request.</p>
 </li>
 <li>
-<p>The Gateway router the original request to the downstream Backend API.</p>
+<p>The Gateway routes the original request, now containing both tokens, to the downstream <code>proxy sidecar</code>of the backend API.</p>
 </li>
 <li>
-<p>The Backend API will verify the Authorization token for the signature and expiration etc.</p>
+<p>The proxy sidecar validates the <code>Authorization</code> token, verifying its signature, expiration, and other attributes.</p>
 </li>
 <li>
-<p>The Backend API will verify the X-Scope-Token for signature, expiration and scope etc.</p>
+<p>The proxy sidecar also validates the <code>X-Scope-Token</code>, ensuring its signature, expiration, and scope are correct.</p>
 </li>
 <li>
-<p>The Backend API retuns the response once both tokens are verified.</p>
+<p>Once both tokens are successfully validated, the proxy sidecar enforces fine-grained authorization rules based on the user's custom security profile contained in the <code>Authorization</code> token.</p>
 </li>
 <li>
-<p>The response returns to the Portal View to render the page.</p>
+<p>If the fine-grained authorization checks are passed, the proxy sidecar forwards the request to the backend API.</p>
+</li>
+<li>
+<p>The backend API processes the request and sends the full response back to the <code>proxy sidecar</code>.</p>
+</li>
+<li>
+<p>The proxy sidecar applies fine-grained filters to the response, reducing the number of rows and/or columns based on the user's security profile or other policies.</p>
+</li>
+<li>
+<p>The proxy sidecar returns the filtered response to the Gateway.</p>
+</li>
+<li>
+<p>The Gateway forwards the response to the Portal View, allowing the SPA to render the page.</p>
 </li>
 </ol>
 

design/authentication-sequence.png

@@ -153,6 +153,35 @@ <h1 class="menu-title">Light Portal Documentation</h1>
                 <div id="content" class="content">
                     <main>
                         <h1 id="fine-grained-authorization"><a class="header" href="#fine-grained-authorization">Fine-Grained Authorization</a></h1>
+<h2 id="what-is-fine-grained-authorization"><a class="header" href="#what-is-fine-grained-authorization">What is Fine-Grained Authorization?</a></h2>
+<p>Fine-grained authorization (FGA) refers to a detailed and precise control mechanism that governs access to resources based on specific attributes, roles, or rules. It's also known as fine-grained access control (FGAC). Unlike coarse-grained authorization, which applies broader access policies (e.g., "Admins can access everything"), fine-grained authorization allows for more specific policies (e.g., "Admins can access user data only if they belong to the same department and the access request is during business hours").</p>
+<h3 id="key-features"><a class="header" href="#key-features">Key Features</a></h3>
+<ul>
+<li><strong>Granular Control</strong>: Policies are defined at a detailed level, considering attributes like user role, resource type, action, time, location, etc.</li>
+<li><strong>Context-Aware</strong>: Takes into account dynamic conditions such as the time of request, user’s location, or other contextual factors.</li>
+<li><strong>Flexible Policies</strong>: Allows the creation of complex, conditional rules tailored to the organization’s needs.</li>
+</ul>
+<h2 id="why-do-we-need-fine-grained-authorization"><a class="header" href="#why-do-we-need-fine-grained-authorization">Why Do We Need Fine-Grained Authorization?</a></h2>
+<h3 id="1-enhanced-security"><a class="header" href="#1-enhanced-security">1. <strong>Enhanced Security</strong></a></h3>
+<p>By limiting access based on detailed criteria, fine-grained authorization minimizes the risk of unauthorized access or data breaches.</p>
+<h3 id="2-regulatory-compliance"><a class="header" href="#2-regulatory-compliance">2. <strong>Regulatory Compliance</strong></a></h3>
+<p>It helps organizations comply with legal and industry-specific regulations (e.g., GDPR, HIPAA) by ensuring sensitive data is only accessible under strict conditions.</p>
+<h3 id="3-minimized-attack-surface"><a class="header" href="#3-minimized-attack-surface">3. <strong>Minimized Attack Surface</strong></a></h3>
+<p>By restricting access to only the required resources and operations, fine-grained authorization reduces the potential impact of insider threats or compromised accounts.</p>
+<h3 id="4-improved-user-experience"><a class="header" href="#4-improved-user-experience">4. <strong>Improved User Experience</strong></a></h3>
+<p>Enables personalized access based on roles and permissions, ensuring users see only what they need, which reduces confusion and improves productivity.</p>
+<h3 id="5-auditing-and-accountability"><a class="header" href="#5-auditing-and-accountability">5. <strong>Auditing and Accountability</strong></a></h3>
+<p>Detailed access logs and policy enforcement make it easier to track and audit who accessed what, when, and why, fostering better accountability.</p>
+<h2 id="examples-of-use-cases"><a class="header" href="#examples-of-use-cases">Examples of Use Cases</a></h2>
+<ul>
+<li><strong>Healthcare</strong>: A doctor can only view records of patients they are treating.</li>
+<li><strong>Government</strong>: A government employee can access to data and documents based on security clearance levels and job roles.</li>
+<li><strong>Finance</strong>: A teller can only access transactions related to their assigned branch.</li>
+<li><strong>Enterprise Software</strong>: Employees can edit documents only if they own them or have been granted editing permissions.</li>
+</ul>
+<h2 id="fine-grained-authorization-in-api-access-control"><a class="header" href="#fine-grained-authorization-in-api-access-control">Fine-Grained Authorization in API Access Control</a></h2>
+<p>In API access control, fine-grained authorization governs how users or systems interact with specific API endpoints, actions, and data. This approach ensures that access permissions are precisely tailored to attributes, roles, and contextual factors, enabling a secure and customized API experience. As the Light Portal is a platform centered on APIs, the remainder of the design will focus on the API access control context.</p>
+<h2 id="requirements"><a class="header" href="#requirements">Requirements</a></h2>
 
                     </main>