Service security
Security is a central consideration of service implementation. The pac4j framework provides protection mechanisms for service endpoint APIs, and authorisation to these endpoints is implemented with OAuth 2.0. The corresponding OAuth access tokens may be generated through the HeartAI integrated identity and access management platform, with which end-users or other services may authenticate using the following identity types:
Identity type | Description | Typical grant type |
---|---|---|
Service principals | Internal service principals, most often used for service-to-service communication | OAuth 2.0 Client Credentials Grant |
Internal end-users | HeartAI system end-users that are managed internal to the HeartAI tenancy. Often these are administrator or developer identities. | OAuth 2.0 Authorization Code Grant |
External end-users | HeartAI system end-users that are managed external to the HeartAI tenancy. Often these are end-users authenticating with their SA Health HAD identity. | OAuth 2.0 Authorization Code Grant |
Further information about the HeartAI identity and access implementation may be found with the following documentation sections:
Service endpoint protection
The following example shows the implementation of `helloSecure()` for the `HelloWorldService`. Here the pac4j framework implements the authorisation method.

```scala
override def helloSecure(
  id: String):
  ServiceCall[NotUsed, Greeting] =
  // pac4j authorizer: the caller's profile must hold at least one of the
  // given roles before the wrapped service call is invoked.
  authorize(
    requireAnyRole[CommonProfile](keycloakAuthGroup), (_: CommonProfile) =>
      ServerServiceCall {
        (requestHeader, _: NotUsed) =>
          // Ask the entity for its greeting and map the reply to the API type.
          val response: Future[Greeting] =
            entityRef(id)
              .ask[StatusReply[GreetingIMPL]](
                replyTo => GreetingCommand(id, replyTo))
              .map(_.getValue.msg)
              .map(message =>
                Greeting(
                  id = id,
                  message = message))
          response
            .map(res =>
              (ResponseHeader.Ok, res))
      })
```
Sensitive information injection
Sensitive information, such as system certificates and secrets, is injectable at runtime into system service environments. Service initiation and runtime currently inject the following sensitive information:
- Keycloak service endpoints
- Keycloak certificates
- PostgreSQL service endpoints
- PostgreSQL certificates
- PostgreSQL credentials
- Kafka service endpoints
- Kafka certificates
- Kafka credentials
- Play certificates
- Play binding addresses
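
A fail-closed startup check for the injected values listed above, as an added example that is not HeartAI's own code. The environment variable names, the assumption that certificates arrive as mounted file paths, and the rule rejecting `http://` endpoints are all hypothetical; the page lists only the categories of injected information.

```scala
import java.nio.file.{Files, Paths}

object InjectedConfigCheck {
  // How each injected value is validated.
  sealed trait Kind
  case object Endpoint extends Kind // host:port, URL or bind address
  case object CertPath extends Kind // assumed: path to a mounted certificate file
  case object Secret extends Kind   // credential value, presence check only

  // Hypothetical variable names, one per category in the list above.
  val required: Seq[(String, Kind)] = Seq(
    "KEYCLOAK_ENDPOINT" -> Endpoint,
    "KEYCLOAK_CERT"     -> CertPath,
    "POSTGRES_ENDPOINT" -> Endpoint,
    "POSTGRES_CERT"     -> CertPath,
    "POSTGRES_PASSWORD" -> Secret,
    "KAFKA_ENDPOINT"    -> Endpoint,
    "KAFKA_CERT"        -> CertPath,
    "KAFKA_PASSWORD"    -> Secret,
    "PLAY_CERT"         -> CertPath,
    "PLAY_BIND_ADDRESS" -> Endpoint)

  /** One message per bad entry. Messages carry variable names only, never
    * values, so a failed start cannot leak a credential into the logs. */
  def problems(env: Map[String, String], readable: String => Boolean): Seq[String] =
    required.flatMap { case (name, kind) =>
      env.get(name).map(_.trim) match {
        case None | Some("") => Some(s"$name: not set")
        case Some(value) =>
          kind match {
            case CertPath if !readable(value) => Some(s"$name: file not readable")
            case Endpoint if value.toLowerCase.startsWith("http://") =>
              Some(s"$name: plaintext scheme")
            case _ => None
          }
      }
    }

  def main(args: Array[String]): Unit = {
    val found = problems(sys.env, path => Files.isReadable(Paths.get(path)))
    found.foreach(msg => System.err.println(s"config check failed: $msg"))
    if (found.nonEmpty) sys.exit(1) // refuse to start with partial configuration
  }
}
```

Because `problems` takes the environment and the readability test as arguments, it can be unit-tested with a constructed `Map` and a stub instead of real secrets.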
Backing service protection
Access control and encryption of data in transit are applied to the following system backing services:
- Keycloak identity and access management platform instances.
- PostgreSQL data servers.
- Apache Kafka message buses.