Service security

Security is a central consideration of service implementation. The pac4j framework provides protection mechanisms for service endpoint APIs, and authorisation to these endpoints is implemented with OAuth 2.0. The corresponding OAuth Access Tokens may be generated through the HeartAI integrated identity and access management platform, through which end-users or other services may authenticate with the following identity types:

| Identity type | Description | Typical grant type |
| --- | --- | --- |
| Service principals | Internal service principals, most often used for service-to-service communication | OAuth 2.0 Client Credentials Grant |
| Internal end-users | HeartAI system end-users that are managed internal to the HeartAI tenancy. Often these are administrator or developer identities. | OAuth 2.0 Authorization Code Grant |
| External end-users | HeartAI system end-users that are managed external to the HeartAI tenancy. Often these are end-users authenticating with their SA Health HAD identity. | OAuth 2.0 Authorization Code Grant |

Identity and access implementation

Further information about the HeartAI identity and access implementation may be found in the following documentation sections:

Service endpoint protection

The following example shows the implementation of helloSecure() for the HelloWorldService. The pac4j authorize wrapper performs the authorisation check: the service call only runs when the caller's profile holds any of the roles in keycloakAuthGroup.

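override def helloSecure(
  id: String):
ServiceCall[NotUsed, Greeting] =
  // pac4j authorisation wraps the whole service call; the inner call is
  // only reached when the authoriser accepts the caller's profile.
  authorize(
    // Accept a profile that holds any role listed in keycloakAuthGroup.
    requireAnyRole[CommonProfile](keycloakAuthGroup), (_: CommonProfile) =>
      ServerServiceCall {
        (requestHeader, _: NotUsed) =>
          // Ask the entity identified by id for its greeting message.
          val response: Future[Greeting] =
            entityRef(id)
              .ask[StatusReply[GreetingIMPL]](
                replyTo => GreetingCommand(id, replyTo))
              .map(_.getValue.msg)
              .map(message =>
                Greeting(
                  id = id,
                  message = message))
          // Pair the greeting with an OK response header.
          response
            .map(res =>
              (ResponseHeader.Ok, res))
      })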

Sensitive information injection

Sensitive information, such as system certificates and secrets, is injected into system service environments at runtime. Service initiation and runtime currently inject the following sensitive information:

  • Keycloak service endpoints
  • Keycloak certificates
  • PostgreSQL service endpoints
  • PostgreSQL certificates
  • PostgreSQL credentials
  • Kafka service endpoints
  • Kafka certificates
  • Kafka credentials
  • Play certificates
  • Play binding addresses
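
The following added example (not HeartAI code) sketches how a service could consume injected values at start-up: it fails closed when a value is absent and keeps credentials out of log output. The variable names, the Settings and Secret types, the sample values and the https requirement for Keycloak are assumptions made for this example.

```scala
object InjectedSettings {
  // Holds a credential; toString is masked so that logging the settings
  // object, or an error that contains it, cannot print the value.
  final class Secret(value: String) {
    def reveal: String = value
    override def toString: String = "Secret(***)"
  }

  final case class Settings(
    keycloakUrl: String,
    postgresUrl: String,
    postgresPassword: Secret,
    kafkaBrokers: String,
    kafkaPassword: Secret)

  // Hypothetical variable names, chosen for this example only.
  private val Required = List(
    "KEYCLOAK_URL", "POSTGRES_URL", "POSTGRES_PASSWORD",
    "KAFKA_BROKERS", "KAFKA_PASSWORD")

  // Reports every problem at once, naming variables but never their values.
  def load(env: Map[String, String]): Either[List[String], Settings] = {
    // Trim surrounding whitespace; blank values count as missing.
    val clean = env.map { case (k, v) => k -> v.trim }.filter(_._2.nonEmpty)
    val missing = Required.filterNot(clean.contains).map(n => s"$n is not set")
    // Assumption of this example: Keycloak is only reached over TLS.
    val insecure = clean.get("KEYCLOAK_URL")
      .filterNot(_.startsWith("https://"))
      .map(_ => "KEYCLOAK_URL must use https").toList
    val problems = missing ++ insecure
    if (problems.nonEmpty) Left(problems)
    else Right(Settings(
      clean("KEYCLOAK_URL"), clean("POSTGRES_URL"),
      new Secret(clean("POSTGRES_PASSWORD")),
      clean("KAFKA_BROKERS"), new Secret(clean("KAFKA_PASSWORD"))))
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample values; a running service would pass sys.env.
    val sample = Map(
      "KEYCLOAK_URL" -> "https://keycloak.example.internal",
      "POSTGRES_URL" -> "jdbc:postgresql://db.example.internal:5432/hello",
      "POSTGRES_PASSWORD" -> "constructed-password",
      "KAFKA_BROKERS" -> "kafka.example.internal:9093",
      "KAFKA_PASSWORD" -> "constructed-password")
    println(load(sample))
    println(load(sample - "KAFKA_PASSWORD" + ("KEYCLOAK_URL" -> "http://keycloak.example.internal")))
  }
}
```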

Backing service protection

Access control and encryption of data in transit are applied to the following system backing services: