Tax Balance heavily relies on the Portal application provided by AMANA.
Authentication
Authentication is perfomed performed via OAuth 2.0 protocol. The Portal application provides mechanisms to authenticate the user, e.g., with username and password or with SAML 2.0 (SSO).
After a successfull successful authentication, the portal creates an OAuth Access Token 2.0 access tokens in JSON Web Token (JWT) format and returns it to Tax Balance. Tax Balance Web application stores the access token in browser session and appends it to each request to the Tax Balance Ressource Server resource server (API).
This is a sample request with an authorization header:
Code Block | theme | RDark
---|
GET /api/demo HTTP/1.1 Authorization: Bearer S0VLU0UhIExFQ0tFUiEKeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c |
Authorization in Tax Balance
Tax Balance resource server (in other words: API or backend server) performs an authorization for each incoming request. It extracts the user ID from the OAuth access token and calculates whether the request is allowed for the user based on the stored role and permission definition. If this is not the case, an HTTP status code 403 is returned.
Managing user, roles and permissions
The portal application is responsible for managing the users, roles and permissions. It provides a graphical user interface to perform these tasks. Therefore, most of the related data is stored in the portal. However, as of the design of a centralized management for individual permissions of each application (e.g., Tax Balance) and individual constrains when assigning roles to a user, some data are also or exclusively stored in Tax Balance.
Following data is stored in the Portal application and Tax Balance:
Portal | Tax Balance | |
---|---|---|
Roles | Database table
| Database table
|
| |
Permissions for role | Database table
|
| Database table
|
| ||
Role to user assignments | Database table
| Database table
|
|
The above-mentioned data gets distributed to Tax Balance when specific data ingestion occurs in Portal application. This is the case when a portal user performs the following activities:
Create or update permission definition for a role
Create of update the assignment of a role to a user
The activity is performed when the user hits a button with the label "Save" (in german "Speichern").