Portal application
Tax Balance heavily relies on the Portal application provided by AMANA.
Authentication
Authentication is performed via OAuth 2.0 protocol. The Portal application provides mechanisms to authenticate the user, e.g., with username and password or with SAML 2.0 (SSO).
After a successful authentication, the portal creates an OAuth 2.0 access tokens in JSON Web Token (JWT) format and returns it to Tax Balance. Tax Balance Web application stores the access token in browser session and appends it to each request to the Tax Balance resource server (API).
This is a sample request with an authorization header:
GET /api/demo HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Authorization in Tax Balance
Tax Balance resource server (in other words: API or backend server) performs an authorization for each incoming request. It extracts the user ID from the OAuth access token and calculates whether the request is allowed for the user based on the stored role and permission definition. If this is not the case, an HTTP status code 403 is returned.
Managing user, roles and permissions
The portal application is responsible for managing the users, roles and permissions. It provides a graphical user interface to perform these tasks. Therefore, most of the related data is stored in the portal. However, as of the design of a centralized management for individual permissions of each application (e.g., Tax Balance) and individual constrains when assigning roles to a user, some data are also or exclusively stored in Tax Balance.
Following data is stored in the Portal application and Tax Balance:
Portal | Tax Balance | |
---|---|---|
Roles | Database table
| Database table
|
Permissions for role | Database table
| Database table
|
Role to user assignments | Database table
| Database table
|
The above-mentioned data gets distributed to Tax Balance when specific data ingestion occurs in Portal application. This is the case when a portal user performs the following activities:
Create or update permission definition for a role
Create of update the assignment of a role to a user
The activity is performed when the user hits a button with the label "Save" (in german "Speichern").