The Single Record Token introduced for MOSIP integration comms with event-registration may not provide enough scope to countries #8767

Open
euanmillar opened this issue Feb 25, 2025 · 0 comments

euanmillar (Collaborator) commented Feb 25, 2025

Describe the improvement

Countries can customise the countryconfig /event-registration endpoint in order to customise the BRN. Tonga wish their BRN to be incremental, a sequence (001, 002, 003...), and they wish to do this by searching the OpenCRVS database in the /event-registration endpoint.

The IET team advised the SI to have a database in country config where they could store each BRN as it is created, then they could search this DB in order to increment the next one. We advised that this DB would have to be persistent and backed up. A volume could be created that the countryconfig container has access to via docker-compose, and the backup and restore of that DB could be configured independently by editing the backup/restore scripts.

But the SI found it easier to use the Registrar's JWT to search existing records using the Record Search API rather than create the database.

Recently, in this PR, the token that is used to communicate with the /event-registration endpoint has been refactored so that it only has scope necessary for the MOSIP integration. It appears logical but now restricts this SI to have to do one of the following:

1. Implement the database approach as previously recommended
2. Create a system client that is able to perform a record search. Save the client_id and client_secret as GitHub secret env vars in the relevant GitHub environment and send them to the countryconfig microservice in docker-compose for the environment. Then you can authenticate as a record search client using that token in order to search core in /event-registration.

Pitch

We understand that all record searches of OpenCRVS must be audited. We are looking for any recommendations on how to proceed. Would it be possible to add any other scopes to the token, or would that be a bad idea from a security standpoint?

We understand that other countries have implemented incremental BRNs and wonder how their approaches may or may not be affected.

Which feature of OpenCRVS does your enhancement concern?

/event-registration customisable API for customising the BRN

To understand the problem

  1. Login as a Registrar and register an event
  2. In the /event-registration endpoint attempt to use the Record Search API using the token received in the headers. Notice that it fails.

OpenCRVS Core Version:

  • v1.7.0 (Git branch: release-v1.1.0)

Country Configuration Version:

  • v1.7.0 (Git branch: release-v1.7.0)
@euanmillar euanmillar added the Bug label Feb 25, 2025
@euanmillar euanmillar added this to the v1.7.0 milestone Feb 25, 2025
@euanmillar euanmillar modified the milestones: v1.7.0, IET Candidates Feb 25, 2025
@euanmillar euanmillar changed the title from "The Single Record Token introduced for MOSIP integration comms with event-registration doesnt provide enough scope to countries" to "The Single Record Token introduced for MOSIP integration comms with event-registration may not provide enough scope to countries" Feb 25, 2025
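The choice the issue describes, between reusing the token received in the request headers and authenticating as a dedicated search client, sketched as an added example that is not part of the original issue or of OpenCRVS code. It assumes the token is a compact JWT with a `scope` claim; the scope names, the environment variable names and the function names are hypothetical.

```javascript
// Added example (not OpenCRVS code). Assumptions: the bearer token is a compact
// JWT with a `scope` claim; scope and env-var names below are hypothetical.
const SEARCH_SCOPE = 'recordsearch' // assumed name of the record-search scope

function decodePayload(token) {
  const parts = String(token).split('.')
  if (parts.length !== 3) throw new Error('not a compact JWT')
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'))
}

// Accept either an array claim or a space-delimited string claim.
function tokenScopes(token) {
  const { scope } = decodePayload(token)
  if (Array.isArray(scope)) return scope.map(String)
  if (typeof scope === 'string') return scope.split(/\s+/).filter(Boolean)
  return []
}

// Decide which credential the handler may use for a record search.
// The payload is read WITHOUT verifying the signature, so the result is only
// a routing hint; the search API still has to validate and audit the call.
function chooseSearchCredential(authorizationHeader, env) {
  const token = String(authorizationHeader || '').replace(/^Bearer\s+/i, '')
  let scopes = []
  try {
    scopes = tokenScopes(token)
  } catch {
    scopes = [] // malformed token: treat as carrying no scope (fail closed)
  }
  if (scopes.includes(SEARCH_SCOPE)) return { use: 'request-token', scopes }
  if (env.SEARCH_CLIENT_ID && env.SEARCH_CLIENT_SECRET) {
    return { use: 'system-client', scopes } // option 2 in the issue
  }
  return { use: 'none', scopes } // no search possible: use a local BRN store
}

// Constructed sample tokens (placeholder signature, for illustration only).
function sampleToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url')
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(payload)}.constructed-signature`
}
const narrowToken = sampleToken({ scope: ['placeholder.single-record'] })
const searchToken = sampleToken({ scope: ['recordsearch'] })
```

Keeping the search credential separate from the per-request token means the narrowly scoped token stays narrow, and every search is attributable to one named system client in the audit trail.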
Projects
Status: Backlog