
Integration Reference Architecture

This page describes a reference model for integrating an application that manages resources with the Authorization Service API / New Resource Portal.
An example implementation of the custom components (frontend and backends for the management of resources) is available in the Banana Service reference project on GitLab.

Components

The reference model consists of a frontend and a backend for managing the custom resources. They interact with the Authorization Service to notify it of the creation of new resources and to be notified about lifecycle events.
In this diagram, the backend is split into two distinct components (endpoints) for clarity, but the two can be combined in a practical implementation. The Banana Service backend in the example implementation exposes the two endpoints from the same web application.

Your Frontend

This is the application that users access to create new resources and perform the resource-specific management operations, e.g. manage the quota of a workspace or DB schema, take a backup of a virtual machine and so on.

The application should be configured in SSO so that it can only be accessed by users who are subscribed to your application (or during the subscription grace period, if configured).

This application will most likely be registered to SSO as a public client (no client secret), and will call your backend "application endpoint" using the logged-in user's credentials.

Your Backend (Application endpoint)

This is the endpoint that your frontend calls to perform the actual operations of creating and managing resources in your service (create a new virtual machine, increase the quota of a storage workspace).

This endpoint calls the Authorization Service API using its own client ID and secret to inform it of the creation and deletion of resources, so that the Authorization Service can start tracking the resource's lifecycle.

Since this application needs a client ID and secret, it should be registered to SSO as a separate application.

Your Backend (Lifecycle endpoint)

This is the endpoint in your backend that is called by the Authorization Service API when a lifecycle event occurs:

  • Update the owner of a resource
  • Update the administrators group of a resource
  • Change a resource's state as it progresses through a lifecycle

Sequence diagrams

User creates a new resource

This sequence diagram shows the list of operations that need to take place when a user creates a new resource.

This is a more detailed view, including authentication details.