Leading Fintech company builds a modern Authz and Authn platform
We started building the custom plugins and also worked on the User Management Service and the allied services to build the complete AuthZ and AuthN platform.
Tide (Tide Platform Limited) is a UK financial technology company providing mobile-first banking services for small and medium-sized enterprises. It enables businesses to set up a current account and get instant access to various financial services (including automated bookkeeping and integrated invoicing).
At present, Tide offers a savings bank account provided by RBL Bank, which is regulated by the Reserve Bank of India (RBI). With over 1 in 20 small business owners in the UK banking with us, we’re ready to go global and empower entrepreneurs just like you.
- State-of-the-Art Security and compliance infrastructure provided to customers.
- Usage of standard protocols (OAuth 2.0, OpenID Connect, UMA 2.0, and Open Banking) to ensure interoperability with all enterprise tools.
The web access management (WAM) and single sign-on (SSO) system Tide had in place was rudimentary. It was insufficient for the growing needs of the enterprise, where many new requirements had surfaced: managing access to the enterprise’s web APIs and not just its web apps, multi-factor authentication, biometrics, integration with third-party partners, and ever-evolving roles and scopes. The system for managing this type of access had several challenges:
- Modifying or enabling the current WAM solution to provide API security would have been unfriendly to developers, complex, expensive, and likely proprietary. Mobile clients were struggling to deal with XML-based and SOAP-based security mechanisms. Enterprise IT struggled to deploy agents or proxies.
- Since it was getting overly complex to centralize access authorization, we found too much authorization code in applications, which slows service delivery by forcing developers to redevelop authorization logic, as well as hindering effective auditing and policy administration.
- We needed to support features that were not available with the current solution like Multifactor Authentication, Biometrics, dynamic scopes, etc.
- Since Tide is a fintech it was of paramount importance to have the best security mechanisms available which were not possible with the current system.
- The current solution made a lot of simplifying assumptions about how users authenticate (typically username and password into a web app). But with new mobile applications for customers, other device types, and increasing strong-authentication needs, the old assumptions were no longer viable.
- There was a need for different authentication and authorization journeys for users based on their roles in the organization, their classification (internal or external users), and the kind of application: Marketplace vendor applications, internal web and mobile applications, 3rd party apps, and partner applications.
- And the most important one was that we should rely on standard protocols to ensure interoperability with our enterprise tools.
NashTech worked with Tide on the complete modernization of the legacy web-based access management system to provide a state-of-the-art AuthZ and AuthN platform for secure communication with external as well as internal systems. We wanted to implement it quickly, and the right way was to use an off-the-shelf system that could be customized according to the company’s needs. After much research, we settled on the Gravitee APIM and Access Management solution as the requisite tooling to build the platform.
Since there was an urgency to implement the new platform, with many new features and services ready to be launched, preference was given to an off-the-shelf product rather than implementing a solution from scratch. The major challenge in identifying the right product was that it had to support customization to a level where it could accommodate custom implementations relevant to the business. Gravitee is an up-and-coming solution that has both an open-source and an enterprise version. Gravitee offers both API Management and Access Management solutions, and the great thing about them is their extensibility: we are able to create our own plugins with custom functionality and integrate them easily. The Gravitee API Management solution provides:
- Rich Open Source functionality
- High flexibility and scalability
- API, Access and Identity Management all in one place, with the ability to build, manage and monitor intuitively and quickly.
Similarly, the Access Management solution is also rich in features, such as:
- Access Security: Control and secure enterprise data with industry-standard protocols such as OpenID Connect, OAuth 2.0 and JWT.
- Multi-factor authentication – Enforce security and convenience by adding extra authentication factors.
- Passwordless and WebAuthn – Secure your apps and APIs with industry best-practice security using biometrics, tokens, and further passwordless auth mechanisms.
NashTech started building the custom plugins and also worked on the User Management Service and the allied services to build the complete Authentication and Authorization Platform for the fintech.
The details of the major components that constituted the Platform have been described in the next section.
This diagram shows all the key interactions between the APIM Gateway, AM Gateway, user clients, and associated services/infrastructure.
AM Gateway (Access Management Service)
The AM gateway is one of the core components of the Tide platform. It is a unified service for access and identity management. The underlying core of the AM Gateway is based on a reverse proxy architecture. The gateway routes HTTP web traffic to protected applications, enabling close inspection, transformation, and filtering of each request. For API requests, the AM Gateway can authenticate and authorize users and services connecting to the API gateway, ensuring that protected applications are secured by leveraging OAuth2 and OpenID Connect.
API Management Service
The APIM gateway provides the complete functionality of an API Gateway and API Management; some of its key attributes are API deployment, routing, and the necessary proxy settings. The API gateway calls out to the AM Gateway for token introspection.
Custom plugins to enrich the tokens for the APIs
- Service Plugins – Custom plugins used to handle incoming requests and process them through the Vert.x event handler by invoking the relevant processor.
- Policy Plugin – A custom plugin used to convert the front-end token to relevant backend tokens which are used to access the backend APIs.
User Management Service
A Spring Boot service for providing support for the management of users and their access to resources. This service accepts the backend tokens and, after verifying them, gives access to the requested API.
- This service deals with the various roles and permissions assigned to the user and acts accordingly.
- This service also interacts with the AM gateway APIs directly.
Amazon DocumentDB is a scalable, highly durable, and fully managed database service for operating mission-critical MongoDB workloads.
Migration of Legacy Users
For the migration of legacy users, a JIT (Just In Time) approach was used, which in simple words means migrating a user at the moment they try to access the new system. With this implementation, when a user attempts to log in to the application, the user is first looked up on the new platform. If found, the user is authenticated against the new user management system: if authentication succeeds, they are let in; otherwise their login is rejected because the credentials are invalid. If the user does not exist on the new platform, the legacy mapping data is checked; if the user is present there, the legacy IdP is used to validate them, and if that authentication succeeds, the user is commissioned in the new platform.
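The JIT decision flow described above, as an added Python example that is not Tide's or NashTech's code: the in-memory user store, the legacy IdP stub and all credential values are constructed, and rejecting a user who is absent from both the new store and the legacy mapping is an assumption the text does not spell out.

```python
import hashlib
import hmac
import os
from enum import Enum

class LoginResult(Enum):
    OK = "authenticated"
    OK_MIGRATED = "authenticated and commissioned in new platform"
    REJECTED = "invalid credentials"
    UNKNOWN = "user unknown to both platforms"

def _hash(password, salt):
    # Slow salted hash for the new platform's credential store (constructed choice)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class NewUserStore:
    """Stand-in for the new user management service."""
    def __init__(self):
        self._users = {}  # username -> (salt, hash)
    def exists(self, user):
        return user in self._users
    def verify(self, user, password):
        salt, digest = self._users[user]
        return hmac.compare_digest(_hash(password, salt), digest)
    def create(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(password, salt))

class LegacyIdp:
    """Stand-in for the legacy IdP; it only answers valid-or-not."""
    def __init__(self, creds):
        self._creds = creds  # legacy id -> password (constructed sample)
    def authenticate(self, legacy_id, password):
        expected = self._creds.get(legacy_id)
        return expected is not None and hmac.compare_digest(expected, password)

def jit_login(user, password, new_store, legacy_mapping, legacy_idp):
    """Decision flow from the text: new store first, then legacy mapping and IdP."""
    if new_store.exists(user):
        return LoginResult.OK if new_store.verify(user, password) else LoginResult.REJECTED
    legacy_id = legacy_mapping.get(user)  # assumption: unmapped users are rejected
    if legacy_id is None:
        return LoginResult.UNKNOWN
    if not legacy_idp.authenticate(legacy_id, password):
        return LoginResult.REJECTED
    new_store.create(user, password)  # commission the user in the new platform
    return LoginResult.OK_MIGRATED
```

A failed legacy authentication leaves the new store untouched, so a wrong guess never creates a half-migrated account.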
The end result was a highly secure, performant, extensible, and scalable new auth platform, enabling Tide to go global and to launch many new products tailored to multiple markets with zero or minimal effort for AuthN and AuthZ. Having initiated this project in spring 2020, we went live in only two months with 100% production traffic, just as new sign-ups were accelerating due to COVID-19. We were able to accelerate and offer rich multi-user access at the start of 2021, less than a year after the initial project started.
Some of the key benefits other than the above are given below.
- Enhanced the customer experience with feature upgrades.
- State-of-the-art security infrastructure provided to customers.
- 200% increase in the number of users.
- Biometrics and Multifactor Authentication fully supported.
- Tailored and Multiple User Journey flows for various applications.
- Minimum downtimes, increased resilience, and better service quality
- Credential setup for users invited by the primary account holder
- Login for those users on devices where they have credentials (including additional data capture on consent)
- Login for those users on new devices
- Enriching tokens at the API GW via token introspection
- Authentication of all users of the Tide platform, including primary account holders.
- A richer model of roles/permissions
- Account-level access controls
- Self-service credential management and user profile management
- Setting up new users from scratch
- New types of users like marketplace vendors and partner organizations.
“The flexible solution designed by the team enables secured communication between the various components saving a significant amount of time and money. This process has enabled us to become future-ready.”