This article discusses authentication and authorization in the ConnectID Service. It describes the current procedure for obtaining the credentials needed to execute different actions with the ConnectID Service.



Since Delivery 3, use of the FIFA Connect ID Service is restricted to logged-in users (authentication). Additionally, only users with certain permissions can execute actions or view the data (authorization). Both authentication and authorization are based on Azure Active Directory (AAD).

Shortcut

If you need access to any of the modules of the Connect ID Service, contact the Connect ID Support team (support.id@fifa.org) and specify the following:

  • module(s) you need access to (e.g. Swagger)
  • your first & last name. This is needed to create a Microsoft account in our Active Directory. Not required for SDK access.
  • Member Association you represent

To use the SDK, you will receive a service account (clientID and secretKey) to use in your code.

Access to Swagger

Accessing Swagger (REST API with documentation) in the Beta environment does not require authentication. To test methods (execute any actions), however, you need to be logged in.

Ask the AAD Administrator to provide you with a user account. You also need to specify your MA, because your user must be granted permissions to modify the data for a specific MA. As an example:

  • in order to add an Active, Football registration to a German MA, you will need to have a user account belonging to an AAD group created specifically for German MA 

 

  • in order to receive a message from the German queue in Service Bus, you will need to have a user account belonging to an AAD group created specifically for German MA.
    NOTE: if a user belongs to multiple MAs, it will not be possible to invoke receive methods, because Service Bus cannot unambiguously determine which queue to read. This behaviour does not affect SDK usage, because an SDK client always belongs to a single organization.

 

Access to Admin Console

The same user account that is used for Swagger access should be used to view data in Admin Console. As of the beginning of August, there is no authentication implemented; that is, if a user is granted permissions to access Admin Console, they can see all the data.

Usage of the ConnectID SDK

In order to use the SDK you will need to know the following:

  • clientID
  • secretKey
  • your Member Association unique ID (UID)

ClientID and secretKey need to be provided in order to authenticate your service account with AAD. This is done once, in a single method; the SDK documentation specifies the details of the implementation.

In AAD, your service account is bound to a specific Member Association. Unless you are a super user, you will only be able to register persons (or modify their data) from your association. For more details about the rules, see Registration and transfer rules.

MA UID will become useful as some of the methods require OrganizationID as a parameter (e.g. AddRegistration).

Usage of the Service Bus SDK

As of the beginning of August, Service Bus is the last remaining module which can be used without authentication. This will change when the following issue is developed and released to the Beta environment: FCI-210 - 11.9 - As a Registration System I want to be authenticated in AAD so that only I can receive messages directed to me, and other MAs know who sent them a message (asynchronous communication) (status: DONE).

The current implementation (not yet released to the Beta environment) requires authentication for all API methods in the Service Bus SDK. As with the Connect ID SDK, you will need to know the following:

  • clientID
  • secretKey
  • your Member Association unique ID (UID).

Additionally, authorization rules on Service Bus allow receiving only from the queue of your Member Association. There is no longer a parameter with which the SDK client can choose the queue to receive messages from.
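
The sketch below models the two authorization rules described above: the MA-scoped write permission from the Swagger and ConnectID SDK sections, and the receive queue that is derived from the caller's identity in the Service Bus sections. It is an added example, not code from the ConnectID or Service Bus SDK; the group names, MA UIDs, queue naming and function names are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: AAD group name -> Member Association UID.
# Group names, UIDs and queue names are hypothetical, not ConnectID values.
MA_GROUPS = {"grp-ma-germany": "MA-DE", "grp-ma-france": "MA-FR"}
SUPER_USER_GROUP = "grp-super-users"


class AuthorizationError(Exception):
    """Raised when the principal's group membership does not permit the action."""


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset


def member_associations(principal):
    """Return the sorted MA UIDs that the principal's AAD groups map to."""
    return sorted({MA_GROUPS[g] for g in principal.groups if g in MA_GROUPS})


def can_modify(principal, organization_id):
    """Write check: super users may touch any MA, others only their own."""
    if SUPER_USER_GROUP in principal.groups:
        return True
    return organization_id in member_associations(principal)


def resolve_receive_queue(principal):
    """Derive the queue from identity; the caller never passes a queue name."""
    mas = member_associations(principal)
    if not mas:
        raise AuthorizationError(f"{principal.name}: no Member Association group")
    if len(mas) > 1:
        # Ambiguous membership: refuse rather than guess which queue to read.
        raise AuthorizationError(f"{principal.name}: ambiguous MAs {mas}")
    return f"queue-{mas[0]}"


if __name__ == "__main__":
    german = Principal("svc-de", frozenset({"grp-ma-germany"}))
    both = Principal("user-multi", frozenset({"grp-ma-germany", "grp-ma-france"}))
    print(can_modify(german, "MA-DE"), can_modify(german, "MA-FR"))
    print(resolve_receive_queue(german))
    try:
        resolve_receive_queue(both)
    except AuthorizationError as exc:
        print("denied:", exc)
```

Because the receive function takes no queue argument, a caller cannot ask for another association's queue; the only inputs are the group memberships that AAD asserts.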