Junior Software Engineer Intern

Designed, developed, and documented an OAuth 2 and X-ROAD powered multi-tenant IAM application.

Company
Junior Software Engineer Intern

Design, Development, and Documentation of a Multi-Tenant IAM Application Powered by .NET, Blazor, OAuth 2, and X-ROAD

This project involved the end-to-end design, development, and comprehensive documentation of a multi-tenant Identity and Access Management (IAM) application. The application was built using the .NET development platform with a Blazor user interface and leveraged the industry-standard OAuth 2 protocol for authentication and authorization, alongside integration with the X-ROAD data exchange layer.

Core Functionality:

The primary goal of this application was to provide a centralized system for managing user identities and controlling access to resources across multiple distinct organizations or "tenants" within a single deployment. This included features typically found in IAM solutions, such as:

  • User registration and management.
  • Authentication (verifying user identity).
  • Authorization (determining user permissions and access levels).
  • Role-based access control.
  • Potentially, features like multi-factor authentication (MFA) and single sign-on (SSO).

Technology Stack:

  • Backend: Developed using .NET, likely leveraging ASP.NET Core for building robust and scalable backend services, including APIs for frontend communication and handling identity logic.
  • Frontend: Built with Blazor, a .NET framework for building interactive client-side web UIs with C#. This choice allowed for a unified development approach using C# for both frontend and backend, potentially simplifying development and improving performance through WebAssembly or leveraging Blazor Server's capabilities.
  • Authentication and Authorization: Implemented using the OAuth 2 framework. This involved setting up the application as an OAuth 2 provider (Authorization Server) to issue access tokens and manage user consent, and/or as an OAuth 2 client to interact with external identity providers. This provides a secure and standardized way for users to authenticate and for the application to manage permissions.
  • Data Exchange Layer: Integration with X-ROAD, a secure and standardized data exchange layer used in several e-governance solutions. This integration enabled the IAM application to securely exchange data with other information systems connected to the X-ROAD network.

Technical Details and Implementation:

  • Multi-Tenancy: Implementing multi-tenancy required careful consideration of data isolation and configuration management. Common approaches in .NET include:
    • Database-per-tenant: Each tenant has its own dedicated database for maximum isolation.
    • Shared database, separate schemas: All tenants share a database, but each has its own set of tables within distinct schemas.
    • Shared database, shared schema with a tenant identifier: A single database and schema are used, with each table including a tenant ID column to filter data. The chosen approach would have involved implementing a mechanism to identify the current tenant based on the request context (e.g., subdomain, path, or a custom header) and ensuring that all data access and operations were correctly scoped to that tenant.
  • OAuth 2 Implementation: This likely involved using .NET's built-in authentication and authorization middleware, potentially augmented with libraries like IdentityServer (now Duende Identity Server) to act as a dedicated OpenID Connect and OAuth 2 framework. This would have entailed configuring clients, resources, scopes, and managing the token issuance and validation processes.
  • X-ROAD Integration: Interfacing with X-ROAD requires adherence to its specific protocols and security measures. This would have involved developing or using adapters to format and exchange messages according to X-ROAD specifications, ensuring secure communication and data integrity through mechanisms like digital signatures and encryption. Understanding X-ROAD's security server concept and message exchange patterns was crucial.
  • Blazor Application Architecture: The Blazor application would have been structured to interact with the .NET backend APIs for all identity and access management operations. This involved creating Blazor components for user interfaces (login, registration, profile management, etc.) and utilizing Blazor's capabilities for managing state and handling user interactions.
  • Documentation: Comprehensive technical documentation was a key part of the project. This would have included:
    • Architecture documentation outlining the multi-tenant design, technology stack, and data flow.
    • API documentation (potentially using Swagger/OpenAPI) detailing the available endpoints and data models.
    • Developer documentation explaining how to integrate with the IAM application and its APIs.
    • Deployment and configuration guides for setting up and managing the application for different tenants.

Challenges and Solutions:

Developing a multi-tenant IAM application with these technologies presented several technical challenges, including:

  • Data Isolation and Security: Ensuring strict data separation between tenants was paramount, requiring careful implementation of data access logic and security measures.
  • Scalability: Designing the application to handle a growing number of tenants and users efficiently.
  • Integration Complexity: Successfully integrating OAuth 2 and X-ROAD, each with their own specifications and requirements.
  • Configuration Management: Managing tenant-specific configurations (e.g., branding, external identity provider settings) in a flexible and secure manner.
  • Testing: Developing comprehensive testing strategies to cover multi-tenant scenarios, security vulnerabilities, and integration points.

These challenges were addressed through careful architectural design, adherence to security best practices, leveraging the capabilities of the .NET ecosystem and chosen libraries, and thorough testing throughout the development lifecycle.

This project delivered a robust and secure multi-tenant IAM solution, capable of managing identities and access across various organizations while seamlessly integrating with external systems via OAuth 2 and the X-ROAD infrastructure. The use of .NET and Blazor provided a modern and efficient development framework for building this complex application.