Summary
Overview of Authentication (who you are), Authorisation (what you can do), and Accounting (what you did) with Moneyhub.
Authentication, Authorisation and Accounting (AAA)
Authentication
Authentication verifies who you are. It is the process of confirming a user's identity. Think of it like showing your ID to get into a building.
Authorisation
Authorisation determines what you can do. After your identity is confirmed, this process decides which resources or actions you are permitted to access. This process is similar to a security guard checking your badge level to determine which floors you're allowed on.
Accounting
Accounting records what you did. The system documents the actions you take so that a reviewer can tie a change in the system back to the actions you took. This process is similar to the sign-in sheet at the front desk of the building.
How does this work with Moneyhub?
📋 Summary Table
| Pillar | Core Features & Protocols |
|---|---|
| Authentication | mTLS supported, OIDC‑based, discovery metadata, private_key_jwt, JWKS support |
| Authorisation | Signed claims, scopes (user:delete, caas:transactions:read) |
| Accounting | Rate limiting, correlation ID tokens for auditing, error/log handling as standard, usage reporting and billing. |
🔐 Authentication
- mTLS supported: Moneyhub offers mTLS for securing communication to and from its interfaces.
- Built on OpenID Connect (OIDC): Moneyhub provides an OpenID Connect compliant interface (FAPI profiles). Discovery metadata is available at https://identity.moneyhub.co.uk/oidc/.well-known/openid-configuration.
- Token Endpoint & Grant Types:
  - The /oidc/token endpoint supports client_credentials grants to minimise credential exposure.
- Authentication methods:
  - private_key_jwt (required for production) involves constructing a signed JWT as the client_assertion, with claims such as iss, sub, aud, jti, iat, and exp ([Moneyhub Enterprise Documentation][1]).
- JWKS Support & Key Rotation:
  - Moneyhub expects clients to register their own JWKS endpoint or URI. Moneyhub uses the JWKS to validate signed client assertions and to facilitate key rotation without downtime.
- OAuth 2.0 and federated IdP SSO logins:
  - The Admin Portal supports logins from federated identity providers, allowing SSO access to the service.
✅ Authorisation
- API Scopes:
  - API scopes define data permissions (user:delete, caas:transactions:read, etc.), minimising the access granted to any one access token.
- Kafka ACLs:
  - Ensure that only the correct Kafka client can read from and write to a Kafka topic.
- Client Configuration Requirements:
  - For a production client:
    - Must use private_key_jwt.
    - Use a pre-shared JWKS, or host a public JWKS on their own infrastructure and share its URI.
- Admin Portal supports RBAC and PBAC:
  - When configured with a federated IdP using groups, this is an automated process that supports dynamic permissions.
🧾 Accounting (Error Handling & Logging)
- Rate limiting:
  - There is a default rate limit for API requests and quotas for Kafka producing and fetching. These limits should not impact day-to-day operations or even peak throughput, but they protect against malicious or poorly optimised software.
- Auditing:
  - All actions in the Admin Portal are audited and support our watchdog processes.
  - API requests are audited and reviewed for non-authorised actions.
  - Kafka topic usage is logged and reviewed for unusual actions.
- Error Handling & Monitoring:
  - All error codes follow the standard OAuth 2.0/OIDC specs (invalid_request, unauthorized_client, access_denied, etc.).
  - Clients can access an error log in the Admin Portal that tracks API authentication/configuration issues.
  - Moneyhub can supply Kafka event error logs, and some outcome stats are available in the Admin Portal.
