Authentication, Authorisation and Accounting (AAA)

Authentication

Verifies who you are. It's the process of confirming a user's identity. Think of it like showing your ID to get into a building.

Authorisation

Authorisation determines what you can do. After your identity is confirmed, this process decides which resources or actions you are permitted to access. This process is similar to a security guard checking your badge level to determine which floors you're allowed on.

Accounting

Accounting determines what you did. Ensuring that a system documents any actions you do take so that a reviewer can tie a change in the system to the actions you took. This process is similar to the sign-in sheet at the front desk of the building.

How does this work with Moneyhub?

📋 Summary Table

Pillar	Core Features & Protocols
Authentication	mTLS supported, OIDC‑based, discovery metadata, `private_key_jwt`, JWKS support
Authorisation	Signed claims, scopes (`user:delete`, `caas:transactions:read`)
Accounting	Rate limiting, correlation ID tokens for auditing, error/log handling as standard, usage reporting and billing.

🔐 Authentication

mTLS supported: Moneyhub offers mTLS for securing communication to and from its interfaces
Built on OpenID Connect (OIDC): Moneyhub provides an OpenID Connect – compliant interface (FAPI profiles). Discovery metadata is available at https://identity.moneyhub.co.uk/oidc/.well-known/openid-configuration.
Token Endpoint & Grant Types:
- /oidc/token endpoint supports client_credentials grants to minimise credential exposure.
- Authentication methods:
  - private_key_jwt (required for production) — involves constructing a signed JWT as client_assertion with claims such as iss, sub, aud, jti, iat, and exp ([Moneyhub Enterprise Documentation][1]).
JWKS Support & Key Rotation:
- Moneyhub expects clients to register their own JWKS endpoint or URI. Moneyhub uses the JWKS to validate signed client assertions and facilitate key rotation without downtime.
OAuth2.0 and federated IdP SSO logins:
- The Admin Portal supports logins from federated identity providers, allowing SSO access to the service.

✅ Authorisation

API Scopes:
- API Scopes define data permissions (user:delete, caas:transactions:read, etc.), minimising the access of any one access token.
KafkaACLs:
- Ensure that only the correct Kafka client can read and write to Kafka topic.
Client Configuration Requirements:
- For a production client:
  - Must use private_key_jwt
  - Use a pre-shared JWKS or host a public JWKS on their infrastructure and share its URI.
Admin Portal supportsRBAC and PBAC:
- When configured with a Federated IdP using groups, this is an automated process to support dynamic permissions.

🧾 Accounting (Error Handling & Logging)

Rate limiting:
- There is a default rate limit for API requests and quotas for Kafka producing and fetching. These limits should not impact day-to-day operations or even peak throughput, but protect against malicious or poorly optimised software.
Auditing:
- All actions in Admin Portal are audited and supports our watchdog processes
- API requests are audited and reviewed for non-authorised actions.
- Kafka topics usage is logged and reviewed for unusual actions.
Error Handling & Monitoring:
- All error codes follow the standard OAuth2.0/OIDC specs (invalid_request, unauthorized_client, access_denied, etc.).
- Clients can access an error log in the Admin Portal that tracks API authentication/configuration issues.
- Moneyhub can supply Kafka event error logs, and there are some outcome stats available in the Admin Portal