The Google Club Unified Access System (UAS) employs a structured architecture to manage authentication, authorization, and identity services. The system consists of two primary services, a shared database, and client interfaces designed for both users and admins, providing a secure, cohesive experience.
- CAS (Central Authentication Service)
  - Purpose: CAS handles authentication, issuing and verifying JWTs (JSON Web Tokens) for secure token-based authentication.
  - Features:
    - Fast Access to Authorities: CAS provides quick access to user authorities, ensuring low latency.
    - Cache & Authority Control: Caches user authorities to reduce load on the database and optimize performance.
  - Technology: Built with Express.js for lightweight and efficient operation.
- ICS (Identity Control Service)
  - Purpose: ICS focuses on managing identity and access control for both users and administrators.
  - Features:
    - Access Management: Configures and verifies authorities for integrated applications, with database checks to ensure accurate permissions.
    - Comprehensive Identity Management: Manages user profiles, permissions, and administrative controls.
  - Technology: Developed with Spring Boot for robust backend support and efficient data handling.
Both CAS and ICS utilize a centralized Accounts Database (PostgreSQL), storing essential user data and access control information with durability and security:
- Account Information: Holds user profiles and core account data.
- Access Authorities: Manages permissions across Google Club applications to ensure unified, up-to-date access control.
The system includes two main Angular-based clients to allow users and administrators complete control over their accounts and permissions within Google Club:
- AMWC (Account Manager Web Client)
  - Audience: End-users.
  - Purpose:
    - Control over account details.
    - View authorities.
    - Single Sign-On (SSO) access across the ecosystem.
- ACWC (Accounts Console Web Client)
  - Audience: Administrators.
  - Purpose:
    - Identity verification, account management, and authority controls.
    - Granting, revoking, and managing permissions.
    - Analyzing user data and trends.
Each service has dedicated APIs to facilitate requests and operations across the UAS system:
- ICS API Endpoints (a Postman collection of the ICS endpoints is available)
  - Health check and account self-service endpoints
    - `GET /health-check` - Health check for the server.
    - `POST /create-account` - Create a new account.
    - `POST /request-reset-password` - Request a password reset.
    - `POST /reset-password-with-token` - Reset password using a token.
    - `POST /request-email-verification` - Request email verification.
    - `GET /verify-email-with-token` - Verify email with a token.
    - `GET /get-my-account` - Retrieve personal account information.
    - `POST /change-my-password` - Change account password.
    - `PUT /update-my-account` - Update personal account information.
    - `DELETE /delete-my-account` - Delete the account.
  - Account administration endpoints
    - `GET /search-accounts` - Search for accounts.
    - `GET /get-account-by-id` - Get account details by ID.
    - `POST /edit-authorities` - Edit account authorities.
    - `POST /toggle-verify-identity` - Toggle identity verification status.
    - `POST /toggle-membership` - Toggle membership status.
    - `POST /lock-account` - Lock an account.
  - Role endpoints
    - `GET /search-roles` - Search for roles.
    - `POST /create-role` - Create a new role.
    - `GET /get-role-by-id` - Get role details by ID.
    - `POST /edit-role` - Edit an existing role.
    - `DELETE /delete-role` - Delete a role.
  - Permission endpoints
    - `GET /search-permissions` - Search for permissions.
    - `POST /create-permission` - Create a new permission.
    - `GET /get-permission-by-id` - Get permission details by ID.
    - `DELETE /delete-permission` - Delete a permission.
- CAS API Endpoints (a Postman collection of the CAS endpoints is available)
  - Health check
    - `GET /health-check` - Health check for the service.
  - Cache endpoints
    - `GET /get-all-accounts-ids-in-cache` - Retrieve all account IDs from cache.
    - `GET /get-account-cached-authorities` - Get cached authorities of an account.
    - `DELETE /clear-all-accounts-cache` - Clear the cache for all accounts.
    - `DELETE /clear-account-cache` - Clear the cache for a specific account.
  - Token and authority endpoints
    - `POST /generate-jwt-token` - Generate a JWT token (login).
    - `GET /get-authorities` - Retrieve authorities for an account.
    - `GET /verify-token` - Verify the validity of a token.
The UAS architecture supports smooth communication between the CAS, ICS, the shared database, and client interfaces. This integrated design supports real-time updates and centralized control over identity and access management.
"The integration of CAS, ICS, and the Accounts Database, along with client interfaces, creates a secure, scalable, and efficient UAS ecosystem for the Google Club."
Currently managed by Wassim Rached.