Low code trends and the new workflow management

The recent flood of articles discussing the way that Low-Code is changing the landscape of development have 2 key elements:

  • Low-Code is now clearly emerging as one of those enormous waves in tech, that will change the way that things are done across business and IT development moving forward. For both tech companies and non-tech companies (because everybody is technology driven).
  • In the future, it is really how these tools are used in unison with the company’s “Pro-Code” developers. Which is the real business problem to be riffed on and solved! 

What does the new development environment that includes “Citizen Developers” look like? How will they interact with IT Departments and the Pro-Code developers?

Will Low-code replace Pro-code?

Up front we’d like to point out the answer here is something we are sure of. This will in no way reduce the demand or work for Pro-Code developers.

There is compelling economic reasoning for this. As while it is true that all companies want to save costs, we are in an increasing world of digital transformation, where every business is in reality, a tech business. 

So the one area where you cannot start with cost saving, is technology. Companies will always be in a technology race to the leading/bleeding edge with their competition. That edge will always require having the best Pro-Code people you can get, as they provide the competitive advantage. 

Paradoxically this means if you have that, you also need the best Low-Code resources for two reasons:

  1. Low-Code enhances the output of your Pro-Code work force, doing vital but repetitive, non-challenging tasks. Speed means less hours, more output, and we all get that.
  2. These are considerable the other benefits, beyond cost savings. One of which is the morale & job satisfaction of the Dev team. Developers universally report that in their ideal work environments, they want to be working on important and challenging tasks. Where they have the best chance of learning things along the way.

So Low-Code can reduce the time they spend on these less interesting tasks. Because you can’t make the tasks go away. The answer is to use a tool that lets you get more done in less time.

More accuracy and happier teams

The hidden part of all this is the organisation’s abilities to utilise No-Code/Low-Code and adapt to it.

In terms of moral & satisfaction, there is clear evidence that the most onerous of tasks are the organisational ones. Like storing names & levels of permission on an API, in the case of ApiOpenStudio. These often have a high cognitive load because they require high concentration but they are in no way interesting. Low-Code solutions come with User Interfaces and Dashboards and these reduce cognitive load and risk in these tasks by making the tasks simpler and providing ways of validating your entries are correct and making the editing/deleting of changes easy. So there are huge benefits in day-to-day operations.

Learning a new technology and skill can also be fun. As we know, the primary driver for nearly all employees and their job satisfaction are:

  • Confidence in the leadership team.
    • Implementing Low-Code in a balanced way will demonstrate that the leadership have a forward-thinking mentality.
  • The employee is valued.
    • Providing training in the new technology and processes will show that the business wants to keep them and invest them.
  • Satisfaction with daily tasks.
    • The employee will feel more satisfaction through more responsibility and seeing their work being visibly used.
  • Learning and growth.
    • We all want to grow and extend out knowledge and usefulness, with the additional benefits of making us more desirable to employees.

(InfoSurv Research 2012, What Are the 4 Top Drivers of Employee Satisfaction in 2012?, viewed 17 October 2021, https://www.infosurv.com/what-are-the-4-top-drivers-of-employee-satisfaction-in-2012/):

Governance

With the decision to introduce Low-Code platforms, your first issue should be governance and compliance.

Your “Citizen Developers” and Project Managers should start to deepen their communication and feedback loops. Most importantly, non-technical people have to really feel they can come to the experts with the most basic questions, even if it is just to check they are on track. This is all new to them and they are not professionals in this sphere.

Because deep, first-hand knowledge of requirements is another advantage that citizen developers brings to the table. It’s worth noting that their approach will usually be decided on the functionality that they want. The effects on governance or the rest of the architecture are normally the furthest from their minds.

So from a Project Management perspective, clear leadership is needed right at the start in setting out the processes needed on the project. So that features and functionality are plumbed in properly.

Communication

There needs to be clear communication between the citizen and Pro-Code developers (usually via the Project Manager), but this can also be direct. This will ensure that any requirements between the two teams are met and no-one is adding useless things to the system, or features that will slow down the system performance.

Once you have initiated a communications format between citizen developers and the development team, then testing and documentation can be mapped out.

Documentation

A clearly written and easy to access set of documents will be required by both your citizen developers and all levels of the development team.

This will ensure that:

  • Onboarding is quick and easy for citizen developers and they can quickly find answers to any questions that they have, without feeling overloaded by technical answers.
  • Managers and project management have access to sources of truth that enable them to answer any questions.
  • The Pro-Code developers are aware of the Low-Code systems and how they interact with their work.
  • Leaders of the development team can easily find a broad overview of the different systems, the interaction between them and the processes that have been implemented to govern them.

Quality assurance

Depending on the complexity of the No-Code solutions and their impact on the rest of the technology, it is very likely that extra guard-rails will have to be introduced. This will probably involve QA (quality assurance), the ability to import and export configuration, and the release cycles.

Even if the output of the citizen developers is content (for example: pages in a blog or CMS), there should be systems in place to accomodate proof reading and validating the look and feel on different devices. There are additional complexities here, if the content that the citizen developers create is all in a database and cannot be imported/exported – where will this be tested, how will it be released? Although this issue is usually solved by that specific technology’s community, time should be spent looking at the different solutions proposed to find the best solution for your organisation.

In the case of complex No-Code solutions that interact with the output from the development team, then these need to go through the full QA feedback loop. QA can then validate that the existing functionality is not broken and that the new functionality works as expected and different systems interact as expected.

What is important, is that that the development team should reach out to the management of the Citizen Developers, so that they can have the discussion with them about compliance and governance & how they must comply with the IT departments direction (and vice versa). This is often an issue in companies, where people directly report in their department, and are in effect silo’d from the other departments.

Moving into the era of Low-Code/No-Code enhanced Companies. 

The organisations that are going to maximise the benefits of this new wave, should already be initiating broad company-wide conversations. These will range deeply across all levels of the organisation. From the way that Pro-Coder work days and productivity will be enhanced to evaluating the advantages and disadvantages of implementing Low-Code solutions for specific tasks.

This will even permeate as far as hiring & the HR Dept. As you look to harvest the advantages of onboarding people in traditional roles that have these additional skills, or incentives for current employees who wish to acquire No-Code or even Low-Code capability. 

This is the conversation of the future for all companies that will succeed in this new era!

A Deep Dive into JWT Tokens in ApiOpenStudio Auth

Introduction

After a ton of work, over the next week or two we will be introducing JWT tokens for authentication in ApiOpenStudio.

This will:

  • Significantly increase the speed of resource requests.
  • Make individual transactions stateless.
  • Maintain the granular access rights to resources, based on the user’s access rights, the resource’s holding account & application, and of course the resource itself.
  • Ensure viability and ease for enterprise clients to use 3rd party authorisation services.

This article will take a look into the JWT specification, current practices and how it is used in ApiOpenStudio.

Rationale

While trying to optimise the authentication DB queries that are performed before the resource was processed, we came to the realisation that the queries were quite long and involved the joining of multiple tables and had several sub-queries so that the query could take into account our extensive range of access rights, like Administrators, Account managers, Applications Managers, Developers and Consumers. Although this would obviously be faster in a production environment, this was causing 1-2 seconds additional processing time to calls in development environments…

Because this had to be calculated every time a resource was called!

The solution was to introduce stateless authorisation, in the form of JWT tokens.

JWT is rapidly becoming the industry standard for authentication and JWT tokens have what are called Claims, which are individual name/value pairs within the body of the token and the token itself is encrypted and secure, which means that sensitive data can be securely included in the token and thus means that the user’s roles and permissions can be included as a claim and only need to be fetched once (during the JWT token GET call).

In addition, JWT tokens have a TTL, which means that we do not need to store a bearer token in the DB against each user (use that to fetch the user that each time a request is received) – because if the token is valid, then there is no need to fetch the user and check the bearer token TTL.

Here are some scenarios where JSON Web Tokens are useful:

Authorisation: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.

Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn’t been tampered with.

auth0.com, JSON Web Token Introduction – jwt.io, viewed 1 September 2021, https://jwt.io/introduction.

How does JWT work?

Pronunciation

Before we start, for a bit of fun I’d like to set the record straight. I’m not one of those boring “absolutists” who insist that GIF should be pronounced “JIF”, even though the original creator of the tech obviously could not spell when he declared that was the pronunciation. But many people are driving me bananas, by mispronouncing JWT: just pronounce it as “JOT”, it’s also easier to say than the most common variant “Jay-Dubbyah-Tee” (this is not a relative to a former US president).

The suggested pronunciation of JWT is the same as the English word “jot”.

Jones M, Microsoft, Bradley J, Ping Identity, Sakimura N, NRI 2020, JSON Web Token (JWT), Internet Engineering Task Force (IETF), viewed 1 September 2021, https://datatracker.ietf.org/doc/html/rfc7519#section-1.

JWT overview

Now for the technical stuff…

JWTs represent a set of claims as a JSON object that is encoded in a
JWS and/or JWE structure. This JSON object is the JWT Claims Set.
As per Section 4 of RFC 7159 [RFC7159], the JSON object consists of
zero or more name/value pairs (or members), where the names are
strings and the values are arbitrary JSON values. These members are
the claims represented by the JWT. This JSON object MAY contain
whitespace and/or line breaks before or after any JSON values or
structural characters, in accordance with Section 2 of RFC 7159
[RFC7159].


The member names within the JWT Claims Set are referred to as Claim
Names. The corresponding values are referred to as Claim Values.
The contents of the JOSE Header describe the cryptographic operations
applied to the JWT Claims Set. If the JOSE Header is for a JWS, the
JWT is represented as a JWS and the claims are digitally signed or
MACed, with the JWT Claims Set being the JWS Payload. If the JOSE
Header is for a JWE, the JWT is represented as a JWE and the claims
are encrypted, with the JWT Claims Set being the plaintext encrypted
by the JWE. A JWT may be enclosed in another JWE or JWS structure to
create a Nested JWT, enabling nested signing and encryption to be
performed.


A JWT is represented as a sequence of URL-safe parts separated by
period (‘.’) characters. Each part contains a base64url-encoded
value. The number of parts in the JWT is dependent upon the
representation of the resulting JWS using the JWS Compact
Serialization or JWE using the JWE Compact Serialization.

Jones M, Microsoft, Bradley J, Ping Identity, Sakimura N, NRI 2020, JSON Web Token (JWT), Internet Engineering Task Force (IETF), viewed 1 September 2021, https://datatracker.ietf.org/doc/html/rfc7519#section-3

What does this mean?

A token is comprised of 3 parts, the header, payload and signature.

The header of the token defines the cryptography applied to the payload, and the payload is a JSON structure, that is encoded in JWS (Base64 encoded) or JWE (encrypted).

JWS is less secure since it is only a Base64 encoded JSON, and this means it is not suitable in our case. Because the token will carry authentication data for access to the resource and Base64 encoding is different to encryption – it is relatively trivial to decode.

JWE is more suitable to our case, because the JSON payload is encrypted (as defined in the header), and the JWT token keys are stored securely on the on the ApiOpenStudio server, so only the API server can decrypt the body.

There are multiple encryption standards available, and in our case we are using the fantastic lcobucci-jwt library, which is sponsored by one of the leading Authorisation services: Auth0. This provides support for many, many symmetric and asymmetric algorithms.

We have not implemented symmetric algorithms (these are less secure and are the same key for encryption and decryption), so with asymmetric algorithms, the public key can be used by any clients, and the public/private keys are stored in a secure location on the ApiOpenStudio server.

JWT token structure

In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature

Therefore, a JWT typically looks like the following.

xxxxx.yyyyy.zzzzz

Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

For example:

{
  "alg": "RSA256",
  "typ": "JWT"
}

Then, this JSON is Base64Url encoded to form the first part of the JWT.

Payload

The second part of the token is the payload, which contains the claims. There are three types of claims: registeredpublic, and private claims.

  • Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience). Notice that the claim names are only three characters long as JWT is meant to be compact.
  • Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.
  • Private claims: These are the custom claims created to share information between parties that agree on using them and are neither registered or public claims.

An example payload could be:

{
  "iss": "my.apiopenstudio.com",
  "sub": "1234567890",
  "name": "John Dory",
  "admin": true
}

The payload is then Base64Url encoded to form the second part of the JSON Web Token.

Signature

To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

The signature is used to verify the message wasn’t changed along the way, and in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.

Using JWT tokens

The final xxxxx.yyyyy.zzzzz token is sent in the request as a bearer token in the request header, e.g.:

Authorization: Bearer <token>

When the request is received by the API server, it will first confirm that the token is valid, checking it can be decrypted, the issuer, expiry date and mandatory claims.

If this all passes, the processing can continue, otherwise a 401 error response is sent and the client will need to generate a new token, using the provided core token request (auth/token) and resend the request with the token that was received.

From a processes POV, this is exactly the same as before. However, as mentioned, we are using asymmetric encoding, so we can include data in the token payload that means that ApiOpenStudio does not need too fetch user data in order to validate the user’s permissions against the resource. That only needs to be fetched once – when the token is generated.

Minor issue (caveat)

The original authorisation tokens were stateful, i.e. the token was stored against the user, along with the TTL for the token. This meant that if a user was banned, deleted or made inactive, they would instantly not be able to make any further API requests, due to either the users not being present/active anymore, or the token was no longer valid.

JWT tokens are stateless. This means that if a user has a valid token, they can still use it until it expires regardless of whether they are made inactive or deleted (they would only be prevented from fetching a fresh token).

This can be mitigated by setting a global jwt_life of less than 1 hour (the default), however this needs to be balanced against the increase in requests, since a lower token TTL will lead to more requests due to tokens frequently passing their expiry date more frequently.

Another mitigation for extreme cases can be to add the IP address of the client to the blacklist – this will prevent all future calls from that location, immediately.

3rd party authorisation integration

Because the token requires certain client data to be present, the user details and roles will need to be accessible by the authorisation provider, so that they can generate a valid body. Thankfully, most reputable providers allow you to upload these details to your account with them, and also provide ways to ensure that these details are always current and up to date.

You will need to ensure that the following mandatory claims:

  • iss – JWT issuer (your auth provider)
  • aud – permitted for (your api)
  • iat – JWT issued time
  • exp – JWT expiry time

The following ctsom claims are also included

  • uid – user ID
  • roles – complete list of roles and accounts/applications that the user is associated with

The roles object

This is in the JSON object format of:

roles: [
    {
        "role_name": <role_machine_name>,
        "accid": <account_id>,
        "appid": <application_id>
    }
]

For example:

roles: [
    {
        "role_name": "administrator",
        "accid": null,
        "appid": null
    },
    {
        "role_name": "consumer",
        "accid": 34,
        "appid": 5
    },
    {
        "role_name": "developer",
        "accid": 34,
        "appid": 5
    },
    ....
]

Note that:

  • “administrator” does not require accid or appid
  • “account_manager” does not require appid

Summary

We’re really excited to be implementing this technology, seeing the decrease in resource processing time, increasing the security of the API, and making it even easier for enterprise scale users to implement ApiOpenStudio on a large scale.

I’ll be honest with you too, it was really good fun to implement, and we totally got a total nerd-on, doing the research and coding for this!

Increased security and speed with JWT tokens

Current dev work is almost complete for implementing authorisation with JWT token for all resources! This will be part of the upcoming Beta release.

The ticket can be viewed in Gitlab.

This will replace the existing alpha version of a custom token and token TTL for each user in the user table.

It is quite important to note, before we move on, that JWT tokens are a different thing to oauth2, implicit grant, explicit grant, application grant and PKSE authorisation flow. JWT is only a standard for tokens. If you need to implement oauth2 or other similar workflows this is separate from the JWT implementation.

The problem

The problem with the former approach, was that resource requests had to make DB calls to the user, user_roles, roles, account and application tables in order to verify user permissions to that particular resource, FOR EVERY API CALL. This obviously negatively impacted performance for API calls.

This also meant that authorisation was not easily scalable to authorisation servers for enterprise implementation, because the implementation of the token and authorisation for API calls was tightly coupled to the ApiOpenStudio database and several of its tables.

The solution

Although the former approach was stateful (it maintained login state, so users could login and out), the stateless JWT token approach means that the token does not need to be stored in the database. The downside of stateless JWT tokens, is that there is no logout state. So if a user’s access is revoked, they will still have access to resources until their current token goes stale.

However, this can be mitigated by making the JWT token lifetime short in the ApiOpenStudio configuration.

Each JWT token contains custom claims for user ID and all roles that that user has. So when the initial request is received by ApiOpenStudio, it just decrypts the token and validates the user’s roles against the resources account/application and permissible user roles (i.e. Does the current user have the required role access to the account & application?).

Knock-on effects

The following processors have been retired:

  • user_login.
  • user_logout.

Nearly all core resources have been updated use the new processors:

  • generate_token (generate a valid JWT token for a user, with custom claims: uid, user roles).
  • validate_token (validate the Authorization token as a valild JWT token).
  • validate_token_roles ((validate the Authorization token as a valild JWT token and also validation the user has the correct role permissions for the resource).
  • bearer_token (not used by core atm, but preserved for any processors that need access to the bearer token).

Processors have been optimised, now that they do not need to do any pre-validation on who can do what – this is left to the core resource definitions.

Tests are updated to incorporate the changes, and also now have multiple test users with different roles.

The good news

Not only has this significantly improved the API response time, it has now made the API much more scalable for enterprise. We communicated and researched several major 3rd party authorisation services, including auth0, to make sure that the decision to move to JWT tokens and custom claims would still be viable if a 3rd party auth server was used.

Most 3rd party authorisation services implement linking into external databases, so that would take the heat off the api server for token generation, and allow the token generation to be completely decoupled from ApiOpenStudio. This will be the subject of a future post.

WP Twitter Auto Publish Powered By : XYZScripts.com
Social media & sharing icons powered by UltimatelySocial
RSS
LinkedIn
Share
WhatsApp