
External users authentication

Simon Nebesnuick edited this page Oct 21, 2024 · 3 revisions

Legal senders are authenticated by proving that they have, and can read mail at, a CJSM email account. Once authenticated, we issue our own JWT authentication token.

Context

We received a non-negotiable requirement that legal senders would be authenticated by proving they have a CJSM email account.

The main driver was to trust the CJSM onboarding/offboarding process rather than creating our own (which would have been very resource intensive).

We approached HMPPS Auth to see if we could add CJSM as a trusted authentication provider but this didn't fit with their strategic goals. They suggested we roll our own authentication solution.

Decision

We decided to implement a custom authentication solution and issue our own JWT auth tokens. As part of the login process, legal senders are sent a one-time passcode by email to their CJSM address, which they enter to log in to the service. CJSM requires a mutual TLS (mTLS) handshake between parties in order to send and receive mail between users, so the passcode email has to be sent from a mail service that can complete that handshake.


Consequences

We manage a set of private/public keys in each environment that are used to sign our JWTs. These keys should be rotated periodically; the README has instructions on how to regenerate them.

We have a custom user role (SLM_CREATE_BARCODE) that we assign to legal senders. Normally roles live in HMPPS Auth or DPS, but legal senders don't interact with either, so the role lives in this application only.
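The following is an added example, not code from this project: a Go sketch of the login flow described in the Decision and Consequences above. It issues a one-time passcode (stored only as a hash, with an expiry, checked in constant time and burned on first use) and, once the passcode is accepted, signs a JWT carrying the SLM_CREATE_BARCODE role with a per-environment key pair and verifies it with the public half. Everything not stated on this page is an assumption: ES256 as the signature algorithm, "authorities" as the roles claim name, the 10-minute passcode and one-hour token lifetimes, the in-memory store, and the constructed CJSM address used in the test.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// otpEntry records one emailed passcode; only its hash is stored, so a leaked table exposes no live codes.
type otpEntry struct {
	hash    [32]byte
	expires time.Time
}

var otps = map[string]*otpEntry{} // stand-in for the real store (assumption), keyed by CJSM address
var enc = base64.RawURLEncoding   // JWS uses unpadded base64url

// newSigningKey generates a per-environment P-256 key pair (the curve is an assumption; the page only says a key pair).
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// issueOTP draws an unbiased 6-digit code from the CSPRNG and stores its hash with a 10-minute lifetime (assumed).
func issueOTP(email string, now time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	otps[email] = &otpEntry{hash: sha256.Sum256([]byte(email + ":" + code)), expires: now.Add(10 * time.Minute)}
	return code, nil
}

// verifyOTP accepts a code only if one is outstanding, unexpired and equal in constant
// time; success deletes the record so the same code cannot be replayed.
func verifyOTP(email, code string, now time.Time) bool {
	e, ok := otps[email]
	h := sha256.Sum256([]byte(email + ":" + code))
	if !ok || !now.Before(e.expires) || subtle.ConstantTimeCompare(h[:], e.hash[:]) != 1 {
		return false
	}
	delete(otps, email)
	return true
}

// claims is the payload we issue; naming the roles claim "authorities" is an assumption.
type claims struct {
	Sub         string   `json:"sub"`
	Authorities []string `json:"authorities"`
	Exp         int64    `json:"exp"`
}

// issueJWT signs an ES256 token granting SLM_CREATE_BARCODE with the environment's private key (one-hour lifetime assumed).
func issueJWT(key *ecdsa.PrivateKey, email string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(claims{Sub: email, Authorities: []string{"SLM_CREATE_BARCODE"}, Exp: now.Add(time.Hour).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS wants r||s, each left-padded to 32 bytes (RFC 7518 s3.4), not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyJWT pins the algorithm to ES256 (the token never chooses it), checks the signature, then the claims.
func verifyJWT(pub *ecdsa.PublicKey, token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := enc.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("malformed token or unsupported alg")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var c claims
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil || now.Unix() >= c.Exp {
		return nil, errors.New("bad payload or expired token")
	}
	return &c, nil
}
```

Two points the sketch is built around: the verifier hard-codes the algorithm rather than reading it from the token, so an `alg: none` or HMAC-with-public-key token is rejected before any signature check; and verification needs only the public half of the key pair, so when the per-environment keys are regenerated as described in the README, the new public key has to reach every verifier and tokens signed under the old key stop validating once it is dropped.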

Use of Google for sending mail

As part of the login process, legal senders are sent a one-time passcode to enable them to log in. We have used a Google account ([email protected]) to send the one-time passcodes, because Google's mail service supports the mTLS handshake required by CJSM. We created Google 'App passwords' to give the application programmatic access to send the emails.

In 2025, MOJ Digital will be retiring the Google accounts, so we need an alternative approach.

Move to using GOV.UK Notify

CJSM requires a mutual TLS (mTLS) handshake between parties in order to send and receive mail between users, and GOV.UK Notify does NOT perform that handshake itself, which is why it was not originally an option.

However, in October 2024 we were informed that the CJSM team had improved integration with the GOV.UK Notify platform. The CJSM service now intercepts mail coming from GOV.UK Notify and performs the mTLS handshake.

With the retirement of the MOJ Google account, we need to move to using GOV.UK Notify.