External APIs to interact with other systems - department-of-veterans-affairs/abd-vro GitHub Wiki

About External APIs to interact with other systems

Currently VRO supports JWT auth tokens, API auth keys, and mutual TLS for connecting to LHDI. These are described in the links below.

Because the JWT Bearer token secures both internal micro-service and external API communication, VRO disables CSRF protection: its services and endpoints are only accessed by non-browser clients, so there is no browser-held session cookie for a cross-site request to ride on. This is in line with LHDI's documentation and recommendations as described in the Snyk Starter Kit Guide. Tenants of the VRO platform interact with VRO's backend services through RabbitMQ, using the Advanced Message Queuing Protocol (AMQP) in a server-to-server exchange. In this sense, tenants create and maintain their own authorization and their own notion of a user session. The SecurityConfig.java class defines a securityFilterChain that describes the behavior of the JWT lifecycle.
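The following Spring Security configuration is an added illustration of the pattern described above; it is not the contents of VRO's own SecurityConfig.java. It shows the two settings that belong together when CSRF protection is switched off for a JWT-only API: the filter chain is declared stateless (so no session cookie is ever issued for a cross-site request to abuse) and every request must carry a valid bearer JWT. The class name, the permitted health-check path, and the assumption that issuer/JWKS settings come from the standard `spring.security.oauth2.resourceserver.jwt.*` properties are all hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Example (not VRO's real SecurityConfig.java): a stateless, JWT-only
 * filter chain in which disabling CSRF is safe because no browser session
 * cookie is ever created.
 */
@Configuration
@EnableWebSecurity
public class ExampleJwtSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // CSRF protection only defends endpoints that a browser can reach with
            // automatically attached credentials (session cookies). Every caller here
            // presents a JWT in the Authorization header, so CSRF tokens add nothing.
            .csrf(csrf -> csrf.disable())
            // Make the "no cookies" assumption enforceable: never create an HTTP session.
            // If this line is missing, disabling CSRF is no longer justified.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // hypothetical unauthenticated liveness endpoint
                .requestMatchers("/actuator/health").permitAll()
                // everything else requires an authenticated bearer token
                .anyRequest().authenticated())
            // Validate the bearer token as a JWT (signature, expiry, issuer). Issuer and
            // JWK set URI are assumed to come from the standard
            // spring.security.oauth2.resourceserver.jwt.* properties.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

The check worth keeping in mind when reviewing a configuration like this is that `csrf().disable()` and `SessionCreationPolicy.STATELESS` travel together: the first is only sound while the second holds, so a later change that introduces cookie-based sessions (for example for a browser-facing UI) would need CSRF protection re-enabled for those routes.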

The API key is used for Swagger UI, which is a way to expose the endpoints locally. (WIP)