Skip to Main Content
Merative Ideas Portal

Shape the future of Merative!

We invite you to shape the future of Merative, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Post your ideas

Start by posting ideas and requests to enhance a product or service. Take a look at ideas others have posted and upvote them if they matter to you,

  1. Post an idea

  2. Upvote ideas that matter most to you

  3. Get feedback from the Merative team to refine your idea

Help Merative prioritize your ideas and requests

The Merative team may need your help to refine the ideas so they may ask for more information or feedback. The offering manager team will then decide if they can begin working on your idea. If they can start during the next development cycle, they will put the idea on the priority list. Each team at Merative works on a different schedule, where some ideas can be implemented right away, others may be placed on a different schedule.

Receive notification on the decision

Some ideas can be implemented at Merative, while others may not fit within the development plans for the product. In either case, the team will let you know as soon as possible. In some cases, we may be able to find alternatives for ideas which cannot be implemented in a reasonable time.


Merative External Privacy Statement: https://www.merative.com/privacy

Status Future consideration
Created by Nigel Barriscale
Created on Apr 12, 2022

Support Open Authorization 2.0 (OAuth 2.0) for RESTful APIs

In order to support the Canadian Federal Government Digital Standards mandate, ESDC would like to raise the following enhancement request.

Support Open Authorization 2.0 (OAuth 2.0) for RESTful APIs

The Directive on Service and Digital - Appendix B: Mandatory Procedures on Application Programming Interfaces- Canada.ca (https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32604 ), as a baseline minimum, mandates that the following security control practice must be followed:

Section B.2.2.5.4 specifically states:

“Protect access to APIs by implementing an access control scheme that protects APIs from being improperly invoked, including unauthorized function and data references. Always authenticate and authorize before any operation to ensure access to APIs are restricted to permitted individuals and/or systems. Use open standards such as OpenID Connect and Open Authorization 2.0 (OAuth 2.0) for RESTful APIs, and Security Assertion Markup Language 2.0 (SAML 2.0) for SOAP APIs. Ensure that the API key/secret is adequately protected. Open data APIs must be secured with an API key to allow for usage tracking and provide the ability to identify and prevent potential malicious use. Open data APIs must be secured with an API key to allow for usage tracking and provide the ability to identify and prevent potential malicious use.”

Customer Name ESDC
Persona Based Summary

All user types: System-to-system integration, external client access via REST API (decoupled UA), potential future use cases with internal users and partner (provider) users accessing SPMP via REST API

Market Segment Eligibility & Entitlement
Type of Request Customer Requirement
Market Opportunity

no response

Usage frequency + #/type of users impacted

All users types - all the time. REST API is the default integration mechanism for SPMP in ESDC. We are using a decoupled UA architecture so REST APIs are utilised for all those integration points also.

CURAM:Workarounds + Proposed Solution

The current, and “temporary only”, workaround is to use basic authentication Rest/j_security_check?j_username=<username>&j_password=<password>

The Digital Standards specifically state in section B.2.2.5.3:

Do not include sensitive data in request URLs as request URL strings can be tracked and compromised even with transport encryption. If a query involves sensitive data elements (e.g., SIN), pass the query parameters as a JSON message payload rather than in the URL request string.

  • Attach files
  • Admin
    ANGELA BRADY
    Reply
    |
    Feb 9, 2024

    Hi Nigel and Benoit,


    My apologies, we missed the queries you posted on this Idea since it was accepted.


    In response to your query, yes we understand this request is OAuth2 for both citizen engagement and caseworker application. There is no need to raise a separate request/idea. Support for OAuth2.0 is on our roadmap. Delivery of the various elements may be phased over time but we understand that it is required for both citizen engagement (or universal access as it is known in ESDC) and caseworker application. We will let you know when this is scheduled into a release.


    Regards,

    Angela Brady, Cúram Product Management team

  • Benoit Tremblay
    Reply
    |
    Sep 28, 2023

    CoE requires this as part of baseline mandate, we’re awaiting information on what current protocols are in place. This is the highest priority item.


  • Nigel Barriscale
    Reply
    |
    Oct 12, 2022

    Hi Sheryl,

    We've been discussing this internally and noted that there is some ambiguity in our request.
    We would also like the OAuth capability enabled for Authentication for the Citizen Engagement Universal Access application. We didn't specifically mention this as UA uses REST and wanted to make this clear.

    We are happy to create a separate Idea. There really are two main uses cases here: generic REST integration with SPM Platform and the UA (CE version) user interface. Again, happy to create a separate Idea.

    We would also be happy to discuss being a sponsor user for this enhancement.

    We will be discussing the priority of this enhancement with the local team in the coming weeks.

    Regards,

    Nigel.

  • Guest
    Reply
    |
    Apr 28, 2022

    Hi Nigel,

    We have reviewed your enhancement suggestion.

    Based on the information provided, our understanding of your request is as follows:

    - You are requesting product support for Open Authorization 2.0 (OAuth 2.0) for REST APIs

    The theme is aligned with our current strategy for our product and we have accepted your suggestion as a consideration for a future release.

    Thank you for taking the time to share your ideas with us. We are committed to involving our users in building our product roadmap and appreciate your suggestions.

    Regards,

    Sheryl Brenton, SPM Product Management Team

  • Guest
    Reply
    |
    Apr 18, 2022

    Hi Nigel,

    Thank you for taking the time to share your ideas with us. We are committed to involving our users in building our product roadmap and appreciate your suggestions.

    We will review the information you have provided and get back to you within 30 days. If additional details are required to complete our evaluation, we will send you a request for more information.

    Thank you,
    Sheryl Brenton, SPM Product Management Team