'API Security from SURFconext offers more possibilities; it makes our own infrastructure simpler and more up to date. It saves us a management layer and the additional responsibility.'
UvA/HvA
Securely retrieve personal data in an app with API Security from SURFconext
UvA and HvA students use a student app to see their grades, among other things. The app retrieves this data from, for example, the student information system using APIs. With SURFconext API Security, this can be done safely and securely. With the added benefit: 'Our infrastructure is now simpler and more up to date.'
In short
Who: Tom Kuipers
Position: Developer at ICT Services
Organisation: University of Amsterdam (UvA) and Hogeschool van Amsterdam (HvA)
Service: SURFconext
Challenge: Secure and reliable retrieval of personal student data via APIs.
Solution: Central and secure authentication with SURFconext makes the infrastructure simpler and up to date.
Reliable check
Students at the University of Amsterdam (UvA) and the Hogeschool van Amsterdam (HvA) use a student app to view their timetable, grades and study progress. This data comes from systems other than the app itself, such as the student information system, and is retrieved through APIs. Before the data is displayed in the app, the API must be able to reliably identify the student. This is personal data, which should not end up in anyone else's hands: a student must never, for example, see a classmate's grade in the app. To shield APIs that expose sensitive personal information, the UvA and HvA now use API Security from SURFconext. This ensures that the APIs definitely 'know' whether the right person is asking for sensitive data.
How it works
For several years, SURFconext has supported OpenID Connect, an authentication and authorisation protocol suitable for mobile apps. The UvA/HvA student app is connected to SURFconext as a service via the OpenID Connect protocol. The information a student can see in this app (grades, timetables) is retrieved by the app from various UvA/HvA source systems via APIs. These source systems are also registered with SURFconext, as 'resource servers'. After a successful login to the app, the app receives a 'token' from SURFconext. With this token, the app can make a request to the APIs of the source systems, using it as proof of access to, for example, retrieve the grades of the logged-in user. The API needs to check whether the token is valid and also wants to be able to reliably identify the user associated with the token. The API does that via API Security from SURFconext: that is where the token was issued, so that is where it can be checked that the token has not been tampered with.
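The check a resource server has to make in the flow above (is the token genuine and still valid, and does it belong to the student whose grades are being requested?) can be illustrated with the following added example. It is not SURFconext's or the UvA/HvA's code: it models the issuer-side check as an OAuth 2.0 token introspection call (RFC 7662) and treats the endpoint URL, the audience name `grades-api`, the scope name `grades:read` and the `introspect` callable as assumptions; the token table is constructed so the code runs offline.

```python
"""Resource-server authorization for a grades API behind a bearer token.

Added illustration, not SURFconext code. The introspection endpoint, audience
and scope names are assumptions; the token table below is constructed test data.
"""
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed values: a real deployment takes them from the API's SURFconext registration.
EXPECTED_AUDIENCE = "grades-api"
REQUIRED_SCOPE = "grades:read"
# Placeholder only; the real endpoint is whatever the issuer publishes.
INTROSPECTION_URL = "https://<introspection-endpoint-placeholder>/introspect"


@dataclass
class Decision:
    allowed: bool
    reason: str
    subject: Optional[str] = None


def _audiences(info: dict) -> set:
    """RFC 7662 allows 'aud' to be a string or a list; normalise to a set."""
    aud = info.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def authorize_grades_request(
    authorization_header: Optional[str],
    requested_student: Optional[str],
    introspect: Callable[[str], dict],
    now: Optional[float] = None,
) -> Decision:
    """Decide whether a request for a student's grades may be served.

    `introspect` asks the issuer about the token (an HTTP POST to the
    introspection endpoint in production). The user identity is always taken
    from the token's subject, never from a client-supplied id, which is what
    stops one student from reading a classmate's grades.
    """
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return Decision(False, "missing bearer token")
    token = authorization_header[len("Bearer "):].strip()
    if not token:
        return Decision(False, "missing bearer token")

    info = introspect(token)  # forged, unknown or revoked tokens come back inactive
    if not info.get("active"):
        return Decision(False, "token inactive")
    exp = info.get("exp")
    if exp is not None and exp <= now:
        return Decision(False, "token expired")
    if EXPECTED_AUDIENCE not in _audiences(info):
        return Decision(False, "token not issued for this API")
    if REQUIRED_SCOPE not in info.get("scope", "").split():
        return Decision(False, "scope does not permit reading grades")
    subject = info.get("sub")
    if not subject:
        return Decision(False, "no subject in token")
    if requested_student is not None and requested_student != subject:
        return Decision(False, "subject mismatch", subject)
    return Decision(True, "ok", subject)


# Constructed stand-in for the issuer's introspection response, keyed by token.
CONSTRUCTED_TOKENS = {
    "tok-alice": {"active": True, "sub": "alice@student.example",
                  "scope": "grades:read timetable:read", "aud": "grades-api",
                  "exp": 2_000_000_000},
    "tok-bob-expired": {"active": True, "sub": "bob@student.example",
                        "scope": "grades:read", "aud": ["grades-api"],
                        "exp": 1_000_000_000},
    "tok-eve-noscope": {"active": True, "sub": "eve@student.example",
                        "scope": "timetable:read", "aud": "grades-api",
                        "exp": 2_000_000_000},
    "tok-revoked": {"active": False},
}


def fake_introspect(token: str) -> dict:
    """Offline replacement for the HTTP introspection call (constructed data)."""
    return CONSTRUCTED_TOKENS.get(token, {"active": False})


if __name__ == "__main__":
    now = 1_700_000_000
    for header, student in [("Bearer tok-alice", "alice@student.example"),
                            ("Bearer tok-alice", "bob@student.example"),
                            ("Bearer tok-bob-expired", "bob@student.example"),
                            ("Bearer tok-eve-noscope", "eve@student.example"),
                            ("Bearer tok-revoked", None),
                            ("Basic abc", None)]:
        print(header, student, authorize_grades_request(header, student, fake_introspect, now))
```

The ordering of the checks matters less than the fact that every one of them is made on the issuer's answer rather than on anything the app sent: the app only forwards the token, and the source system learns who the user is from SURFconext's introspection response.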
One less management layer
'Previously, we had our own authorisation infrastructure for this purpose, which was linked to SURFconext,' explains Tom Kuipers, developer at the ICT Services department of the UvA and HvA. 'We needed an extra step to verify identity and we had to keep the server up and running ourselves. API Security from SURFconext offers more possibilities; it makes our own infrastructure simpler and more up to date. It saves us a management layer and the additional responsibility.'
Awareness
For users, SURFconext API Security is both easy to use and secure. A student only needs to log in once to be able to use all functionalities in the app at all times. For this authentication, the student app redirects to the institution's central login page, to which SURFconext is connected by default. According to Kuipers, this browser screen provides 'a piece of awareness'. 'We encourage our students not to just leave their student data in an app. Thanks to the link with the lock next to it, they can check whether it is from a trusted party.' Not an unnecessary luxury at a time when higher education institutions are regularly targeted by hackers.
'Don't go inventing your own security, but use the standards that are there. All functionalities that are industry standards are in the SURFconext platform.'
Contemporary
The UvA's own authorisation infrastructure had the advantage that matters around Trust & Identity were arranged within the institution and not shared with third parties. 'But in 2021, SURFconext's OpenID Connect is the way to go,' Kuipers believes. 'Don't go inventing your own security, but use the standards that are there. All functionalities that are considered standards in the industry are in the SURFconext platform. We can hitch a ride on that through the app.'
Fast switching
Kuipers is also enthusiastic about the dashboard, which an institution can use to set up the service independently. He has already gone through that process for the UvA, but he is still in the middle of it with the HvA. 'At the stage where you have to convert an app, it's nice that you can quickly switch into it yourself,' he says. He does see room for one additional function in the dashboard: a button that allows him to invalidate a token. That would come in handy when a student loses a phone. Declaring a token invalid currently still has to be done manually via SURF.
Text: Marjolein van Trigt