Illinois NetID and UIN Integration
This article is a work in progress!
There are various places within our APIs where we reference a University of Illinois identity directly instead of an ACM @ UIUC Identity. We reference them through the UIUC Entra ID tenant, where we have a registered application solely to get users' verified NetIDs and profiles.
These access tokens are provided in the X-Uiuc-Token header instead of the Authorization header, to avoid conflating the two use cases.
Using this access token, we can also get a user's UIN. Since UINs should be protected, and we don't want ACM Infra students to be able to collect (or accidentally leak) a mass list of UINs, we hash + salt + pepper the UINs using argon2id and store the result in a DynamoDB database. Note that it is still theoretically possible to brute force the hashes, since UINs follow a consistent format, but we believe that risk to be acceptable at this time. We then maintain an internal mapping of UIN hash <-> NetID. We can use this information in future integrations, such as iCard swiping for item pickups or on the vending machine.
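The hashing and lookup scheme described above, as an added example that is not the project's own code: the UIN is peppered (HMAC with a secret held outside the table), then run through argon2id with a fixed site-wide salt so the same UIN always yields the same hash and the hash <-> NetID mapping can be queried from a UIN. The pepper, salt, argon2id parameters, the nine-digit UIN format and the in-memory table standing in for DynamoDB are all assumptions; argon2id is used via argon2-cffi when it is installed, with stdlib scrypt as a labelled stand-in otherwise.

```python
import hashlib
import hmac
import re

# Placeholder secrets (constructed for this example). In a real deployment the
# pepper lives in a secrets manager, never in code and never in the DynamoDB table.
PEPPER = b"example-pepper-do-not-use"
# Fixed site-wide salt: a per-record random salt would break lookups by UIN.
SITE_SALT = b"example-site-salt-16b"

try:
    # argon2id is the KDF the page describes; requires the argon2-cffi package.
    from argon2.low_level import Type, hash_secret_raw

    def kdf(secret: bytes, salt: bytes) -> bytes:
        return hash_secret_raw(secret, salt, time_cost=3, memory_cost=64 * 1024,
                               parallelism=1, hash_len=32, type=Type.ID)
except ImportError:
    # Stand-in (assumption): stdlib scrypt when argon2-cffi is not installed.
    def kdf(secret: bytes, salt: bytes) -> bytes:
        return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=32)

UIN_RE = re.compile(r"^\d{9}$")  # assumption: a UIN is exactly nine digits


def hash_uin(uin: str, pepper: bytes = PEPPER, salt: bytes = SITE_SALT) -> str:
    """Return a deterministic, peppered, salted hash of a UIN as hex."""
    if not UIN_RE.match(uin):
        raise ValueError("UIN must be exactly nine digits")
    # Pepper first: with the salt fixed and the UIN space small (10^9), the
    # secret pepper and the KDF's per-guess cost are what slow a brute force
    # by someone who has only obtained the table.
    peppered = hmac.new(pepper, uin.encode(), hashlib.sha256).digest()
    return kdf(peppered, salt).hex()


class UinDirectory:
    """In-memory stand-in for the DynamoDB table holding uinHash <-> netId."""

    def __init__(self):
        self._by_hash = {}
        self._by_netid = {}

    def record(self, uin: str, netid: str) -> str:
        h = hash_uin(uin)  # only the hash is stored, never the raw UIN
        self._by_hash[h] = netid
        self._by_netid[netid] = h
        return h

    def netid_for_uin(self, uin: str):  # e.g. after an iCard swipe yields a UIN
        return self._by_hash.get(hash_uin(uin))

    def hash_for_netid(self, netid: str):
        return self._by_netid.get(netid)
```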
All UIUC users are guest users in the ACM Entra ID tenant. Guest users don't sync their first and last name to the guest tenant, and we have quite a few services which require this information. However, our registered application in the UIUC tenant can access it. Therefore, users sign in to their Illinois account to purchase an ACM membership. During this flow, we hash and store their UIN, and we also get their first and last name to pass through to Stripe, which then passes this information back to us when the membership provisioning webhook is called.
There is a page here that users can use, when prompted by us, to force a sync of their NetID and UIN into our system.
This use case is not in Core but is rather in our merchstore-api repo.
To prevent a user who is not a paid member from using a paid member's NetID in order to receive the discount, we require paid members to validate their identity with their own NetID.