Customer Story: USC Shoah Foundation

USC Shoah Foundation enhances and secures user access to its archive by utilizing Duende IdentityServer and BFF.


Industry: Non-Profit | Region: USA


The USC Shoah Foundation records, preserves, and shares survivor and witness testimonies so that all can learn from the past, reflect on the present, and build a better future.

The collections archive is home to more than 59,000 testimonies of survivors and witnesses of the Holocaust, contemporary antisemitism, the Armenian Genocide, and other mass atrocities and genocidal crimes of the twentieth and twenty-first centuries. It is the largest such collection in the world.

Established in 1994, the USC Shoah Foundation found a permanent home at the University of Southern California in 2006. With survivor testimony at the center, the USC Shoah Foundation's innovative programming, global-impact strategies, and forward-looking research and education initiatives help preserve Holocaust memory and history, confront antisemitism, and strengthen democratic values.

Over the past 30 years, the foundation has built a world-class institute committed to bringing survivors' voices into research, policy, education, and public awareness.

The Need for Customization

Because the USC Shoah Foundation provides access to sensitive content, it must enforce a registration and account layer for website access. An important requirement is to distinguish user types, such as anonymous users, students, educators and administrators, and to comply with the specific requirements that apply to each.

For example, no personal data (email, phone, etc.) should be collected from student users.

At the technical level, users must be unique by username and email, and single sign-on must work across all websites, each with its own permissions and settings, and across both cloud and on-premise environments.

The web application was built with a .NET backend and an Angular frontend. Given the requirements, the USC Shoah Foundation was not able to find a plug-and-play solution or Software-as-a-Service (SaaS) offering in the market. They evaluated AWS Cognito, but realized their OAuth and OpenID Connect (OIDC) requirements were hard to model in such a system.

Authentication and Authorization in Modern Applications

When the development team at USC Shoah Foundation looked into self-hosting their own build of the open source IdentityServer4, they realized their team was too small to take on the role of authentication experts.

"We were able to host our own identity provider using Duende IdentityServer, without having to acquire expertise on the OAuth/OIDC specifications. Where we were not able to solve a problem, Duende was able to solve it, and at various stages/deployments we reviewed our implementation with Duende for correctness." - Jeff Schulz, Software Engineer, USC Shoah Foundation

Ultimately, USC Shoah Foundation developers became confident that Duende could provide them with OAuth/OIDC expertise, and provide a middleware layer for handling the authorization flows.

"Duende also helped us handle single sign-on in the correct way. Their support has been invaluable for us. They work with us to understand the problem and create a solution, compliant with the specification and with regard to our unique use case."

At the time there was no robust way to store JWT access tokens securely in the browser when building a Single-Page Application (SPA). Cognizant of the risks of handling tokens in the browser for an SPA, USC Shoah Foundation was excited to use the Backend for Frontend (BFF) security framework to secure their browser-based frontends. With a BFF, the tokens are held server-side and the browser receives only an HttpOnly session cookie, so no access or refresh token is ever exposed to script running in the page.

A Solid Foundation

USC Shoah Foundation currently has four Angular applications integrated with their IdentityServer via BFF, across four deployment environments. Together with Duende, they are looking at enhancements in the BFF security framework to support multiple client apps to access multiple APIs from a single BFF instance.

"The solution we have in place with Duende IdentityServer and BFF has been reliable and is running with minimal maintenance." - Jeff Schulz, Software Engineer, USC Shoah Foundation