How did we secure our Forest Admin panel?

Thibault Nucéra
Yousign Engineering & Product
3 min read · Nov 28, 2022

At Yousign, we have been using Forest Admin (also an eFounders company since 2016) for some time as the administration panel for our web application, and we will be intensifying its use across our different types of teams. We care about the security of our users' data, so we wanted to strengthen the protections offered by Forest Admin by adding an additional access-control layer. This article goes through these points.

How does Forest Admin work?

Forest Admin architecture

The architecture of Forest Admin is composed of two parts:

  • the part hosted on our infrastructure: the API called the “Admin Backend”, which connects to our various application databases and allows us to perform advanced actions through code we develop ourselves
  • the part hosted by Forest Admin: the web user interface and its API, entirely managed by Forest Admin’s teams

For more information, please refer to this article, written by Forest Admin.

What about security?

Forest Admin offers different methods and solutions to secure the exchanges between the interface and the backend API hosted in our infrastructure.

First, with the architecture designed by Forest Admin, our data never passes through their servers: the exchanges are made directly between the user’s browser and our backend.

Security relies on the JWT standard. The communications between the backend and the Forest Admin servers are protected by two different JWTs, signed with two different keys.

Three other security features are proposed in the Plus plan:

How can we increase security by adding our own layer?

At Yousign, we pay close attention to security at every level. Even though Forest Admin offers a well-thought-out architecture and protection mechanisms, we absolutely wanted to add a security layer entirely under our own control, following a “Zero Trust” approach.

The official documentation currently indicates this too:

Forest Admin documentation page

VPN

Of course, the first solution that comes to mind, and the one proposed in the Forest Admin documentation, is to protect access to the backend with a VPN. By putting the servers that host the admin API behind a VPN, all the API calls our users make from the web interface would be protected by it.

But that would mean deploying the VPN to all of our internal users, something we didn’t want to do in this particular usage context. We still use VPNs, but for very specific purposes that we will not detail here.

API Gateway and IAM

We have been using Kong as an API gateway and Okta as an IAM for several years to secure our employees’ and partners’ access to company tools.

So we had the idea of placing the backend API behind our API gateway and thus benefiting from everything an API gateway, in this case Kong, provides. With an OIDC plugin configured against our Okta IdP, we protected access to the backend API routes with our own mechanism, without any specific development on the backend.

It looks like this:

Sequence diagram: Forest Admin Backend API OIDC / OpenID security
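As an added example (not code from the article, nor from Forest Admin, Kong or Okta), here is a small Python model of the layered check: the gateway verifies a signed Okta session token (signature, pinned algorithm, issuer, audience, expiry) and only then forwards the request, leaving the Forest Admin Authorization header untouched so the backend can still run its own JWT check. It assumes the Okta session is carried in a cookie named okta_session, and uses HS256 with a shared demo key so it runs offline (a real Okta deployment signs with RS256 keys fetched from its JWKS endpoint); the issuer and audience values are placeholders.

```python
import base64, hashlib, hmac, json

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Mint a JWT. HS256 is used only to keep the demo stand-alone; Okta uses RS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token, key, issuer, audience, now):
    """Return the claims if alg, signature, iss, aud and exp all check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # pin the algorithm: reject "none" and alg confusion
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

# Placeholders standing in for the real Okta issuer and client id (not taken from the article).
OKTA_ISSUER = "https://example.okta.com/oauth2/default"
OKTA_AUDIENCE = "forest-admin-gateway"

def gateway(request, okta_key, now):
    """Gateway layer: require a valid Okta session before anything reaches the backend.
    On success the request is forwarded with its headers (including the Forest Admin
    Authorization header) untouched, so the backend's own JWT check still applies."""
    session = request.get("cookies", {}).get("okta_session", "")
    if verify_hs256(session, okta_key, OKTA_ISSUER, OKTA_AUDIENCE, now) is None:
        return {"status": 401, "forwarded": None}
    forwarded = {"path": request["path"], "headers": dict(request.get("headers", {}))}
    return {"status": 200, "forwarded": forwarded}
```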

This flow was set up with the help of the Forest Admin teams, who really helped us understand the exchanges between their different software components and made the project a success.

Today, Yousign’s data is better protected. The system has been deployed and is transparent to the people authorized to access Forest Admin, who simply sign in through Okta. They are now able to customize the Forest Admin interface to the needs of their specific profile.

Note: this article was originally published on May 21, 2021 on our former Yousign Engineering & Product blog.


SRE (Site Reliability Engineer) @ Yousign - Full remote worker