Welcome to the first post of our Tackling Complexities series.
You can learn more about the series in the intro here, but the idea is to share some of the complex tech (or tech-related) challenges we’ve had to dig into whilst building Syncaroo, the backbone infrastructure for how workspace platforms automatically keep each other in-sync.
In today’s post we talk about how we’re tackling the need to prove authentication, authorization and enable trust between workspace technology platforms, in a scalable way.
Summary.
When syncing any data between different systems over the internet, there are a few questions that each side has to ‘ask’ or verify before deciding if they actually can trust the information they receive.
This includes syncing workspace data (like workspace details, pricing, photos or availability) across different systems.
It’d be absolutely chaotic if anybody could just send across information without any checks.
Platforms on each side of a sync need to verify that the information (or request for information) is coming from a known and trusted source and that the trusted entity has permission to update or change that specific information.
With both of those checked, we then need to make sure we can trust that the request wasn’t tampered with, or changed, as it moved across the internet.
Some terms.
- Authentication - can we confirm that whoever sent this is who they say they are?
- Authorization - do they have permissions to do what they're trying to do?
- Trust - even if they are who they say they are, and have permissions, can we trust what they sent?
Solving the Authentication & Authorization challenges.
We started first with tackling the challenge of verifying the identities and permissions between systems.
Syncaroo is built to continuously check the Authentication and Authorization of accounts across platforms, on a few different levels: from making sure that somebody with the right authority gives Syncaroo permission to access the data inside property/asset/inventory management systems, to ensuring that accounts on each connected platform have adequate permissions to make changes or securely access and process workspace data.
To make syncing seamless, connections are set up manually once, but Authorization and Authentication checks are securely reconfirmed automatically behind the scenes. And if, for any reason, any of the checks fail, Syncaroo stops syncing to/from that platform and notifies workspace operators and our team that attention is needed to resume syncing.
We’ve designed the Syncaroo platform to work with numerous trusted and standard methods of Authentication & Authorization, and each integrated platform can pick its preferred methods depending on its internal tech stack and business logic. We recommend OAuth 2.0, with on-screen confirmation, short-lived tokens and well-scoped permissions.
A simple example as to how this works, with any manual actions in bold:
- Susan wants to securely connect Platform A to sync to Platform B.
- Susan securely confirms their account on Platform A when connecting it to Syncaroo.
- Syncaroo checks to make sure Susan's account on Platform A has permission to grant access.
- Susan then securely confirms their account on Platform B when connecting it to Syncaroo.
- Syncaroo then checks with Platform B to make sure Susan's account there has the right permissions.
- The connection between Platform A and Platform B is now Authenticated and Authorized.
Solving the Trust challenges.

We live in a world where trust is critical, especially between auto-updating business systems and publicly-facing channels.
And so we take the third part of this challenge seriously, implementing and continuing to develop and improve how the data synced between systems can be trusted.
Internally Syncaroo runs numerous checks, before notifying connected platforms that an update or sync is available. This updated data is supplied via a secured, authenticated and tightly-scoped REST API. This means that in the unlikely situation that an update sync notification is intercepted, the updated data itself isn’t directly accessible by just anyone.
To make the notifications even more trustable, Syncaroo signs the notification using top-tier encryption.
This allows integrated platforms to triple-check that a sync is trusted, before processing a single action on their internal systems.
From our very first version, here’s how we’ve enabled connected platforms to triple-check sync notifications via Syncaroo (simplified immensely for brevity):
- Check #1: Platform B confirms the signature or rejects/ignores the notification.
- Check #2: Platform B checks to make sure the update is correctly linked to Syncaroo or rejects it.
- Check #3: Platform B would then request the data via a secured direct channel with Syncaroo.
- Platform B can now trust the update notification and the secured data from the sync.
This triple-checking takes mere milliseconds per sync but allows for Platform B to have full trust in the data syncs it receives from any platform via Syncaroo.
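The three checks above, sketched from the receiving platform's side as an added example (not Syncaroo's own code). The page does not state the signature scheme, so this assumes an HMAC-SHA256 signature with a shared secret; the field names, `API_BASE` URL and secret are hypothetical.

```python
import hashlib
import hmac
import json
from urllib.parse import quote

# Every name and value here is an assumption for illustration, not Syncaroo's API.
API_BASE = "https://api.syncaroo.example/v1"  # placeholder, set in Platform B's config
EXPECTED_SOURCE = "syncaroo"                  # hypothetical "source" field value
SHARED_SECRET = b"constructed-demo-secret"    # constructed sample key


def sign(body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes that travel on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def check_notification(body: bytes, signature: str, secret: bytes, connections: set):
    """Run checks #1 and #2; return the URL to use for check #3, or None to reject."""
    # Check #1: verify the signature over the raw bytes, before parsing anything.
    if not hmac.compare_digest(sign(body, secret).encode(), signature.encode()):
        return None
    try:
        note = json.loads(body)
    except ValueError:
        return None
    if not isinstance(note, dict):
        return None
    # Check #2: the update must name Syncaroo and a connection this platform set up.
    conn = note.get("connection_id")
    if note.get("source") != EXPECTED_SOURCE or not isinstance(conn, str) or conn not in connections:
        return None
    update_id = note.get("update_id")
    if not isinstance(update_id, str) or not update_id:
        return None
    # Check #3: fetch from the configured API base using only the ID, never from
    # a URL carried in the notification; the caller adds its own credentials.
    return f"{API_BASE}/updates/{quote(update_id, safe='')}"


def demo():
    """Constructed sample notification: valid, tampered, and unknown connection."""
    body = json.dumps({"source": "syncaroo", "connection_id": "conn-123", "update_id": "upd/42"}).encode()
    sig = sign(body, SHARED_SECRET)
    known = {"conn-123"}
    return {
        "valid": check_notification(body, sig, SHARED_SECRET, known),
        "tampered": check_notification(body.replace(b"conn-123", b"conn-999"), sig, SHARED_SECRET, known),
        "unknown_connection": check_notification(body, sig, SHARED_SECRET, set()),
    }
```

A `None` result means the notification is ignored and nothing is fetched, so a forged or altered notification never triggers a call to the data API.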
Can't every platform tackle these without Syncaroo?
Of course. Authentication, authorization and trust are critical for any tech integration.
Where Syncaroo’s power shines through is that we offer a single secure integration that tackles these challenges (and others) for connecting to a growing number of platforms, services and products.
So instead of tackling challenges for each new integration, a single integration is set up, managed and monitored.
Not only does this allow platforms to focus development time on their core products, differentiating features and business logic – but it also improves the stability and reliability of integrations across the entire proptech ecosystem through shared standards and schemas.
Run a platform or operate a workspace? Request access to the Syncaroo closed beta and become part of the data infrastructure the future of work is built upon.