Skip to content

OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.


Notifications You must be signed in to change notification settings


Repository files navigation

Identity Manager - Keyrock

FIWARE Security License: MIT Docker badge Support badge
Documentation CI Coverage Status Status Codacy Badge CII Best Practices

Keyrock is the FIWARE component responsible for Identity Management. Using Keyrock (in conjunction with other security components such as PEP Proxy and Authzforce) enables you to add OAuth2-based authentication and authorization security to your services and applications.

This project is part of FIWARE. For more information check the FIWARE Catalogue entry for Security.

📚 Documentation 📄 Site 🎓 Academy 🎯 Roadmap



The main identity management concepts within Keyrock are:

  • Users
    • Have a registered account in Keyrock.
    • Can manage organizations and register applications.
  • Organizations
    • Are group of users that share resources of an application (roles and permissions).
    • Users can be members or owners (manage the organization).
  • Applications
    • has the client role in the OAuth 2.0 architecture and will request protected user data.
    • Are able to authenticate users using their Oauth credentials (ID and secret) which unequivocally identify the application
    • Define roles and permissions to manage authorization of users and organizations
    • Can register Pep Proxy to protect backends.
    • Can register IoT Agents.

Keyrock provides both a GUI and an API interface.

Software requirements

This GE is based on a JavaScript environment and SQL databases. In order to run the identity manager the following requirements must be installed:

  • node.js
  • npm
  • mysql-server (^5.7)
  • build-essential


  1. Clone Proxy repository:
git clone
  1. Install the dependencies:
cd fiware-idm/
npm install
  1. Duplicate config.template in config.js:
cp config.js.template config.js
  1. Configure data base access credentials:
config.database = {
    host: 'localhost', // default: 'localhost'
    password: 'idm', // default: 'idm'
    username: 'root', // default: 'root'
    database: 'idm', // default: 'idm'
    dialect: 'mysql' // default: 'mysql'
  1. To configure the server to listen HTTPS requests, generate certificates OpenSSL and configure config.js:
config.https = {
    enabled: true, //default: 'false'
    cert_file: 'certs/idm-2018-cert.pem',
    key_file: 'certs/idm-2018-key.pem',
    port: 443
  1. Create database, run migrations and seeders:
npm run-script create_db
npm run-script migrate_db
npm run-script seed_db
  1. Start server with admin rights (server listens in 3000 port by default or in 443 if HTTPS is enabled).
sudo npm start

You can test the Identity manager using the default user:

  • Email:
  • Password: 1234


We also provide a Docker image to facilitate you the building of this GE.

  • Here you will find the Dockerfile and the documentation explaining how to use it.
  • In Docker Hub you will find the public image.


Information about how to use the Keyrock GUI can be found in the User & Programmers Manual.


Resources can be managed through the API (e.g. Users, applications and organizations). Further information can be found in the API section.

Finally, one of the main uses of this Generic Enabler is to allow developers to add identity management (authentication and authorization) to their applications based on FIWARE identity. This is posible thanks to OAuth2 protocol. For more information check the OAuth2 API.


For performing a basic end-to-end test, you have to follow the next steps. A detailed description about how to run tests can be found here.

  1. Verify that the host address of IdM can be reached. By default, web access will show a Login Page.
  2. Acquire a valid username and password and access with those credentials. The resulting web page is the landing page of the IdM KeyRock Portal.
  3. Verify that you can view the list of applications, organizations, etc.

Advanced Documentation

Changes Introduced in 7.x

They biggest change introduced in 7.x is that the identity manager no longer depends on Openstack components Keystone and Horizon. Now is fully implemented in Node JS. Another remarkable changes have been made:

  1. A driver has been implemented in order to make authentication against another database different from the default one.
  2. The appearance of the web portal can be easily modified though configurable themes.
  3. Now users don't need to switch session in order to create an application that will belong to an organization.
  4. Permissions of an application can be edited or deleted.
  5. IdM could play the role of gateway between services and eDIAS Node in order to allow users authentication with their national eID.
  6. OAuth Refresh Token Supported.
  7. Configurable OAuth token types (Permanent tokens and Json Web Tokens).
  8. OAuth Revoke Token endpoint enable.
  9. Internazionalization od UI (Spanish and English supported).
  10. User Admin Panel.
  11. Trusted application for OAuth token validation.
  12. IdM could play the role as PDP for basic authorization.
  13. Complete Sign out. Delete session in services as well as in Keyrock.

Quality Assurance

This project is part of FIWARE and has been rated as follows:

  • Version Tested:
  • Documentation:
  • Responsiveness:
  • FIWARE Testing:


Keyrock is licensed under the MIT License.

© 2018-2023 Universidad Politécnica de Madrid.