Skip to content
OAuth2-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
JavaScript HTML CSS API Blueprint Other
Branch: master
Clone or download
Latest commit c6557f5 Nov 14, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin Fixed ca certs path Jul 16, 2018
controllers Update user api to include extra attribute Oct 9, 2019
doc.ja Fix issue 114: allowemptystate and code 200 when authenticate a token Sep 19, 2019
doc
etc Update translation files for accesibility attributes Oct 7, 2019
external_auth Data usage config file May 16, 2019
extras Update delete organization in apiary Oct 11, 2019
lib Merge PR 101 Jul 22, 2019
migrations Several redirect uris Nov 14, 2019
models Several redirect uris Nov 14, 2019
public Errors handling Sep 16, 2019
routes Translate errors Sep 20, 2019
seeders Data usage config file May 16, 2019
templates Identity attributes in users' profile Jul 23, 2019
test Change identity attributes to false Oct 9, 2019
themes Merge branch 'a11y' Oct 7, 2019
views Update translation files for accesibility attributes Oct 7, 2019
.dockerignore Data usage config file May 16, 2019
.eslintignore Data usage config file May 16, 2019
.eslintrc Data usage config file May 16, 2019
.gitignore Data usage config file May 16, 2019
.jshintrc Data usage config file May 16, 2019
.nvmrc Data usage config file May 16, 2019
.sequelizerc Data usage config file May 16, 2019
.textlintrc Enable Markdown linting on Travis Mar 2, 2019
.travis.yml Data usage config file May 16, 2019
CREDITS Minor changes to release Oct 4, 2019
LICENSE Data usage config file May 16, 2019
README.md Fix broken url in docu Sep 9, 2019
apiary.apib Update delete organization in apiary Oct 11, 2019
apiary.ja.apib Update delete organization in apiary Oct 11, 2019
app.js Errors handling Sep 16, 2019
config.js.template Change identity attributes to false Oct 9, 2019
generate_openssl_keys.sh default colors change Apr 2, 2018
mkdocs.yml Update CSS to avoid redirect Sep 9, 2019
package-lock.json Merge branch 'a11y' Oct 7, 2019
package.json
roadmap.md Front for defined policy rules Apr 26, 2019
version.json Data usage config file May 16, 2019

README.md

Identity Manager - Keyrock

FIWARE Security License: MIT Docker badge Support badge
Documentation Build Status Coverage Status Status Codacy Badge

Keyrock is the FIWARE component responsible for Identity Management. Using Keyrock (in conjunction with other security components such as PEP Proxy and Authzforce) enables you to add OAuth2-based authentication and authorization security to your services and applications.

This project is part of FIWARE. For more information check the FIWARE Catalogue entry for Security.

📚 Documentation 🎓 Academy 🐳 Docker Hub 🎯 Roadmap

Content


Background

The main identity management concepts within Keyrock are:

  • Users
    • Have a registered account in Keyrock.
    • Can manage organizations and register applications.
  • Organizations
    • Are group of users that share resources of an application (roles and permissions).
    • Users can be members or owners (manage the organization).
  • Applications
    • has the client role in the OAuth 2.0 architecture and will request protected user data.
    • Are able to authenticate users using their Oauth credentials (ID and secret) which unequivocally identify the application
    • Define roles and permissions to manage authorization of users and organizations
    • Can register Pep Proxy to protect backends.
    • Can register IoT Agents.

Keyrock provides both a GUI and an API interface.

Software requirements

This GE is based on a JavaScript environment and SQL databases. In order to run the identity manager the following requirements must be installed:

  • node.js
  • npm
  • mysql-server (^5.7)
  • build-essential

Install

  1. Clone Proxy repository:
git clone https://github.com/ging/fiware-idm.git
  1. Install the dependencies:
cd fiware-idm/
npm install
  1. Duplicate config.template in config.js:
cp config.js.template config.js
  1. Configure data base access credentials:
config.database = {
    host: "localhost", // default: 'localhost'
    password: "idm", // default: 'idm'
    username: "root", // default: 'root'
    database: "idm", // default: 'idm'
    dialect: "mysql" // default: 'mysql'
};
  1. To configure the server to listen HTTPS requests, generate certificates OpenSSL and configure config.js:
./generate_openssl_keys.sh
config.https = {
    enabled: true, //default: 'false'
    cert_file: "certs/idm-2018-cert.pem",
    key_file: "certs/idm-2018-key.pem",
    port: 443
};
  1. Create database, run migrations and seeders:
npm run-script create_db
npm run-script migrate_db
npm run-script seed_db
  1. Start server with admin rights (server listens in 3000 port by default or in 443 if HTTPS is enabled).
sudo npm start

You can test the Identity manager using the default user:

  • Email: admin@test.com
  • Password: 1234

Docker

We also provide a Docker image to facilitate you the building of this GE.

  • Here you will find the Dockerfile and the documentation explaining how to use it.
  • In Docker Hub you will find the public image.

Usage

Information about how to use the Keyrock GUI can be found in the User & Programmers Manual.

API

Resources can be managed through the API (e.g. Users, applications and organizations). Further information can be found in the API section.

Finally, one of the main uses of this Generic Enabler is to allow developers to add identity management (authentication and authorization) to their applications based on FIWARE identity. This is posible thanks to OAuth2 protocol. For more information check the OAuth2 API.

Tests

For performing a basic end-to-end test, you have to follow the next steps. A detailed description about how to run tests can be found here.

  1. Verify that the host address of IdM can be reached. By default, web access will show a Login Page.
  2. Acquire a valid username and password and access with those credentials. The resulting web page is the landing page of the IdM KeyRock Portal.
  3. Verify that you can view the list of applications, organizations, etc.

Advanced Documentation

Changes Introduced in 7.x

They biggest change introduced in 7.x is that the identity manager no longer depends on Openstack components Keystone and Horizon. Now is fully implemented in Node JS. Another remarkable changes have been made:

  1. A driver has been implemented in order to make authentication against another database different from the default one.
  2. The appearance of the web portal can be easily modified though configurable themes.
  3. Now users don't need to switch session in order to create an application that will belong to an organization.
  4. Permissions of an application can be edited or deleted.
  5. IdM could play the role of gateway between services and eDIAS Node in order to allow users authentication with their national eID.
  6. OAuth Refresh Token Supported.
  7. Configurable OAuth token types (Permanent tokens and Json Web Tokens).
  8. OAuth Revoke Token endpoint enable.
  9. Internazionalization od UI (Spanish and English supported).
  10. User Admin Panel.
  11. Trusted application for OAuth token validation.
  12. IdM could play the role as PDP for basic authorization.
  13. Complete Sign out. Delete session in services as well as in Keyrock.

Quality Assurance

This project is part of FIWARE and has been rated as follows:

  • Version Tested:
  • Documentation:
  • Responsiveness:
  • FIWARE Testing:

License

Keyrock is licensed under the MIT License.

© 2018 Universidad Politécnica de Madrid.

You can’t perform that action at this time.