OAuth2-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin Fixed ca certs path Jul 16, 2018
controllers Configuration of keyrock full description Feb 20, 2019
doc Add sing out in changes 7.x Feb 21, 2019
etc Several interface bugs fixing Feb 4, 2019
external_auth Merge jason-fox-feature/test-stub and lint code Jan 31, 2019
extras/docker Environment variables Feb 18, 2019
lib Fix bugs and create delete api token test Feb 5, 2019
migrations Fix bug migration Feb 4, 2019
models Fix bugs and create delete api token test Feb 5, 2019
public Fixed eidas profile bug when validating tokens Feb 1, 2019
routes Fix bugs and create delete api token test Feb 5, 2019
seeders Merge jason-fox-feature/test-stub and lint code Jan 31, 2019
templates Change authzforce templates folder Dec 21, 2018
themes Fix bugs and create delete api token test Feb 5, 2019
views Several interface bugs fixing Feb 4, 2019
.dockerignore Update Docker Nov 22, 2018
.eslintignore Checked controllers/saml2 and added debug errors Feb 1, 2019
.eslintrc Pull master branch Jan 24, 2019
.gitignore Merge jason-fox-feature/test-stub and lint code Jan 31, 2019
.jshintrc Remove lint from Husky Jan 21, 2019
.nvmrc remove mmagic Oct 24, 2018
.sequelizerc Raw queries in models now Feb 26, 2018
.textlintrc Minor changes .textlintrc Feb 22, 2019
.travis.yml Fix index admin guide Feb 15, 2019
CREDITS Update contributors in credits and remove config.js Jan 31, 2019
LICENSE Split License out to separate file Aug 15, 2018
README.md Add sing out in changes 7.x Feb 21, 2019
apiary.apib Test Api organizations, roles, permissions, iot_agents and pep_proxies Jan 31, 2019
app.js Add search_distinct lintignore Feb 1, 2019
config.js.template Configuration of keyrock full description Feb 20, 2019
generate_openssl_keys.sh default colors change Apr 2, 2018
mkdocs.yml Configuration of keyrock full description Feb 20, 2019
package-lock.json Merge branch 'master' of https://github.com/ging/mesias Feb 1, 2019
package.json Fix bug in test/unit/api/011-role_user_assignments.js Feb 22, 2019
roadmap.md Add search_distinct lintignore Feb 1, 2019
version.json Added libs for version in api Jun 25, 2018


Identity Manager - Keyrock

FIWARE Security License: MIT Docker badge Support badge
Documentation Build Status Coverage Status Status

Keyrock is the FIWARE component responsible for Identity Management. Using Keyrock (in conjunction with other security components such as PEP Proxy and Authzforce) enables you to add OAuth2-based authentication and authorization security to your services and applications.

This project is part of FIWARE. For more information check the FIWARE Catalogue entry for Security.

📚 Documentation 🎓 Academy 🐳 Docker Hub 🎯 Roadmap



The main identity management concepts within Keyrock are:

  • Users
    • Have a registered account in Keyrock.
    • Can manage organizations and register applications.
  • Organizations
    • Are group of users that share resources of an application (roles and permissions).
    • Users can be members or owners (manage the organization).
  • Applications
    • has the client role in the OAuth 2.0 architecture and will request protected user data.
    • Are able to authenticate users using their Oauth credentials (ID and secret) which unequivocally identify the application
    • Define roles and permissions to manage authorization of users and organizations
    • Can register Pep Proxy to protect backends.
    • Can register IoT Agents.

Keyrock provides both a GUI and an API interface.

Software requirements

This GE is based on a JavaScript environment and SQL databases. In order to run the identity manager the following requirements must be installed:

  • node.js
  • npm
  • mysql-server (^5.7)
  • build-essential


  1. Clone Proxy repository:
git clone https://github.com/ging/fiware-idm.git
  1. Install the dependencies:
cd fiware-idm/
npm install
  1. Duplicate config.template in config.js:
cp config.js.template config.js
  1. Configure data base access credentials:
config.database = {
    host: "localhost", // default: 'localhost'
    password: "idm", // default: 'idm'
    username: "root", // default: 'root'
    database: "idm", // default: 'idm'
    dialect: "mysql" // default: 'mysql'
  1. To configure the server to listen HTTPS requests, generate certificates OpenSSL and configure config.js:
config.https = {
    enabled: true, //default: 'false'
    cert_file: "certs/idm-2018-cert.pem",
    key_file: "certs/idm-2018-key.pem",
    port: 443
  1. Create database, run migrations and seeders:
npm run-script create_db
npm run-script migrate_db
npm run-script seed_db
  1. Start server with admin rights (server listens in 3000 port by default or in 443 if HTTPS is enabled).
sudo npm start

You can test the Identity manager using the default user:

  • Email: admin@test.com
  • Password: 1234


We also provide a Docker image to facilitate you the building of this GE.

  • Here you will find the Dockerfile and the documentation explaining how to use it.
  • In Docker Hub you will find the public image.


Information about how to use the Keyrock GUI can be found in the User & Programmers Manual.


Resources can be managed through the API (e.g. Users, applications and organizations). Further information can be found in the API section.

Finally, one of the main uses of this Generic Enabler is to allow developers to add identity management (authentication and authorization) to their applications based on FIWARE identity. This is posible thanks to OAuth2 protocol. For more information check the OAuth2 API.


For performing a basic end-to-end test, you have to follow the next steps. A detailed description about how to run tests can be found here.

  1. Verify that the host address of IdM can be reached. By default, web access will show a Login Page.
  2. Acquire a valid username and password and access with those credentials. The resulting web page is the landing page of the IdM KeyRock Portal.
  3. Verify that you can view the list of applications, organizations, etc.

Advanced Documentation

Changes Introduced in 7.x

They biggest change introduced in 7.x is that the identity manager no longer depends on Openstack components Keystone and Horizon. Now is fully implemented in Node JS. Another remarkable changes have been made:

  1. A driver has been implemented in order to make authentication against another database different from the default one.
  2. The appearance of the web portal can be easily modified though configurable themes.
  3. Now users don't need to switch session in order to create an application that will belong to an organization.
  4. Permissions of an application can be edited or deleted.
  5. IdM could play the role of gateway between services and eDIAS Node in order to allow users authentication with their national eID.
  6. OAuth Refresh Token Supported.
  7. Configurable OAuth token types (Permanent tokens and Json Web Tokens).
  8. OAuth Revoke Token endpoint enable.
  9. Internazionalization od UI (Spanish and English supported).
  10. User Admin Panel.
  11. Trusted application for OAuth token validation.
  12. IdM could play the role as PDP for basic authorization.
  13. Complete Sign out. Delete session in services as well as in Keyrock.

Quality Assurance

This project is part of FIWARE and has been rated as follows:

  • Version Tested:
  • Documentation:
  • Responsiveness:
  • FIWARE Testing:


Keyrock is licensed under the MIT License.

© 2018 Universidad Politécnica de Madrid.