A Cloud Foundry service broker that creates and manages identities for applications, enabling them to generate JWT tokens for accessing external resources.
The ID Broker is an Open Service Broker API compliant service that integrates with Cloud Foundry's UAA (User Account and Authentication) service and CredHub to provide applications with dedicated identities. Applications can bind to these identities and use them to generate JWT tokens based on their CF instance client certificate.
- Identity Management: Creates and manages UAA users for each service instance
- Secure Binding: Binds identities to specific Cloud Foundry applications
- Token Generation: Provides JWT tokens through mutual TLS authentication
- CredHub Integration: Securely stores identity credentials and binding information
- Cloud Foundry Native: Deep integration with CF's UAA, CredHub, and service broker APIs
┌─────────────────────┐
│ CF Application │
│ (with instance │
│ certificate) │
└──────────┬──────────┘
│ mTLS
↓
┌─────────────────────┐
│ ID Broker │
│ ┌───────────────┐ │
│ │ Controllers │ │
│ │ - Service │ │
│ │ - Binding │ │
│ │ - Token │ │
│ └───────┬───────┘ │
│ ↓ │
│ ┌───────────────┐ │
│ │ Managers │ │
│ │ - Identity │ │
│ └───────┬───────┘ │
└──────────┼──────────┘
│
┌──────┴──────┐
↓ ↓
┌────────┐ ┌────────┐
│ UAA │ │CredHub │
└────────┘ └────────┘
controllers/: HTTP endpoint handlersServiceInstanceController.go: Service instance lifecycle (create/delete/update)ServiceBindingController.go: Service binding operations (bind/unbind)TokenController.go: JWT token generation endpointApiController.go: Support API for token information
managers/: Business logic layerIdentityManager.go: Identity creation, deletion, binding validation, token generation
server/: HTTP server and security configurationHttpServer.go: Route definitions and server initializationsecurity.go: Authentication and authorization logic
cfg/: Configuration and catalogconfig.go: Environment variable processing and initializationcatalog.go: Service broker catalog definition
domain/: Data models for service broker APIcf/: Cloud Foundry API clientuaa/: UAA client for user management and token operationshttp/: HTTP request utilities
The ID Broker implements the Open Service Broker API specification:
GET /v2/catalog- Service catalogPUT /v2/service_instances/{service_instance_guid}- Create service instancePATCH /v2/service_instances/{service_instance_guid}- Update service instanceDELETE /v2/service_instances/{service_instance_guid}- Delete service instancePUT /v2/service_instances/{service_instance_guid}/service_bindings/{service_binding_guid}- Create bindingDELETE /v2/service_instances/{service_instance_guid}/service_bindings/{service_binding_guid}- Delete binding
Applications use their CF instance certificate to authenticate:
GET /token/{service_instance_guid}/{service_binding_guid}- Generate JWT token
Response:
{
"accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
}For debugging and management (requires CF admin or developer permissions):
GET /api/info/{service_instance_guid}- Get identity information
Response:
{
"subject": "user-id",
"issuer": "https://uaa.cf.example.com/oauth/token",
"audience": ["openid"]
}When a developer creates a service instance:
- ID Broker creates a UAA user with username
idb-{service_instance_guid} - User credentials and metadata are stored in CredHub at
/idb/{service_instance_guid} - Service instance GUID becomes the identity identifier
When an application binds to the service:
- ID Broker creates a binding record in CredHub at
/idb/{service_instance_guid}/{binding_guid} - The binding associates the identity with a specific CF application GUID
- Application receives credentials containing the token API URL:
{ "id_url": "https://id-broker.cf.example.com/token/{service_instance_guid}/{binding_guid}" }
When an application requests a token:
- Application makes an HTTPS request to the
id_urlusing its CF instance certificate (mTLS) - ID Broker extracts the app GUID from the certificate's organizational unit
- Validates the certificate and verifies the app GUID matches the binding
- Retrieves identity credentials from CredHub
- Requests a token from UAA using the identity's credentials
- Returns the JWT access token to the application
- Basic Authentication: Service broker API endpoints (CF Cloud Controller)
- Bearer Token Authentication: Support API (requires CF user token with appropriate permissions)
- Mutual TLS Authentication: Token generation endpoint (CF instance certificate)
The broker validates CF instance certificates by:
- Extracting the app GUID from the certificate's organizational unit
- Verifying the app IP address matches CF routing expectations
- Ensuring the binding exists and matches the app GUID
- Validating through the CF API that the app is valid
- Service Broker API: Basic auth with configured username/password
- Token API: mTLS with instance certificate + binding validation
- Support API: CF OAuth token with either:
cloud_controller.adminscope, OR- Developer/manager permissions on the service instance's space
USERNAME: Service broker basic auth usernamePASSWORD: Service broker basic auth passwordUAA_CLIENT_ID: OAuth2 client ID for UAAUAA_CLIENT_SECRET: OAuth2 client secret for UAA
LISTEN_PORT: HTTP server port (default: 8080)HTTP_TIMEOUT: HTTP request timeout in seconds (default: 10)DEBUG: Enable debug mode (default: false)CREDHUB_URL: CredHub API URL (default:https://credhub.service.cf.internal:8844)UAA_URL: UAA URL override (auto-detected from CF API)
The broker automatically discovers configuration from:
VCAP_APPLICATION: CF application URIs and metadataVCAP_PLATFORM_OPTIONS: Platform-provided CredHub URI- CF API Info endpoint: UAA URL and OAuth endpoints
The broker can optionally load secrets from CredHub instead of environment variables:
PASSWORD: Broker basic auth passwordUAA_CLIENT_SECRET: UAA client secret
For detailed instructions on building, testing, and contributing to this project, see CONTRIBUTING.md.
# Create a service instance
cf create-service cf.identity standard my-identity
# Bind to your application
cf bind-service my-app my-identity
# Restage to receive credentials
cf restage my-appimport (
"os"
"encoding/json"
"net/http"
"crypto/tls"
)
// Parse VCAP_SERVICES
type Credentials struct {
IdUrl string `json:"id_url"`
}
func getToken() (string, error) {
// Get credentials from VCAP_SERVICES
vcapServices := os.Getenv("VCAP_SERVICES")
var services map[string][]struct {
Credentials Credentials `json:"credentials"`
}
json.Unmarshal([]byte(vcapServices), &services)
idUrl := services["cf.identity"][0].Credentials.IdUrl
// Load CF instance certificate
cert, _ := tls.LoadX509KeyPair(
"/etc/cf-instance-credentials/instance.crt",
"/etc/cf-instance-credentials/instance.key",
)
// Make request with mTLS
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
Certificates: []tls.Certificate{cert},
},
},
}
resp, err := client.Get(idUrl)
if err != nil {
return "", err
}
defer resp.Body.Close()
var result map[string]string
json.NewDecoder(resp.Body).Decode(&result)
return result["accessToken"], nil
}The broker provides a single service offering:
- Service Name:
cf.identity - Description: Service broker that creates CF (UAA) users for which tokens can be requested to access external resources when UAA is setup as backend IDP
- Bindable: Yes
- Shareable: Yes
- Plan:
standard(free)
Binding credentials include:
id_url: URL endpoint for token generation
Plan metadata includes:
idb_api: Base URL of the ID Broker for reference
- go-we: Web framework with built-in security
- go-cfclient: Cloud Foundry API client
- go-uaa: UAA client library
- credhub-client: CredHub API client
- go-cfenv: CF environment parsing
GET /health- Anonymous health check endpoint (returns when server is running)