Identity Manager - Keyrock

FIWARE Security Support badge

This project is part of FIWARE. You will find more information about this FIWARE GE here.

  • You will find the source code of this project in GitHub here
  • You will find the documentation of this project in Read the Docs here

Welcome to the main repository for the UPM's implementation of the FIWARE Identity Management Generic Enabler. Thanks to this component and together with PEP Proxy and Authorization PDP GEs, you will add authentication and authorization security to your services and applications.

Currently, the main concepts of Keyrock are: - Users - Have a registered account in Keyrock. - Can manage organizations and register applications. - Organizations - Are group of users that share resources of an application (roles and permissions). - Users can be members or owners (manage the organization). - Applications. - It has the client role in the OAuth 2.0 architecture and will request protected user data. More information can be found in OAuth section - Are able to authenticate users using their Oauth credentials (id and secret) which unequivocally identify the application. - Define roles and permissions to manage authorization of users and organizations. - Can register Pep Proxy to protect backends. - Can register IoT Agents.

Software requirements

This GE is based on a javascript environment and SQL databases. In order to run the identity manager the following requirements must be installed:

  • node.js
  • npm
  • mysql-server (^5.7)

How to Build & Install

You can deploy your own Keyrock instance by following this steps:

  • Clone Proxy repository:
git clone https://github.com/ging/fiware-idm.git
  • Install the dependencies:
cd fiware-idm/
npm install
  • Duplicate config.template in config.js:
cp config.js.template config.js
  • Configure data base access credentials:
config.database = {
    host: 'localhost',           // default: 'localhost'
    password: 'idm',             // default: 'idm'
    username: 'root',            // default: 'root'
    database: 'idm',             // default: 'idm'
    dialect: 'mysql'             // default: 'mysql'
}
  • To configure the server to listen HTTPs requests, generate certificates OpenSSL and configure config.js:
./generate_openssl_keys.sh
config.https = {
    enabled: true,      //default: 'false'
    cert_file: 'certs/idm-2018-cert.pem',
    key_file: 'certs/idm-2018-key.pem',
    port: 443
}
  • Create database, run migrations and seeders:
npm run-script create_db
npm run-script migrate_db
npm run-script seed_db
  • Start server with admin rights (server listens in 3000 port by default or in 443 if HTTPs is enabled).
sudo npm start

You can test de Identity manager using the default user: - Email: admin@test.com - Password: 1234

Docker

We also provide a Docker image to facilitate you the building of this GE.

  • Here you will find the Dockerfile and the documentation explaining how to use it.
  • In Docker Hub you will find the public image.

Changes Introduced in 7.x

They biggest change introduced in 7.x is that the identity manager no longer depends on Openstack components Keystone and Horizon. Now is fully implemented in Node JS. Another remarkable changes have been made:

  1. A driver has been implemented in order to make authentication against another database different from the default one.+
  2. The appearance of the web portal can be easily modified though configurable themes.
  3. Now users don't need to switch session in order to create an application that will belong to an organization.
  4. Permissions of an application can be edited or deleted.

API Overview

Several resources could be managed through the API like users, applications or organizations. Further information could be found in the API section.

Finally, one of the main uses of this Generic Enabler is to allow developers to add identity management (authentication and authorization) to their applications based on FIWARE identity. This is posible thanks to OAuth2 protocol. For more information check the OAuth2 API.

Advanced Documentation

License

The MIT License

Copyright (C) 2018 Universidad Polit├ęcnica de Madrid.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.