The DOME IAM-Framework is a set of microservices that enables users in the DOME ecosystem to authenticate to the DOME Marketplace.
💡 For detailed information on how to integrate with the DOME Marketplace, check the Integration Guide
The DOME IAM-Framework consists of multiple open-source components. None of them is mandatory: any component can be swapped out, as long as the alternative provides the same interfaces.
The IAM-Framework consists of the following components:
The Trusted-Issuers-List service provides an EBSI Trusted Issuers Registry implementation to act as the Trusted-List-Service in the DSBA Trust and IAM Framework. In addition, a Trusted-Issuers-List API is provided to manage the issuers.
VCVerifier provides the necessary endpoints to offer SIOP-2/OIDC4VP compliant authentication flows. It exchanges VerifiableCredentials for JWTs that can be used for authentication and authorization in downstream components.
Credentials Config Service manages and provides information about services and the credentials they are using. It returns the scope to be requested from the wallet per service and the credentials and issuers that are considered to be trusted for a certain service.
The Keycloak-VC-Issuer is a plugin for Keycloak that supports SIOP-2/OIDC4VP clients and issues VerifiableCredentials through the OIDC4VCI protocol to compliant wallets.
An implementation of a Policy Decision Point that evaluates JSON Web Tokens containing VerifiableCredentials in a DSBA-compliant way. It also supports evaluation in the context of i4Trust.
Keyrock is the FIWARE component responsible for Identity Management. Using Keyrock (in conjunction with other security components) enables you to add OAuth2-based authentication and authorization security to your services and applications.
The Kong plugins extend the API Gateway Kong with further functionality required for FIWARE-based environments. Kong Gateway is a lightweight, fast, and flexible cloud-native API gateway. An API gateway is a reverse proxy that lets you manage, configure, and route requests to your APIs.
It is recommended to install the IAM components on Kubernetes (> 1.26.7) using Helm. For alternative installations, see the individual components' documentation.
💡 An example of a federated marketplace, deployed on top of a managed Kubernetes by IONOS, can be found in DOME-Gitops
The IAM components are provided as an Umbrella Chart, containing dependencies on all mentioned components, so that they can all be installed at once:
helm repo add dome-iam https://dome-marketplace.github.io/iam-components
helm install <RELEASE_NAME> dome-iam/iam-components
💡 All releases of the IAM-components reside in the helm-repository https://dome-marketplace.github.io/iam-components. In addition, all pre-release versions (built from the pull requests) are provided in the pre-repo https://dome-marketplace.github.io/iam-components/pre. The pre-repo is cleaned up from time to time to keep the index manageable.
It provides a sane set of default values. To actually use the IAM components, the following values have to be replaced:
- rbac and serviceAccount: depending on your requirements, you might need to adapt the settings for RBAC and the service account
- ingress or route: set these up to make a component externally accessible
- dids of participants: replace/add the DIDs of the issuer and the other participants, and provide the correct key in keyfile.json for your issuer
- keycloak.frontendUrl: externally accessible address of Keycloak (should be the same as defined in ingress/route)
- keycloak.realm: adapt clients, users and roles according to your needs
- tir.com: replace everywhere with the actual TIR
- keyrock.initData.scriptData: adapt the roles to match the Keycloak realm
- kong.configMap: adapt the Kong services and their routes
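As an added example (not part of the DOME IAM-components chart or its repository), the following POSIX shell script renders the chart with an override file and refuses to install while the placeholders listed above are still present: the tir.com placeholder host, and DIDs that do not have the did:<method>:<method-specific-id> shape defined by W3C DID Core. The helm commands at the end are the standard helm template / helm upgrade --install invocations; the release name my-iam, the file my-values.yaml and the two sample manifests embedded for a stand-alone run are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the DOME IAM-components chart. Pre-install check:
# render the chart locally and verify that the README's placeholders were
# actually replaced before anything reaches the cluster.
set -u

# Return 1 if the placeholder TIR host "tir.com" survived into the rendered
# manifests (the README says it must be replaced everywhere), 0 otherwise.
check_no_placeholder_tir() {
    rendered="$1"
    if grep -n 'tir\.com' "$rendered" >/dev/null; then
        echo "ERROR: placeholder host tir.com still present in $rendered:" >&2
        grep -n 'tir\.com' "$rendered" >&2
        return 1
    fi
    return 0
}

# Validate one DID against the W3C DID Core syntax:
# did:<method>:<method-specific-id>, method in lower-case letters/digits,
# id made of ALPHA / DIGIT / "." / "-" / "_" / ":" / pct-encoded characters.
check_did() {
    printf '%s\n' "$1" | grep -Eq '^did:[a-z0-9]+:[A-Za-z0-9._:%-]+$'
}

# Pull every did:... token out of a rendered manifest and validate each one.
check_dids_in() {
    rendered="$1"
    rc=0
    for d in $(grep -oE 'did:[^"[:space:]]+' "$rendered" || true); do
        if ! check_did "$d"; then
            echo "ERROR: malformed DID '$d' in $rendered" >&2
            rc=1
        fi
    done
    return $rc
}

# Combined gate to run before helm upgrade --install.
preflight() {
    check_no_placeholder_tir "$1" && check_dids_in "$1"
}

# Constructed sample manifests so the script runs stand-alone (no helm needed):
# BAD still carries the tir.com placeholder and an empty did:web: id.
BAD=$(mktemp)
GOOD=$(mktemp)
trap 'rm -f "$BAD" "$GOOD"' EXIT
cat >"$BAD" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: issuer-config
data:
  TIR_URL: "https://tir.com"
  ISSUER_DID: "did:key:zDnaeXAMPLE"
  PARTICIPANT_DID: "did:web:"
EOF
cat >"$GOOD" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: issuer-config
data:
  TIR_URL: "https://tir.example.org"
  ISSUER_DID: "did:key:zDnaeXAMPLE"
  PARTICIPANT_DID: "did:web:marketplace.example.org"
EOF

# The first call reports the leftover tir.com host and fails; the second passes.
if preflight "$BAD"; then echo "unexpected: bad manifest passed"; fi
preflight "$GOOD" && echo "sample manifest OK"

# Real workflow (needs helm and the chart repo; not executed here):
#   helm repo add dome-iam https://dome-marketplace.github.io/iam-components
#   helm template my-iam dome-iam/iam-components -f my-values.yaml > rendered.yaml
#   preflight rendered.yaml && \
#     helm upgrade --install my-iam dome-iam/iam-components -f my-values.yaml
```

Rendering with helm template first means the check sees the manifests exactly as the cluster would, including values that only appear after templating (for example the TIR URL copied into several components' config). Extend the placeholder list with any other defaults you want to forbid in production.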
The Helm-Chart is integration-tested with a local k3s-instance.
The test uses the following tools:
- templated by Helm, using the Helm Maven-Plugin
- deployed with the k3s Maven-Plugin
- tested with Cucumber
The test setup looks as follows:
To execute all tests, run:
mvn clean integration-test
The definition of features is available under the test-resources. Steps can be added to the StepDefinitions or through a new class.
The IAM-components repository uses a CI pipeline to deliver the Helm chart as a tested and versioned component.
The CI is set up as follows:
- integration tests are executed on every push
- on every PR to main, the CI checks whether anything inside the /charts/iam-components folder was changed
  - if false: skip the release and allow merging to main
  - if true:
    - generate the new version, based on the tag assigned to the PR (patch, minor, major)
    - set the version in Chart.yaml, postfixed with -PRE-<PR_NUMBER> following the SemVer 2.0 spec
    - generate the updated documentation
    - add the chart to the pre-repo (https://dome-marketplace.github.io/iam-components/pre)
- on push to main (e.g. a merged PR), the CI checks whether anything inside the /charts/iam-components folder was changed
  - if false: skip the release
  - if true:
    - generate the new version, based on the tag assigned to the PR (patch, minor, major)
    - set the version in Chart.yaml
    - generate the updated documentation
    - add the chart to the helm-repo (https://dome-marketplace.github.io/iam-components)
    - create a tag and a GitHub release