DX-AAA is the Authentication, Authorization, and Accounting server for accessing DX services.
- Register for roles
- Get DX access tokens to consume resources
- Manage client credentials
- Manage delegations
- Register resource servers and manage APDs
- Search for users registered on the DX
- Make a config file based on the template in
./configs/config-example.json
- Setup the key used to sign JWT tokens
- Modify the database url and associated credentials in the appropriate sections
- Set up the database using Flyway
- Set up Keycloak
The Current Implementation of JWT in iudx-aaa-server is based on Vert.x vertx-auth-jwt
library. The Vert.x JWT implementation or any other Vertx security implementations generally requires a creation/implementation of security interface AuthenticationProvider, In JWT case it is JWTAuth as Authentication Provider
There are multiple types of signature methods used for signing JWT, and each of them either requires buffer or PKI or certificates, or jks for instantiating the Authentication Provider in Vertx.
The current implementation is based on asymmetric key algorithm ECDSA (Elliptic Curve Digital Signature Algorithm), and the signature method is ES256.
The Authentication Provider looks for aliases in the provided Keystore to verify and sign the generated JWT. The keystore and keypair should also be generated and signed using same algorithm which is required to sign and verify the JWT. For Signature algorithm ES256, the keystore alias is ES256.
The Keytool command to generate ECDSA keystore keypair is:
keytool -genkeypair -keystore keystore-ec.jks -storetype jks -storepass secret -keyalg EC -alias ES256 -keypass secret -sigalg SHA256withECDSA -dname "CN=,OU=,O=,L=,ST=,C=" -validity 360 -deststoretype pkcs12
The keystore path and the keystore password should then be added to the server config.
Flyway is used to manage the database schema and handle migrations. The migration files are located at src/main/resources/db/migrations. The following pre-requisites are needed before running flyway
:
- An admin user - a database user who has create schema/table privileges for the database. It can be the super user.
- An auth user - a database user with no privileges; this is the database user that will be configured to make queries from the server
(e.g.
CREATE USER auth WITH PASSWORD 'randompassword';
)
flyway.conf must be updated with the required data.
flyway.url
- the database connection URLflyway.user
- the username of the admin userflyway.password
- the password of the admin userflyway.schemas
- the name of the schema under which the tables are createdflyway.placeholders.authUser
- the username of the auth user
Please refer here for more information about Flyway config parameters.
After this, the info
command can be run to test the config. Then, the migrate
command can be run to set up the database. At the /iudx-aaa-server
directory, run
mvn flyway:info -Dflyway.configFiles=flyway.conf
mvn flyway:migrate -Dflyway.configFiles=flyway.conf
The database details should then be added to the server config.
The AAA server uses Keycloak to manage user identity. Please refer here to become familiar with Keycloak terminology.
-
The AAA server requires a client to be configured that would allow the server to interact with Keycloak. The client would be able to search for users on the configured Keycloak realm, as well as validate OIDC tokens issued by Keycloak from that realm. This client must have the capability to search for users and realms (In Service account roles -> client roles -> realm-management -> add view-users to Assigned roles)
-
Email as username
needs to be configured in theLogin
tab of the Realm settings.
The Keycloak URL and realm information along with the client IDs and client secret information should then be added to the server config.
- Install docker and docker-compose
- Clone this repo
- Build the images
./docker/build.sh
- Modify the
docker-compose.yml
file to map the config file you just created - Start the server in production (prod) or development (dev) mode using docker-compose
docker-compose up prod
- The server will be up on port 8080. To change the port, add
httpPort:<desired_port_number>
to the config in theApiServerVerticle
module. See configs/config-example.json for an example.
- Install java 11 and maven
- Set Environment variables
export AUTH_URL=http://<auth-domain-name>
export LOG_LEVEL=INFO
- Use the maven exec plugin based starter to start the server
mvn clean compile exec:java@aaa-server
- The server will be up on port 8080. To change the port, add
httpPort:<desired_port_number>
to the config in theApiServerVerticle
module. See configs/config-example.json for an example.
- Install java 11 and maven
- Set Environment variables
export AUTH_URL=http://<auth-domain-name>
export LOG_LEVEL=INFO
- Use maven to package the application as a JAR
mvn clean package -Dmaven.test.skip=true
- 2 JAR files would be generated in the
target/
directoryiudx.aaa.server-cluster-0.0.1-SNAPSHOT-fat.jar
- clustered vert.x containing micrometer metricsiudx.aaa.server-dev-0.0.1-SNAPSHOT-fat.jar
- non-clustered vert.x and does not contain micrometer metrics
Note: The clustered JAR requires Zookeeper to be installed. Refer here to learn more about how to set up Zookeeper. Additionally, the zookeepers
key in the config being used needs to be updated with the IP address/domain of the system running Zookeeper.
The JAR requires 3 runtime arguments when running:
- --config/-c : path to the config file
- --hostname/-i : the hostname for clustering
- --modules/-m : comma separated list of module names to deploy
e.g.
java -Dvertx.logger-delegate-factory-class-name=io.vertx.core.logging.Log4j2LogDelegateFactory -jar target/iudx.aaa.server-cluster-0.0.1-SNAPSHOT-fat.jar --host $(hostname) -c configs/config.json -m iudx.aaa.server.admin.AdminVerticle,iudx.aaa.server.token.TokenVerticle,iudx.aaa.server.registration.RegistrationVerticle,iudx.aaa.server.auditing.AuditingVerticle
Use the --help/-h
argument for more information. You may additionally append an AUTH_JAVA_OPTS
environment variable containing any Java options to pass to the application.
e.g.
$ export AUTH_JAVA_OPTS="-Xms128m -Xmx512m"
$ java $AUTH_JAVA_OPTS -jar target/iudx.aaa.server-cluster-0.0.1-SNAPSHOT-fat.jar ...
The JAR requires 1 runtime argument when running:
- --config/-c : path to the config file
e.g.
java -Dvertx.logger-delegate-factory-class-name=io.vertx.core.logging.Log4j2LogDelegateFactory -jar target/iudx.aaa.server-dev-0.0.1-SNAPSHOT-fat.jar -c configs/config.json
Use the --help/-h
argument for more information. You may additionally append an AUTH_JAVA_OPTS
environment variable containing any Java options to pass to the application.
e.g.
$ export AUTH_JAVA_OPTS="-Xms128m -Xmx512m"
$ java $AUTH_JAVA_OPTS -jar target/iudx.aaa.server-dev-0.0.1-SNAPSHOT-fat.jar ...
- Run the server through either docker, maven or redeployer
- Run the all unit tests for a Service
mvn -Dtest=TokenServiceTest test
- Run the unit tests for a method in a Service
mvn -Dtest=TokenServiceTest#validateTokenSuccess test
- Run the server through either docker, maven or redeployer
- Run the unit tests and generate a surefire report
mvn clean test-compile surefire:test surefire-report:report
- Reports are stored in
./target/
Postman collection and enviroment files can be found at src/main/resources/postman.
For contribution guidelines, see CONTRIBUTING.