Merge branch 'master' into fix/issue52
Showing 6 changed files with 59 additions and 67 deletions.
@@ -1,11 +1,3 @@ | ||
# INDIGO Identity and Access Management service | ||
|
||
This is the INDIGO Identity and Access Management service code repository. | ||
|
||
# Summary | ||
|
||
* [Release notes](CHANGELOG.md) | ||
* [About Indigo IAM](doc/about.md) | ||
* [Developer guide](doc/developer.md) | ||
* [Deployment and Administration guide](doc/admin.md) | ||
* [User guide](doc/user.md) | ||
The INDIGO IAM (Identity and Access Management service) provides user identity and policy information to services so that consistent authorization decisions can be enforced across distributed services. |
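Review bot: dropping the "Summary" list removes the only links from the README to CHANGELOG.md and the doc/ guides (about, developer, admin, user), so the new one-sentence description leaves a reader with no way to reach the deployment, administration and user documentation from the landing page; unless those pages were deleted in this commit, keep at least a short pointer such as `* [Deployment and Administration guide](doc/admin.md)` below the description, or link the new location if the guides moved.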
@@ -0,0 +1 @@ | ||
|
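Review bot: a file whose entire content is one blank line should either get a heading that says what it is for or be left out of the commit; as it stands it shows up as an empty page in the docs tree and gives no hint whether it is a placeholder for a section still to be written.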
@@ -0,0 +1,34 @@ | ||
## OAuthN Token exchange support | ||
|
||
The current release of Indigo IAM implements an essential set of feature of the | ||
[Token Exchange OAuth specification](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-05). | ||
Indigo IAM supports only impersonation semantic: delegation is not yet supported. | ||
|
||
### Configuration | ||
Clients that request Token Exchange must be configured with | ||
the `urn:ietf:params:oauth:grant-type:token-exchange` grant type enabled. | ||
|
||
### Usage | ||
A client who wants to exchange an access token with a new one, must send a request to the `/token` endpoint, | ||
with the properties described below: | ||
|
||
1. Supply its valid access token in `subject_token` request field. | ||
2. Specify a valid client_id in `audience` field: this is the ID of the target resource which client wants to access. | ||
3. Requested scopes must be a subset of the scopes enabled on the client specified as `audience`. | ||
|
||
There are some scopes that are considered "specials". | ||
They are identity, refresh and SCIM related scopes: | ||
|
||
`openid`, `profile`, `email`, `address`, `phone`, `offline_access`, `scim:read`, `scim:write` | ||
|
||
These scopes, in order to be "exchanged" across services, need to be present in the set of | ||
scopes linked to the subject token that is presented for the exchange. | ||
|
||
|
||
### Limitation and known issues | ||
The current implementation of Token Exchange in Indigo IAM, has some limitations. | ||
|
||
* Delegation is not yet supported: if `actor_token` or the flag `want_composite` are specified within the request, an error | ||
response is returned by the authorization server. | ||
* The `audience` field is mandatory and not optional, as mentioned into the specification: it must be a valid client identifier. | ||
* The `resource` field is ignored. |
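Review bot: the scope rule in the "Usage" section needs to be stated both ways. It says the requested scopes must be a subset of those enabled on the `audience` client, and that only the listed "special" scopes (`openid`, `profile`, `email`, `address`, `phone`, `offline_access`, `scim:read`, `scim:write`) must also be present on the subject token; the implication that any other scope can be obtained through an exchange even when the subject token never carried it is exactly what an operator has to understand before enabling this grant type, so say it explicitly, say whether the requesting client's own allowed scopes are checked as well, and say what the server returns when a special scope is requested but missing from the subject token (error, or silently dropped). The request description is also incomplete: besides `subject_token` and `audience` the client has to send `grant_type=urn:ietf:params:oauth:grant-type:token-exchange` (already mentioned under "Configuration") and `subject_token_type`, which the referenced specification marks as required; a complete example request would remove the guesswork. Minor: the heading reads "OAuthN Token exchange support", presumably "OAuth"; "an essential set of feature" should be "features"; "as mentioned into the specification" should be "as in the specification".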
@@ -0,0 +1,9 @@ | ||
## OpenID-connect Authorization Server | ||
|
||
The IAM is based on the [MitreID-connect server application][mitre], so refer | ||
to the [mitre documentation][mitre-doc] for help on client management and other | ||
[APIs][mitre-doc-api] that are exposed by the service. | ||
|
||
[mitre]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server | ||
[mitre-doc]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki | ||
[mitre-doc-api]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/API |
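Review bot: spell the product names as their projects do, "OpenID Connect" in the heading and "MITREid Connect" in the first sentence, so that readers searching the upstream docs find them. Since this section sends administrators to the upstream wiki for all client management, it should also say that IAM-specific client settings, such as enabling the `urn:ietf:params:oauth:grant-type:token-exchange` grant type described in the token exchange page added in this same commit, are not covered there; otherwise an operator will look for them in the wrong place.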