Merge branch 'master' into fix/issue52
enricovianello committed Oct 18, 2016
2 parents 9dc48ed + 93ef415 commit 57f1b02
Showing 6 changed files with 59 additions and 67 deletions.
10 changes: 1 addition & 9 deletions README.md
@@ -1,11 +1,3 @@
# INDIGO Identity and Access Management service

This is the INDIGO Identity and Access Management service code repository.

# Summary

* [Release notes](CHANGELOG.md)
* [About Indigo IAM](doc/about.md)
* [Developer guide](doc/developer.md)
* [Deployment and Administration guide](doc/admin.md)
* [User guide](doc/user.md)
The INDIGO IAM (Identity and Access Management service) provides user identity and policy information to services so that consistent authorization decisions can be enforced across distributed services.
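Review bot: the README loses every link into the documentation (release notes, about, developer, admin and user guides) and keeps only the one-sentence description, while SUMMARY.md keeps the index. Readers arriving through GitHub rather than the rendered book get no pointer to `doc/` or `CHANGELOG.md`. Suggest keeping a short documentation list below the new sentence, e.g. `* [Release notes](CHANGELOG.md)` and `* [User guide](doc/user-guide/README.md)`.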
5 changes: 4 additions & 1 deletion SUMMARY.md
@@ -4,4 +4,7 @@
* [About Indigo IAM](doc/about.md)
* [Developer guide](doc/developer.md)
* [Deployment and Administration guide](doc/admin.md)
* [User guide](doc/user.md)
* [User guide](doc/user-guide/README.md)
* [OpenID-connect Authorization Server](doc/user-guide/oidc_auth_server.md)
* [OAuthN Token exchange support](doc/user-guide/oauthn_token_exchange.md)
* [SCIM API reference](doc/user-guide/scim_api.md)
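Review bot: the three new entries are sub-pages of the user guide, so they belong nested under the `User guide` item (indented list items) rather than listed as its siblings; the nesting is not visible in this rendering, so please check the indentation in the source. Also "OAuthN Token exchange" is not the name of the specification the new page cites, which is the OAuth 2.0 Token Exchange draft; "OAuth Token Exchange support" avoids confusion with the authentication abbreviation AuthN. "OpenID-connect" is normally written "OpenID Connect".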
1 change: 1 addition & 0 deletions doc/user-guide/README.md
@@ -0,0 +1 @@

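Review bot: doc/user-guide/README.md is added with a single blank line, yet SUMMARY.md now links `User guide` to it, so the landing page of the guide renders empty. Suggest at least a `# User guide` heading and a short list linking oidc_auth_server.md, oauthn_token_exchange.md and scim_api.md.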
34 changes: 34 additions & 0 deletions doc/user-guide/oauthn_token_exchange.md
@@ -0,0 +1,34 @@
## OAuthN Token exchange support

The current release of Indigo IAM implements an essential set of feature of the
[Token Exchange OAuth specification](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-05).
Indigo IAM supports only impersonation semantic: delegation is not yet supported.

### Configuration
Clients that request Token Exchange must be configured with
the `urn:ietf:params:oauth:grant-type:token-exchange` grant type enabled.

### Usage
A client who wants to exchange an access token with a new one, must send a request to the `/token` endpoint,
with the properties described below:

1. Supply its valid access token in `subject_token` request field.
2. Specify a valid client_id in `audience` field: this is the ID of the target resource which client wants to access.
3. Requested scopes must be a subset of the scopes enabled on the client specified as `audience`.

There are some scopes that are considered "specials".
They are identity, refresh and SCIM related scopes:

`openid`, `profile`, `email`, `address`, `phone`, `offline_access`, `scim:read`, `scim:write`

These scopes, in order to be "exchanged" across services, need to be present in the set of
scopes linked to the subject token that is presented for the exchange.


### Limitation and known issues
The current implementation of Token Exchange in Indigo IAM, has some limitations.

* Delegation is not yet supported: if `actor_token` or the flag `want_composite` are specified within the request, an error
response is returned by the authorization server.
* The `audience` field is mandatory and not optional, as mentioned into the specification: it must be a valid client identifier.
* The `resource` field is ignored.
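Review bot: the scope rules in Usage together with the "special" scopes paragraph leave the central authorization question open: item 3 bounds the requested scopes only by what is enabled on the `audience` client, and only the listed special scopes are required to be present on the subject token, which reads as if a client could obtain any non-special scope the audience client is enabled for even when the subject token never carried it. If that is the intended behaviour, state it explicitly (and whether the requesting client's own allowed scopes are checked as well); if not, say that requested scopes must also be a subset of the subject token's scopes. The Usage section also never shows the request itself: add the `grant_type=urn:ietf:params:oauth:grant-type:token-exchange` parameter (currently mentioned only under Configuration as a client setting), the `subject_token_type` value the server accepts, how the client authenticates to `/token`, and a sample request and response. Under Limitations, say what the `audience` value is used for in the issued token and which error code is returned when `actor_token` or `want_composite` is present. Wording: "set of feature" → "set of features", "impersonation semantic" → "impersonation semantics", 'considered "specials"' → "considered special", "Limitation and known issues" → "Limitations and known issues", and "mandatory and not optional, as mentioned into the specification" reads as if the specification makes it mandatory; "mandatory, unlike the specification, where it is optional" says what is meant.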
9 changes: 9 additions & 0 deletions doc/user-guide/oidc_auth_server.md
@@ -0,0 +1,9 @@
## OpenID-connect Authorization Server

The IAM is based on the [MitreID-connect server application][mitre], so refer
to the [mitre documentation][mitre-doc] for help on client management and other
[APIs][mitre-doc-api] that are exposed by the service.

[mitre]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
[mitre-doc]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki
[mitre-doc-api]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/API
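Review bot: now that this section lives in its own file, its heading should be top-level (`# OpenID-connect Authorization Server`) rather than `##`; the same applies to the other two new pages. "OpenID-connect" → "OpenID Connect". Content-wise the page only defers to the MitreID wiki; a sentence on where the IAM's own endpoints (for instance the `/token` endpoint used by token exchange) differ from stock MitreID would make it worth its own page.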
67 changes: 10 additions & 57 deletions doc/user.md → doc/user-guide/scim_api.md
@@ -1,46 +1,3 @@
# User guide

## OpenID-connect Authorization Server

The IAM is based on the [MitreID-connect server application][mitre], so refer
to the [mitre documentation][mitre-doc] for help on client management and other
[APIs][mitre-doc-api] that are exposed by the service.

## OAuthN Token exchange support

The current release of Indigo IAM implements an essential set of feature of the
[Token Exchange OAuth specification](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-05).
Indigo IAM supports only impersonation semantic: delegation is not yet supported.

### Configuration
Clients that request Token Exchange must be configured with
the `urn:ietf:params:oauth:grant-type:token-exchange` grant type enabled.

### Usage
A client who wants to exchange an access token with a new one, must send a request to the `/token` endpoint,
with the properties described below:

1. Supply its valid access token in `subject_token` request field.
2. Specify a valid client_id in `audience` field: this is the ID of the target resource which client wants to access.
3. Requested scopes must be a subset of the scopes enabled on the client specified as `audience`.

There are some scopes that are considered "specials".
They are identity, refresh and SCIM related scopes:

`openid`, `profile`, `email`, `address`, `phone`, `offline_access`, `scim:read`, `scim:write`

These scopes, in order to be "exchanged" across services, need to be present in the set of
scopes linked to the subject token that is presented for the exchange.


### Limitation and known issues
The current implementation of Token Exchange in Indigo IAM, has some limitations.

* Delegation is not yet supported: if `actor_token` or the flag `want_composite` are specified within the request, an error
response is returned by the authorization server.
* The `audience` field is mandatory and not optional, as mentioned into the specification: it must be a valid client identifier.
* The `resource` field is ignored.

## SCIM API reference

The IAM server has a RESTful API that is used to manage users, change their personal information, add or remove them from a group, add Open ID Connect accounts, x509 certificates, ssh keys, ecc.
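Review bot: with `# User guide` removed, scim_api.md now starts at `## SCIM API reference`; promote it to `#` so the page has a top-level heading. The unchanged context line keeps the typo "ecc." (the Italian abbreviation) for "etc." and "Open ID Connect" for "OpenID Connect"; worth fixing while the file is being moved.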
@@ -396,11 +353,11 @@ Request params:

Requires `ROLE_ADMIN` or scope `scim:write`.

PUT performs a full update.
Clients should retrieve the entire resource and then PUT the desired modifications as the operation
overwrites all previously stored data.
A successful PUT operation returns a 200 OK response code and the entire
resource within the response body.
PUT performs a full update.
Clients should retrieve the entire resource and then PUT the desired modifications as the operation
overwrites all previously stored data.
A successful PUT operation returns a 200 OK response code and the entire
resource within the response body.

Example of changing the userName from `john_lennon` to `j.lennon` and setting `active` as true:
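Review bot: the removed and added lines of this hunk read identically, so the change is whitespace only (most likely trailing spaces), and the same holds for the PATCH and group PUT hunks below. If the intent is Markdown hard line breaks (two trailing spaces), say so in the commit message or join the sentences into one paragraph instead: invisible trailing whitespace is stripped by many editors and will churn these files again.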

@@ -500,8 +457,8 @@ Requires `ROLE_ADMIN` or scope `scim:write`.

PATCH enables consumers to send only the attributes requiring modification, reducing network and processing overhead.
Attributes may be deleted, replaced, merged, or added in a single request.
The body of a PATCH request MUST contain a partial resource with the desired modifications.
The server MUST return either a 200 OK response code and the entire Resource within the response body,
The body of a PATCH request MUST contain a partial resource with the desired modifications.
The server MUST return either a 200 OK response code and the entire Resource within the response body,
or a 204 No Content response code and the appropriate response headers for a successful PATCH request.

The following example shows how to replace the userName:
@@ -703,9 +660,9 @@ GET http://localhost:8080/scim/Groups?startIndex=22&count=1

Requires `ROLE_ADMIN` or scope `scim:write`.

PUT performs a full update. Clients should retrieve the entire resource and then PUT the desired modifications
as the operation overwrites all previously stored data.
A successful PUT operation returns a 200 OK response code and the entire resource within the response body.
PUT performs a full update. Clients should retrieve the entire resource and then PUT the desired modifications
as the operation overwrites all previously stored data.
A successful PUT operation returns a 200 OK response code and the entire resource within the response body.

Example of replacing group with a different displayName:

@@ -790,7 +747,3 @@ GET /scim/Groups/5bae2407-08e3-4171-b180-4b4a0196e7b6
]
}
```

[mitre]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
[mitre-doc]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki
[mitre-doc-api]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/API
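Review bot: dropping the `[mitre]`, `[mitre-doc]` and `[mitre-doc-api]` link definitions is correct only if no remaining text in scim_api.md still uses those references; the OIDC section that used them has moved to oidc_auth_server.md together with its own copies of the definitions. Please grep the moved file for `[mitre` before merging, since an unresolved reference renders as literal bracketed text.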

0 comments on commit 57f1b02