This repository is part of the commercial open source project CZERTAINLY. You can find more information about the project at CZERTAINLY repository, including the contribution guide.

Auth service is designed as a central service for managing access control to different resources and related actions and objects, and identify users based on identification token.

Auth service offers the following functionality:

• identification of user
• management of roles
• management of users and their roles membership
• management of resources and related actions
• management of role permissions for specific resources and related actions
• issuing authorization tokens

User can belong to multiple roles and permissions are merged in this case from all assigned roles.

Note The authorization is performed by the OPA. The Auth service manages users, roles, and associated permissions that can be assigned to users.

Users can be identified based on identification token provided in this order:

1. X.509 certificate
2. JSON ID
3. Username of system user

After successful identification, user details with its merged role permissions is returned. If none of the above specified data is present, user is identified as anonymous user with limited permissions.

When identifying user with certificate, its content string is decoded and parsed. Afterwards it is verified if it is valid and trusted.

Then, based on its fingerprint, it is mapped to user from database and return authentication response. The certificate can be assigned to maximum of 1 user.

When identifying user with JSON ID, it is decoded and must conform to the required structure. Username specified in the JSON ID is used as unique information based on which user is identified.

Auth service can be further configured to create user or role, if it does not exist.

Username is used only for internal identification of system users to elevate permissions and perform actions that are otherwise subject to authorization. This is not exposed for the external systems.

This service does not evaluate permissions. The authorization is controlled by the Open Policy Agent. For more information, refer to CZERTAINLY Documentation.

Auth service is provided as a Docker container. Use the 3keycompany/czertainly-auth:tagname to pull the required image from the repository. It can be configured using the following environment variables:

Variable	Description	Required	Default value
AUTH_DB_CONNECTION_STRING	Connection string for database access		N/A
AUTH_CREATE_UNKNOWN_USERS	Unknown user with username specified in JSON authentication token will be created		false
AUTH_CREATE_UNKNOWN_ROLES	Unknown role with name specified in JSON authentication token will be created and assigned to user		false