Cloud Identity Manager (cidm) will take care of Authentication and Authorization mechanism as a service for a suite of services.
Actors
-
User client . Actions executed via Web Browser for login only , this actions get translated to REST calls.
-
Service clients (micro services), executed via SSL or any other secure method inside the Customer instance. High level flow
-
User client enters their login credentials
-
Identity Manager Server verifies the credentials are correct and returns a signed JWT token .
-
This token is stored client-side, most commonly in Web Browser local storage .
-
Subsequent User clients requests to the API Gateway server include this token as an additional Authorization header.
-
API Gateway server handover the request to Identity Manager Server decodes the JWT and if the token is valid processes the request
-
Once a user logs out, the token is destroyed client-side, no interaction with the server is necessary.
Token-based authentication is stateless. The server does not keep a record of which users are logged in or which JWTs have been issued (at least not explicitly). Instead, every request to the server is accompanied by a token which the server uses to verify the authenticity of the request. The token is generally sent as an addition Authorization header in form of Bearer {JWT} JWT has three distinct parts that are URL encoded for transport:
- Header: The header contains the metadata for the token and at a minimal contains the type of the signature and/or encryption algorithm
- Claims: The claims contains any information that you want signed
- JSON Web Signature (JWS): The headers and claims digitally signed using the algorithm in the specified in the header
Example of JWT Token
//header
{
"alg": "HS256", //algorithm
"typ": "JWT" //denotes the type (shorthand typ) of token this is
}
//claims
{
"sub": "[email protected]",
"name": "Tom Abbott",
"role": "user"
}
REST API, full programatic access to the internals makes it easy to manage your API users, keys and API Configuration from within your systems
Implement simple schema for authorization, based on this principle : who can use Role X to Action on Resoruce Y .
Roles:
- (GET)roles.Read (resource uri level)
- (PUT) roles.Update
- (POST)roles.Create
- (DELETE)roles.Delete
Resource: defined by Service level
- Authentication with OAuth 2
- Basic schema for authorization .
Install postgresql, reference
Connect to the data base and run the data base creation script available in
/resource/sql/initdb.sql
In Google cloud console go to API & Services > OAuth 2.0 client IDs
Update dependencies with dep
dep ensure
Build docker
docker build -t cimd .
Run docker
docker run --publish 30030:8080 --name cimd --rm cimd
Run install
go install github.com/craguilar/cidm/cmd/cidm-server
See code hints TODO , for pending actions on this project.