Generic Identity And Access Management

SunbirdRC was tightly coupled with Keycloak for authentication & authorization of users. It has since been updated to support any OAuth2-compliant identity layer for IAM.


Last updated 1 year ago


Generic IAM is part of release-1.0.0

SunbirdRC requires an IAM platform for mainly two purposes.

  1. authN & authZ of users to enable trust between the user and the entity.

  2. to manage user accounts for the entities created

Below steps will enable authenticating and authorizing tokens generated from any OAuth2-compliant IAM service

  • Configure the below environment variables for the registry core service

- oauth2_resource_uri=https://domain/auth/
- oauth2_resource_email_path=email
- oauth2_resource_consent_path=consent
- oauth2_resource_roles_path=realm_access.roles
- oauth2_resource_entity_path=entity

oauth2_resource_uri should be configured with the domain URL of the IAM service; the registry accepts only tokens issued by this URL.

Example values

Keycloak: `https://keycloak-domain/auth/realms/sunbird-rc` (the realm URL)

Auth0: `https://xxxx.us.auth0.com/` (API Domain)

Fusionauth: `http://domain/` (the value of the issuer configured in the tenant page)

oauth2_resource_email_path should be configured with the path in the token payload from which the email id is read

oauth2_resource_consent_path (OPTIONAL) should be configured with the path in the token payload from which the consent fields are read

oauth2_resource_roles_path should be configured with the path in the token payload from which the roles are read (for Keycloak this is realm_access.roles; other IAMs place roles under a different claim)

oauth2_resource_entity_path (OPTIONAL) should be configured with the path in the token payload from which the entities are read
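The path settings above select claims out of the IAM's token payload, and the same registry configuration has to work for tokens shaped differently by each IAM product. The Python below is an added example, not Sunbird RC's own code: it resolves dotted paths such as `realm_access.roles` against two constructed sample payloads (a Keycloak-style and an Auth0-style token), refuses tokens whose `iss` is not the configured `oauth2_resource_uri`, and treats a missing claim as "absent" rather than as an error. The `PathConfig` and `Principal` names, the sample claims and the Auth0 claim name are assumptions; the token's signature is assumed to have been verified already against the IAM's published keys before its payload reaches this code.

```python
"""Resolve the oauth2_resource_*_path settings against a decoded token payload.

Added example, not Sunbird RC code. Assumes the JWT signature was verified
against the IAM's JWKS before the payload is handed to principal_from_token().
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class PathConfig:
    """Mirrors the registry's oauth2_resource_* environment variables (assumed names)."""
    resource_uri: str
    email_path: str = "email"
    roles_path: str = "realm_access.roles"
    consent_path: Optional[str] = None
    entity_path: Optional[str] = None


@dataclass
class Principal:
    """What the registry learns about the caller from the token."""
    email: str
    roles: List[str] = field(default_factory=list)
    entities: List[str] = field(default_factory=list)
    consent: Dict[str, Any] = field(default_factory=dict)


def resolve_path(payload: Dict[str, Any], path: str) -> Any:
    """Walk a dotted path such as 'realm_access.roles' through nested dicts.

    Returns None when any segment is missing, so a token without the claim is
    treated as 'claim absent' instead of raising. A claim whose own name
    contains a dot cannot be addressed by this resolver.
    """
    node: Any = payload
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def principal_from_token(payload: Dict[str, Any], cfg: PathConfig) -> Principal:
    """Build the registry's view of the caller from a verified token payload."""
    # The issuer must be the IAM the registry was configured with: a valid token
    # from some other OAuth2 server must not be mapped to a principal even if
    # its claims happen to contain plausible e-mail and role values.
    issuer = str(payload.get("iss", ""))
    if issuer.rstrip("/") != cfg.resource_uri.rstrip("/"):
        raise ValueError(f"issuer {issuer!r} is not the configured IAM")

    email = resolve_path(payload, cfg.email_path)
    if not isinstance(email, str) or not email:
        raise ValueError(f"no e-mail at token path {cfg.email_path!r}")

    roles = resolve_path(payload, cfg.roles_path) or []
    entities = resolve_path(payload, cfg.entity_path) if cfg.entity_path else None
    consent = resolve_path(payload, cfg.consent_path) if cfg.consent_path else None
    return Principal(
        email=email,
        roles=[str(r) for r in roles],
        entities=[str(e) for e in (entities or [])],
        consent=dict(consent or {}),
    )


# Constructed sample payloads, shaped like the tokens each IAM issues.
KEYCLOAK_PAYLOAD = {
    "iss": "https://keycloak-domain/auth/realms/sunbird-rc",
    "email": "issuer@example.org",
    "realm_access": {"roles": ["Issuer", "default-roles-sunbird-rc"]},
    "entity": ["Issuer"],
    "consent": {"name": True},
}
AUTH0_PAYLOAD = {
    "iss": "https://xxxx.us.auth0.com/",
    "email": "issuer@example.org",
    "https://sunbirdrc/roles": ["Issuer"],  # assumed namespaced custom claim (no dots)
}

# Configurations matching the two IAMs; only the paths that differ are overridden.
KEYCLOAK_CFG = PathConfig(
    resource_uri="https://keycloak-domain/auth/realms/sunbird-rc",
    consent_path="consent",
    entity_path="entity",
)
AUTH0_CFG = PathConfig(
    resource_uri="https://xxxx.us.auth0.com",
    roles_path="https://sunbirdrc/roles",  # flat claim, so no dotted traversal
)

if __name__ == "__main__":
    print(principal_from_token(KEYCLOAK_PAYLOAD, KEYCLOAK_CFG))
    print(principal_from_token(AUTH0_PAYLOAD, AUTH0_CFG))
```

The trailing-slash normalisation on `iss` matters in practice: Auth0 issues `iss` with a trailing slash while the configured domain usually has none, and a byte-exact comparison would reject every token.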

Steps to enable creating user accounts in any IAM platform

Currently, one needs to write a custom implementation to support creating users in the respective IAM platforms. SunbirdRC provides two ways to configure it:

1. Sub module in Sunbird RC

You need to configure the below env with respective values:

identity_provider: dev.sunbirdrc.auth.keycloak.KeycloakProviderImpl (Replace the value with your package name)
sunbird_sso_url: http://localhost:8080/auth/ (IAM url)
sunbird_sso_realm: (Optional)
sunbird_sso_admin_client_id: (Optional)
sunbird_sso_admin_client_secret: (Optional)
sunbird_keycloak_user_set_password: (Optional)
sunbird_keycloak_user_password: (Optional)
identity_user_actions: (Optional)

The module needs to be added to the core registry, and you need to build a custom docker image and use it in your application.

Currently, SunbirdRC is shipped with two submodules (Keycloak & Auth0) to integrate with IAM platforms. If you need support for any other platform, you would need to create a module in a similar fashion.

Steps to create a submodule in SunbirdRC:

  • Create a submodule in java/middleware/registry-middleware (https://github.com/Sunbird-RC/sunbird-rc-core/tree/main/java/middleware/registry-middleware)

  • Implement the IdentityProvider SPI (https://github.com/Sunbird-RC/sunbird-rc-core/blob/generic-auth/java/middleware/registry-middleware/identity-provider/src/main/java/dev/sunbirdrc/registry/identity_providers/providers/IdentityProvider.java), which returns the IdentityManager that handles user creation functionality. (Example: KeycloakProviderImpl, https://github.com/Sunbird-RC/sunbird-rc-core/blob/generic-auth/java/middleware/registry-middleware/keycloak/src/main/java/dev/sunbirdrc/auth/keycloak/KeycloakProviderImpl.java)

  • The returned object should implement IdentityManager (https://github.com/Sunbird-RC/sunbird-rc-core/blob/generic-auth/java/middleware/registry-middleware/identity-provider/src/main/java/dev/sunbirdrc/registry/identity_providers/pojos/IdentityManager.java), which handles user creation and returns the user id. (Example: KeycloakAdminUtil, https://github.com/Sunbird-RC/sunbird-rc-core/blob/generic-auth/java/middleware/registry-middleware/keycloak/src/main/java/dev/sunbirdrc/auth/keycloak/KeycloakAdminUtil.java)

  • A Service Provider is configured and identified through a provider configuration file which we put in the resource directory META-INF/services. The file name is the fully-qualified name of the SPI and its content is the fully-qualified name of the SPI implementation. (Example: https://github.com/Sunbird-RC/sunbird-rc-core/blob/generic-auth/java/middleware/registry-middleware/keycloak/src/main/resources/META-INF/services/dev.sunbirdrc.registry.identity_providers.providers.IdentityProvider)

  • Update the identity_provider env with the provider package name

2. Wrapper service

Instead of creating a module in the core service, you can create an external/custom service which exposes an API to create users in your IAM platform.

You need to configure the below env with respective values:

identity_provider: dev.sunbirdrc.auth.genericiam.AuthProviderImpl
sunbird_sso_url: http://localhost:8080/auth/ (Replace the value with your service endpoint)

The API should follow this API spec: https://github.com/Sunbird-RC/sunbird-rc-core/blob/6a99ab9d564ef0518ff5fa8f6730a58e51808f6d/services/sample-fusionauth-service/api-spec.yml

A sample service to create a user in FusionAuth is provided: https://github.com/Sunbird-RC/sunbird-rc-core/tree/6a99ab9d564ef0518ff5fa8f6730a58e51808f6d/services/sample-fusionauth-service