Generic Identity And Access Management

SunbirdRC was tightly coupled with keycloak for authentication & authorization of users. Currently, SunbirdRC is updated to support any identity layer (oauth2 compliant) for IAM

Generic IAM is part of release-1.0.0

SunbirdRC requires an IAM platform for mainly two purposes.

  1. authN & authZ of users to enable trust between the user and the entity.

  2. to manage user accounts for the entities created

Below steps will enable authenticating and authorizing tokens generated from any oauth2 complaint IAM service

  • Configure the below environment variables for the registry core service

- oauth2_resource_uri=https://domain/auth/
- oauth2_resource_email_path=email
- oauth2_resource_consent_path=consent
- oauth2_resource_roles_path=realm_access.roles
- oauth2_resource_entity_path=entity

oauth2_resource_uri should be configured with the domain url of the IAM service

Example value

Keycloak: `https://keycloak-domain/auth/realms/sunbird-rc`

Auth0: `https://xxxx.us.auth0.com/` (API Domain)

Fusionauth: `http://domain/` (The value of the issuer configured in the tenant page)

oauth2_resource_email_path should be configured with the path to be used for fetching email id from the token

oauth2_resource_consent_path (OPTIONAL) should be configured with the path to be used for fetching consent fields from the token

oauth2_resource_roles_path should be configured with the path to be used for fetching roles from the token

oauth2_resource_entity_path (OPTIONAL) should be configured with the path to be used for fetching entities from the token

Steps to enable creating user accounts in any IAM platform

Currently, one needs to write a custom implementation to support creating users in the respective IAM platforms. SunbirdRC provided two ways to configure it:

1. Sub module in Sunbird RC

Currently, SunbirdRC is shipped with two submodules (Keycloak & auth0) to integrate with IAM platform. https://github.com/Sunbird-RC/sunbird-rc-core/tree/main/java/middleware/registry-middleware. If you need support for any other platform then you would need to create a module in a similar fashion. You need to configure the below env with respective values

identity_provider: dev.sunbirdrc.auth.keycloak.KeycloakProviderImpl (Replace the value with your package name)
sunbird_sso_url: http://localhost:8080/auth/ (IAM url)
sunbird_sso_realm: (Optional)
sunbird_sso_admin_client_id: (Optional)
sunbird_sso_admin_client_secret: (Optional)
sunbird_keycloak_user_set_password: (Optional)
sunbird_keycloak_user_password: (Optional)
identity_user_actions: (Optional)

The module needs to be added to the core registry and you need to build a custom docker image and use it in your application.

Steps to create a submodule in SunbirdRC:

2. Wrapper service

Instead of creating a module in the core service, you can create an external/custom service which exposes an API to create users in your IAM platform.

The API should follow this API spec: https://github.com/Sunbird-RC/sunbird-rc-core/blob/6a99ab9d564ef0518ff5fa8f6730a58e51808f6d/services/sample-fusionauth-service/api-spec.yml

A sample service to create a user in FusionAuth is provided. https://github.com/Sunbird-RC/sunbird-rc-core/tree/6a99ab9d564ef0518ff5fa8f6730a58e51808f6d/services/sample-fusionauth-service

You need to configure the below env with respective values

identity_provider: dev.sunbirdrc.auth.genericiam.AuthProviderImpl
sunbird_sso_url: http://localhost:8080/auth/ (Replace the value with your service endpoint)

Last updated