The FIWARE Decentralized Identity and Access Management (decentralized-aim) is an integrated suite of components designed to facilitate authentication using Verifiable Credentials (VCs) and authorization based on ODRL policies.
This repository provides a description of the FIWARE decentralized IAM, its technical implementation and deployment recipes.
This project is part of FIWARE. For more information check the FIWARE Catalogue entry for Security.
| 📚 Documentation | 🎯 Roadmap |
|---|---|
Table of Contents
The FIWARE decentralized IAM solution enables secure and decentralized authentication by leveraging Verifiable Credentials (VCs), with authorization based on attribute-based access control. More specifically, it makes it possible to:
- Interface with Trust Services aligned with EBSI specifications
- Implement authentication based on W3C DID with VC/VP standards and SIOPv2 / OIDC4VP protocols
- Implement authorization based on attribute-based access control (ABAC) following an XACML P*P architecture using Open Digital Rights Language (ODRL) and the Open Policy Agent (OPA)
Technically, the FIWARE decentralized IAM is a Helm Umbrella-Chart, containing all the sub-charts and their dependencies for deployment via Helm (i.e. the decentralized-iam and odrl-authorization charts). Being provided as a Helm chart, the FIWARE decentralized IAM can be deployed on Kubernetes environments.
The FIWARE decentralized IAM uses a continuous integration flow, where every merge to the main branch triggers a new release. Versioning follows Semantic Versioning 2.0.0; therefore only major releases will contain breaking changes. Important releases will be listed below, with additional information linked:
⚠️ The `deploy` directory in the repository contains everything necessary to set up the local deployment, with all required dependencies ready for use. However, the `deploy` directory must not be used as is for deployments in real or production environments.
⚠️ The passwords used in the `deploy` config dir for the local deployment, although they may appear secure, have been provided for the sake of greater reproducibility (to prevent consecutive deployments from modifying the stored and configured credentials, thus avoiding errors). Under no circumstances should they be used in real or production environments.
The FIWARE decentralized IAM provides a minimal local deployment setup intended for development and testing purposes.
The requirements for the local deployment are:
In order to interact with the system, the following tools are also helpful:
⚠️ In current Linux installations, `br_netfilter` is disabled by default. That leads to networking issues inside the k3s cluster and will prevent the connector from starting up properly. Make sure that it is enabled via `modprobe br_netfilter`. See Stackoverflow for more.
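A small check for the `br_netfilter` prerequisite, added here as an example (it is not part of the FIWARE decentralized-iam repository). It relies on the fact that a loaded kernel module appears as a directory under `/sys/module`; the optional `MODULE_ROOT` argument is an assumption introduced only so the check can be exercised against a constructed directory tree instead of the live kernel.

```shell
#!/bin/sh
# Added example, not code from the decentralized-iam repository.
# Verifies that the br_netfilter module is loaded before the local k3s
# deployment is started, and loads it with modprobe when it is not.
# Assumption: a loaded module shows up as /sys/module/<name>; the
# MODULE_ROOT argument exists only for testing against a constructed tree.

# br_netfilter_loaded [MODULE_ROOT]
# Returns 0 when br_netfilter is loaded, 1 otherwise.
br_netfilter_loaded() {
    root="${1:-/sys/module}"
    [ -d "$root/br_netfilter" ]
}

# ensure_br_netfilter [MODULE_ROOT]
# Loads the module if needed. Returns 0 when the module is loaded
# afterwards, 1 when it could not be loaded (e.g. missing privileges).
ensure_br_netfilter() {
    root="${1:-/sys/module}"
    if br_netfilter_loaded "$root"; then
        echo "br_netfilter: already loaded"
        return 0
    fi
    echo "br_netfilter: not loaded, trying modprobe (usually needs root)"
    if command -v modprobe >/dev/null 2>&1 && modprobe br_netfilter 2>/dev/null; then
        if br_netfilter_loaded "$root"; then
            echo "br_netfilter: loaded"
            return 0
        fi
    fi
    echo "br_netfilter: could not load it; run 'sudo modprobe br_netfilter' before 'mvn clean deploy -Plocal'" >&2
    return 1
}

# Run the check against the real kernel when executed directly with "check".
if [ "${1:-}" = "check" ]; then
    ensure_br_netfilter
fi
```

Run it as `sh br_netfilter_check.sh check` before starting the local deployment. Note that `modprobe` only loads the module for the running kernel; to keep it loaded across reboots on systemd-based distributions, list it in a file under `/etc/modules-load.d/`.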
To start the deployment, just use:
```
mvn clean deploy -Plocal
```
The decentralized-iam is a Helm Umbrella-Chart, containing all the sub-charts of the different components and their dependencies. Its sources can be found here.
The chart is available at the repository https://fiware.github.io/decentralized-iam/. You can install it via:
```
# add the repo
helm repo add decentralized-iam https://fiware.github.io/decentralized-iam/
# install the chart
helm install <DeploymentName> decentralized-iam/decentralized-iam -n <Namespace> -f values.yaml
```
Note that, due to the app-of-apps structure of the deployment and the different dependencies between the components, a deployment without providing any configuration values will not work. Make sure to provide a `values.yaml` file for the deployment, specifying all necessary parameters. This includes setting parameters of the endpoints, DNS information (providing Ingress or OpenShift Route parameters), structure and type of the required VCs, internal hostnames of the different components, and the configuration of the DID and keys/certs.
Configurations for all sub-charts (and sub-dependencies) can be managed through the top-level `values.yaml` of the chart. It contains the default values of each component and additional parameters shared between the components. The configuration of each application can be changed under the key `<APPLICATION_NAME>`; please see the individual applications and their sub-charts for the available options.
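Because the chart does not work without a `values.yaml`, a preflight that refuses to proceed without one and renders the chart locally before anything reaches the cluster is a useful habit. The script below is an added example, not part of the decentralized-iam repository; it uses only the repository URL and chart name shown above and assumes Helm 3 on `PATH`. The release name, namespace and values file path are supplied by the caller, and the script makes no assumptions about which keys the chart expects.

```shell
#!/bin/sh
# Added example, not code from the decentralized-iam repository.
# Preflight for the decentralized-iam umbrella chart: fail early on a
# missing or empty values file, then render the chart with 'helm template'
# so the manifests can be reviewed before 'helm install'.
# Assumption: Helm 3 is installed; repo URL and chart name are taken from
# the README above.

CHART_REPO_NAME="decentralized-iam"
CHART_REPO_URL="https://fiware.github.io/decentralized-iam/"
CHART="decentralized-iam/decentralized-iam"

# check_values_file FILE
# 0 when FILE is a non-empty regular file, 1 otherwise (with a reason).
check_values_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "values file '$f' not found; the chart cannot be deployed without one" >&2
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo "values file '$f' is empty; endpoints, DNS/Ingress, VC types, hostnames and DID/keys must be set" >&2
        return 1
    fi
    return 0
}

# render_chart RELEASE NAMESPACE VALUES_FILE OUT_FILE
# Registers the repo, refreshes the index and renders the chart into
# OUT_FILE without contacting the cluster. Returns helm's exit status.
render_chart() {
    release="$1"; ns="$2"; values="$3"; out="$4"
    helm repo add "$CHART_REPO_NAME" "$CHART_REPO_URL" >/dev/null || return 1
    helm repo update >/dev/null || return 1
    helm template "$release" "$CHART" -n "$ns" -f "$values" > "$out"
}

# count_kinds RENDERED_FILE
# Prints how many Kubernetes objects were rendered (one 'kind:' line each),
# a quick sanity signal that the umbrella chart actually produced manifests.
count_kinds() {
    grep -c '^kind:' "$1"
}

main() {
    release="$1"; ns="$2"; values="$3"
    check_values_file "$values" || return 1
    command -v helm >/dev/null 2>&1 || { echo "helm not found on PATH" >&2; return 1; }
    out=$(mktemp)
    render_chart "$release" "$ns" "$values" "$out" || return 1
    echo "rendered $(count_kinds "$out") objects into $out; review them, then run:"
    echo "  helm install $release $CHART -n $ns -f $values"
}

# Usage: sh preflight.sh <DeploymentName> <Namespace> values.yaml
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Reviewing the rendered output is where the security-relevant parameters get a second look: Ingress/Route hostnames, the DID, and the Secrets carrying keys and certificates all end up in that file, so it should be treated with the same care as the values file itself and deleted after review.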
The chart is published and released on each merge to master.
In order to test the Helm chart provided for the FIWARE decentralized IAM, an integration-test framework based on Cucumber and JUnit 5 is provided: it.
The tests can be executed via:
```
mvn clean integration-test -Ptest
```
They will spin up the Local Deployment and run the test scenarios against it.
Please check the documentation here.
FIWARE decentralized-iam is licensed under Apache 2.0 License.
For the avoidance of doubt, the owners of this software wish to make a clarifying public statement as follows:
Please note that software derived as a result of modifying the source code of this software in order to fix a bug or incorporate enhancements is considered a derivative work of the product. Software that merely uses or aggregates (i.e. links to) an otherwise unmodified version of existing software is not considered a derivative work, and therefore it does not need to be released under the same license, or even released as open source.