Generic authentication service that allows user to authenticate against variety of identity providers and issue JWT token. This service also provides role administration that can be used for authorization and group administrations.
Any services that then use authentication service's public key to validate the JWT token and do stateless authentication (and basic authorization through roles / groups)
For DB backend, it can use PostgreSQL, MySQL, MariaDB, or SQLite.
git clone [email protected]:soichih/sca-auth.git sca-auth
cd sca-auth && npm install
cd ui && npm install
You will need to create your configuration by copying ./api/config/index.js.sample
to ./api/config/index.js
(and edit the content)
You also need to create your public and private keys.
openssl genrsa -out auth.key 2048
chmod 600 auth.key
openssl rsa -in auth.key -pubout > auth.pub
Create configuration file first
mkdir /etc/sca-auth
cd /etc/sca-auth
wget https://raw.githubusercontent.com/soichih/sca-auth/master/api/config/index.js.sample
cp index.js.sample index.js
And edit index.js. You need to point various paths to the right place. Just contact me if you aren't sure.
You also need to create public / prviate keys (see above for openssl genrsa
)
Then, create sca-auth container..
docker run \
--restart=always \
--name sca-auth \
-v /etc/sca-auth:/app/api/config \
-v /usr/local/data/auth:/db \
-d soichih/sca-auth
You need to expose your container's port 80 (for UI) and 8080 (for API) directly, or via web proxy like nginx. Please feel free to contact me if you aren't sure how to do that.
Once you have your UI up, you can view the API doc at /apidoc
sub directory. Or you can see our hosted version at https://sca.iu.edu/auth/apidoc/
If a user has multiple account, trying to associate with same IUCAS account ends up with basically logging in as the user account that's already associated with the IU CAS account.
iucas/register_newuser. If the uid is already registered, instead of veto-ing, forward user to a special login page and once logged in successfully, associate the IUCAS IU to the user account
Make sure only root (or allowed group of users) can issue token via CLI
Allow admin to reset password via administration/users pagee Allow user to reset his/her own password Allow admin to remove account (what should happend to profile and cached profile on other services?) Add event table logging all authentication related events (change password, etc..)
Don't let user disconnect account if there is only 1 account left that's associated with it
Implement password locking mechanism after repeated failed attempt (not necessary because we delay failed password re-try?)