This component provides capability of Identity and Access Management Services to manage authentication and authorization across the system. It is based on spring authorization server and ensures that access privileges are granted according to user's roles and client's scopes and all individuals and services are properly authenticated and authorized before accessing any exposed APIs in the system. It ensures that proper Role Based Access policies are in place and each user/machine are able to access only the authorized features for which they have respective privileges in the system using OAuth 2.1 and OpenID Connect 1.0 specifications.

It handles IDAM(Identity and Access Management) use cases like token generation by different grant types like client credentials, authorization code, refresh token, adding custom claims to tokens, token revocation, token introspection, password recovery, email verification, login services, sign-up services, etc.

• Getting Started
• Usage
• How to contribute
• Built with Dependencies
• Code of Conduct
• Authors
• Security Contact Information
• Support
• Troubleshooting
• License
• Announcements
• Acknowledgments

To build the project in the local working directory after the project has been cloned/forked, run:

mvn clean install

from the command line interface.

1. PostgreSQL Installation and a Database manager tool like DBeaver to handle db transactions when required over Local environment.
2. DB Setup by following steps mentioned in Local DB Setup
3. There would be interaction required with UIDAM User Management for user, client and account authentication. Please make sure to run respective components on different ports and update the property user-management-base-url, postgres.username and postgres.password in application.properties accordingly.
4. Install Postman locally for running curl commands
5. Maven version 3.6 or higher
6. Java version 17

How to set up maven

Install Java

Multitenancy Configuration

1. Install PostgreSQL and a Database manager tool like DBeaver
2. If it is a fresh installation then need to create uidam_management database and uidam schema in uidam_management database before running the application.
3. Steps to create db and schema(fresh installation)
   1. Drop role if exist - DROP ROLE IF EXISTS uidam_management;
   2. Create a user for db - create user uidam_management with password 'uidam_management';
   3. alter user uidam_management CREATEDB;
   4. Create database - CREATE DATABASE uidam_management owner uidam_management;
   5. \c uidam_management;
   6. Check all schema exists in db - \dn
   7. Create schema - CREATE SCHEMA IF NOT EXISTS uidam;
4. Steps to create schema in case db already exists but schema is not exist:
   1. Check all schema exists in db - \dn
   2. Create schema - CREATE SCHEMA IF NOT EXISTS uidam;
5. When the application is run, Liquibase will take care of creating tables in the schema and populating with default data.

Run mvn clean install

1. Run the Application by running the main class AuthorizationServerApplication.java
2. As Liquibase in included in the project, so it would take care of tracking, managing and applying database schema changes along with default data creation.
3. Run local curl commands in postman as described in Usage Section using the default credentials as shared in the Default Data Section
4. To be able to access the Login Page, the following steps can be performed:
   1. Enter the following url in the browser(Client ID, Scopes and Redirect URI can be updated as per the client details in the database) https://localhost:9443/oauth2/authorize?response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=<SCOPES>
   2. Once Login Page is open, enter correct user credentials and click on Login. You may use the default user credentials shared in the Default Data Section
   3. Once logged in, the user will be redirected to the redirect_uri with the authorization code in the query parameter
   4. Use the authorization code to generate the token using the token endpoint using curl commands in Curl Commands Section

• CLIENT_ID - Registered Client ID
• SCOPES - List of scopes separated by space. Example: "SelfManage ManageUsers"
• REDIRECT_URI - Redirect URI for the registered client

checkStyle.xml is the coding standard to follow while writing new/updating existing code.

Checkstyle plugin maven-checkstyle-plugin:3.2.1 is integrated in pom.xml which runs in the validate phase and check goal of the maven lifecycle and fails the build if there are any checkstyle errors in the project.

To run checkstyle plugin explicitly, run the following command:

mvn checkstyle:check

mvn test

Or run a specific test

mvn test -Dtest="TheFirstUnitTest"

To run a method from within a test

mvn test -Dtest="TheSecondUnitTest#whenTestCase2_thenPrintTest2_1"

UIDAM Authorization Server can be used to generate tokens using different grant types like client credentials, authorization code, refresh token, etc. It can be used to revoke tokens, introspect tokens, etc. It can also be used to add custom claims to tokens as well as support Spring thymeleaf templates for login page, sign up page, forgot password services, etc. with configurable captcha services. It provides the following services:

1. User/Client Authentication and Token generation using following grant types:
   • Client Credentials
   • Authorization Code (PKCE and non-PKCE)
   • Refresh Token
2. Token Introspection
3. Token Revocation
4. Token Claim Customization
5. Email Verification Services
6. Password Recovery Services
7. Login Services along with configured Captcha Services
8. Federated User Authentication
9. Scope Validation as part of User/Client Authorization

• Default user credentials: admin/ChangeMe
• Default client credentials: test-portal/ChangeMe
• Rest of the predefined data like roles, scopes, default users, default clients, etc. are created by Liquibase scripts as part of the UIDAM User Management component

1. Access Token Generation using grant type: client credentials

curl -k --location 'https://localhost:9443/oauth2/token' --header 'content-type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'scope<CLIENT_SCOPES>' --data-urlencode 'client_id=<CLIENT_ID>' --data-urlencode 'client_secret=<CLIENT_SECRET>'

2. Authorization Code Authorize Endpoint to generate authorization code (try below URL in browser)

https://localhost:9443/oauth2/authorize?response_type=code&client_id=<CLIENT_ID>&redirect_uri=<CLIENT_REDIRECT_URI>&scope=<CLIENT_SCOPES>

3. Authorization Code Token Endpoint to generate token using authorization code(grant type: authorization code)

curl -k --location 'https://localhost:9443/oauth2/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=authorization_code' --data-urlencode 'code=<AUTH_CODE>' --data-urlencode 'client_id=<CLIENT_ID>' --data-urlencode 'redirect_uri=<REDIRECT_URI>' --data-urlencode 'client_secret=<CLIENT_SECRET>' 4. Authorization Code Authorize Endpoint with PKCE to generate authorization code with PKCE

https://localhost:9443/oauth2/authorize?response_type=code&client_id=<CLIENT_ID>&redirect_uri=<CLIENT_REDIRECT_URI>&scope=<CLIENT_SCOPES>&code_challenge=<CODE_CHALLENGE>&code_challenge_method=S256

5. Authorization Code Token Endpoint with PKCE to generate token using authorization code with PKCE(grant type: authorization code)

curl -k --location 'https://localhost:9443/oauth2/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=authorization_code' --data-urlencode 'code=<AUTH_CODE>' --data-urlencode 'client_id=<CLIENT_ID>' --data-urlencode 'redirect_uri=<REDIRECT_URI>' --data-urlencode 'code_verifier=<CODE_VERIFIER>' --data-urlencode 'client_secret=<CLIENT_SECRET>'

6. Token Revoke to revoke token

curl -k --location 'https://localhost:9443/oauth2/revoke' --header 'Authorization: Basic <BASE64_ENCODED_CLIENT_ID_CLIENT_SECRET>' --header 'content-type: application/x-www-form-urlencoded' --data-urlencode 'token=<ACCESS_TOKEN>' --data-urlencode 'client_id=<CLIENT_ID>' --data-urlencode 'client_secret=<CLIENT_SECRET>' 7. Token Introspect to introspect token

curl -k --location 'https://localhost:9443/oauth2/introspect' --header 'Authorization: Basic <BASE64_ENCODED_CLIENT_ID_CLIENT_SECRET>' --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/json' --data-urlencode 'token=<ACCESS_TOKEN>' 8. Token generation using "refresh token" grant type(Refresh token is generated when token is generated using authorization code or with PKCE)

curl -k --silent --location --request POST 'https://localhost:9443/oauth2/token' --header 'Content-Type: application/x-www-form-urlencoded' --header 'Authorization: Basic <BASE64_ENCODED_CLIENT_ID_CLIENT_SECRET>' --data-urlencode 'grant_type=refresh_token' --data-urlencode 'scopes=<CLIENT_SCOPES>' --data-urlencode 'refresh_token=<REFRESH_TOKEN>'

Note: Replace the placeholders with actual values. The above shared curls are for localhost, please replace "localhost" with the actual server URL.

• Make sure you have Java installed in your system
• Open CMD
• Go to java JAVA_INSTALLATION_FOLDER\bin
• Use the following command: keytool -genkey -alias <alias_name> -keyalg RSA -keypass <key-password> -storepass <store-password> -keystore <full path where jks to be stored along with jks file name>.jks -validity <validity period in days> -keysize 4096
• Add required details
• Jks file would be created
• Encoded jks has to be used in uidam chart, so use the following command to generate the same To encode jks -> cat <jks-file-name>.jks | base64 -w 0
• Update encrypted value in values.yaml (jks_file) of uidam-authorization-server charts. ex: Source of values.yaml - jks_file
• Along with jks, update the chart with jks alias (values.yaml -> keyAlias) and jks password (values.yaml -> keystorePassword).

• Create the public.cert using keytool -export -alias <alias_name> -keystore <jks file name>.jks -rfc -file <public-key-cert-file-name>.cert
• Use this command to get certificate details: keytool -list -rfc -keystore <jks file name>.jks -alias <alias_name> -storepass <store-password>
• Create pem file from cert using the following command openssl x509 -in< public-key-cert-file-name>.cert -out <public-key-pem-file-name>.pem
• To get public key from pem, use below: openssl x509 -pubkey -noout -in public-key-pem-file-name>.pem
• This public key needs to be updated in UIDAM Authorization server charts values.yaml (uidam_pub)
• This pem file would need to be updated in api gateway charts and hivemq charts for token validation.

• CLIENT_SCOPES - Space separated scopes for the registered client like openid SelfManage
• CLIENT_ID - Registered Client ID
• CLIENT_SECRET - Registered Client Secret
• CLIENT_REDIRECT_URI - Redirect URI for the registered client
• CODE_CHALLENGE - PKCE Code Challenge
• CODE_VERIFIER - Code Verifier
• AUTH_CODE - Authorization Code
• ACCESS_TOKEN - Access Token
• REFRESH_TOKEN - Refresh Token
• BASE64_ENCODED_CLIENT_ID_CLIENT_SECRET - Base64 encoded client_id:client_secret, Example testClientid:testClientpwd will be encoded as dGVzdENsaWVudGlkOnRlc3RDbGllbnRwd2Q=

• SQL DAO - SQL DAO to manage database transactions
• Spring Boot - The web framework used
• Maven - Build tool used for dependency management
• PostgreSQL - Relational database
• Spring Authorization Server - OAuth2.0 Authorization Server
• Spring Framework - Web framework used for building the application.
• Junit - Unit testing framework.
• Mockito - Mocking framework for testing.
• Java 17 - Java version
• Liquibase - Manages database schema changes.
• Lombok - Auto-generates Java boilerplate code (e.g., getters, setters, builders).
• Thymeleaf - Template Engine
• SnakeYAML - YAML parser
• Logback - Logging facade providing abstraction for various logging frameworks
• SLF4J - Logging API

Please read CONTRIBUTING.md for details on our contribution guidelines, and the process for submitting pull requests to us.

Please read CODE_OF_CONDUCT.md for details on our code of conduct, and the process for submitting pull requests to us.

Check here the list of contributors who participated in this project.

Please read SECURITY.md to raise any security related issues.

Please write to us at csp@harman.com

Please read CONTRIBUTING.md for details on how to raise an issue and submit a pull request to us.

This project is licensed under the Apache-2.0 License - see the LICENSE file for details.

All updates to this component are present in our releases page. For the versions available, see the tags on this repository.