The iShare auth-provider implements the authentication mechanism defined by iShare. It handles all communication with the iShare identity-provider and returns an Authorization header containing the retrieved JWT.
The provider offers an API for managing iShare-related client credentials. The credentials (a signing key in PKCS-8 format and the corresponding certificate) are stored per iShare client in the file system of the auth-provider. To retrieve all required information about the endpoint to authenticate to, the provider uses the /auth endpoint of the endpoint-configuration API. For a detailed view of the request flow between envoy and the auth-provider, take a look at the following diagram:
- envoy intercepts the request via iptables rule 2
- envoy requests auth headers from the provider
- iShare-auth-provider requests auth information from the endpoint-configuration-service
- iShare-auth-provider reads key and cert from the idp-specific folder
- iShare-auth-provider generates a token from key and cert and requests a token from the iShare IdP
- iShare-auth-provider returns the retrieved token to envoy as the "Authorization" header
- envoy adds the header to the request
- iptables rule 1 returns the request to the server
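The token-generation step of the flow above (key and certificate in, signed JWT out), as an added Go example that is not part of the auth-provider's code base. It assumes the iSHARE client-assertion conventions (RS256, certificate carried in the x5c header, iss = sub = client id, aud = IdP id, 30-second expiry), which the page does not spell out; the self-signed certificate stands in for the files in the idp-specific folder, and the function and parameter names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"strings"
	"time"
)

// NewIdentity stands in for the PKCS-8 key and certificate the provider reads from the
// client's folder: a constructed, self-signed RSA certificate returned as DER, not a
// credential issued under the iShare CA hierarchy.
func NewIdentity(cn string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// ClientAssertion builds the client_assertion JWT the provider sends to the iShare IdP:
// RS256, the certificate in the x5c header, iss = sub = client id, aud = IdP id and a 30-second
// lifetime (assumed from the iSHARE specification). All three JWT parts are base64url, unpadded.
func ClientAssertion(key *rsa.PrivateKey, certDER []byte, clientID, idpID, jti string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]interface{}{"alg": "RS256", "typ": "JWT", "x5c": []string{base64.StdEncoding.EncodeToString(certDER)}})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID, "aud": idpID, "jti": jti, "iat": now.Unix(), "exp": now.Add(30 * time.Second).Unix()})
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifySignature checks the RS256 signature over header.claims with a public key the
// caller already trusts. An IdP takes that key from the x5c certificate only after
// validating its chain against the iShare CA, and then still checks exp, aud and jti.
func VerifySignature(token string, pub *rsa.PublicKey) bool {
	parts := strings.Split(token, ".") // header.claims.signature
	sig, _ := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	digest := sha256.Sum256([]byte(strings.TrimSuffix(token, "."+parts[len(parts)-1])))
	return len(parts) == 3 && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```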
Detailed flow-chart for NGSI-LD notifications in an iShare setup:
The auth-provider is implemented in Go and available as a container on quay.io. It uses the gin framework for serving the web endpoints.
Precondition: running the unit tests requires Go v1.17.3. See the official documentation: https://go.dev/doc/install
To run the unit tests: go test -v
To run the unit tests with coverage: go test -v -covermode=count -coverprofile=coverage.out
- current reports can be viewed at coveralls
To run the integration tests, see integration-test