MMS5 Auth Service

This service currently allows MMS5 Service clients to authenticate with an ldap server.

Using the GET /login endpoint with basic auth will return a JWT bearer token that the client can then use with the rest of MMS5 Service endpoints. The username and groups indicated in the token are then used by MMS5 layer1 service for authorization. The same namespace and iri must match any policies defined in MMS5 layer1.

Example token:

{
    "aud": "jwt-audience",
    "iss": "https://mms5.openmbee.org/",
    "groups": [
        "ldap/group/some.group",
        "ldap/group/some.group2"
    ],
    "exp": 1688671245,
    "username": "ldap/user/someuser"
}

Example policy with subject in MMS5 Layer1 quadstore:

prefix m-graph: <http://layer1-service/graphs/>
prefix m-policy: <http://layer1-service/policies/>
prefix mms: <https://mms.openmbee.org/rdf/ontology/>
graph m-graph:AccessControl.Policies {
    m-policy:somepolicy a mms:Policy ;
        mms:subject <http://layer1-service/users/ldap/user/someuser> ;
        mms:subject <http://layer1-service/groups/ldap/group/some.group> ;
        mms:role mms-object:Role.AdminRepo ;
        mms:scope <http://layer1-service/orgs/someorg/repos/somerepo> .
}

Because a user can belong to many groups in ldap, in order to minimize the amount of groups in the token, relevant groups need to be present in the MMS5 layer 1 quadstore first:

prefix mms: <https://mms.openmbee.org/rdf/ontology/>
prefix m-graph: <http://layer1-service/graphs/>
prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
graph m-graph:AccessControl.Agents {
    <http://layer1-service/groups/ldap/group/some.group> rdf:type mms:Group ;
            mms:id "ldap/group/some.group" .
}

Use environment variables for the options below.

MMS5 Config Options

LDAP_GROUP_STORE_URI

The quadstore sparql endpoint that’s also being used by MMS5 layer 1 service

Default: http://localhost:8081/bigdata/namespace/kb/sparql

LDAP_GROUP_STORE_CONTEXT

The same context that’s configured for MMS5 layer 1 service

Default: http://layer1-service/

LDAP_USER_NAMESPACE

The namespace that’ll be prepended to the username to create an iri

Default: ldap/user/

LDAP_GROUP_NAMESPACE

The namespace that’ll be prepended to group name to create an iri

Default: ldap/group/

Ldap Connection Configuration Options

LDAP_LOCATION

The ldap url

Default: ldap://ldap.openmbee.org:636

LDAP_BASE

The ldap base

Default: dc=openmbee,dc=org

LDAP_USER_PATTERN

Ldap user search pattern

Default: uid=%s,ou=users

LDAP_GROUP_SEARCH_FILTER

Ldap filter to groups a user belongs to

Default: (&(objectclass=group)(uniqueMember=%s)(|(%s)))

LDAP_GROUP_ATTRIBUTE

Ldap group attribute

Default: cn

Service Config Options

PORT

Port to run on

Default: 8080

JWT_DOMAIN

Default: https://jwt-provider-domain/

JWT_AUDIENCE

Default: jwt-audience

JWT_REALM

Default: MMS5 Microservices

JWT_SECRET

This needs to be the same as what’s configured for MMS5 Layer1 Service

Default: test1234