MMS5 Auth Service
This service lets MMS5 service clients authenticate against an LDAP server.
A GET to the /login endpoint with HTTP basic auth (the user's LDAP credentials) returns a JWT bearer token that the client then presents to the rest of the MMS5 service endpoints. The MMS5 Layer 1 service uses the username and groups claims in that token for authorization, so the namespaces and the IRIs derived from them must match the subjects of any policies defined in MMS5 Layer 1. Because the credentials travel in the Authorization header, serve /login only over TLS.
Example token payload (decoded claims):
{
"aud": "jwt-audience",
"iss": "https://mms5.openmbee.org/",
"groups": [
"ldap/group/some.group",
"ldap/group/some.group2"
],
"exp": 1688671245,
"username": "ldap/user/someuser"
}
Example policy in the MMS5 Layer 1 quadstore whose subjects are the user and one of the groups from the token above. The subject IRIs are LDAP_GROUP_STORE_CONTEXT + users/ + the username claim, and LDAP_GROUP_STORE_CONTEXT + groups/ + each group claim:
prefix m-graph: <http://layer1-service/graphs/>
prefix m-policy: <http://layer1-service/policies/>
prefix mms: <https://mms.openmbee.org/rdf/ontology/>
# mms-object: is used for the role below; it was not declared in the original snippet and this IRI is assumed
prefix mms-object: <https://mms.openmbee.org/rdf/objects/>
graph m-graph:AccessControl.Policies {
m-policy:somepolicy a mms:Policy ;
# context + users/ + username claim
mms:subject <http://layer1-service/users/ldap/user/someuser> ;
# context + groups/ + group claim
mms:subject <http://layer1-service/groups/ldap/group/some.group> ;
mms:role mms-object:Role.AdminRepo ;
mms:scope <http://layer1-service/orgs/someorg/repos/somerepo> .
}
A user can belong to many LDAP groups. To keep the token small, the service only includes groups that are already registered in the MMS5 Layer 1 quadstore, so the relevant groups must be present there first. Each group is an mms:Group in the AccessControl.Agents graph whose mms:id is the namespaced name that appears in the token's groups claim:
prefix mms: <https://mms.openmbee.org/rdf/ontology/>
prefix m-graph: <http://layer1-service/graphs/>
prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
graph m-graph:AccessControl.Agents {
<http://layer1-service/groups/ldap/group/some.group> rdf:type mms:Group ;
mms:id "ldap/group/some.group" .
}
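The following is an added example and not code from the MMS5 Auth Service or Layer 1. It shows the two halves of the flow described above: the auth service filtering the user's LDAP groups down to the registered ones and minting an HS256 token with the shared JWT_SECRET, and the Layer 1 side verifying that token and deriving the subject IRIs it compares against mms:subject in a policy. The settings are the README defaults; JWT_DOMAIN is assumed to be the iss claim, the HS256 algorithm and the claim-to-IRI mapping are assumptions drawn from the example token and policy, and the registered group set and LDAP group list are constructed inputs.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed settings: the README defaults, with JWT_DOMAIN set to the issuer
# shown in the example token. JWT_SECRET must equal Layer 1's JWT_SECRET.
JWT_SECRET = "test1234"
JWT_AUDIENCE = "jwt-audience"
JWT_DOMAIN = "https://mms5.openmbee.org/"
LDAP_GROUP_STORE_CONTEXT = "http://layer1-service/"
LDAP_USER_NAMESPACE = "ldap/user/"
LDAP_GROUP_NAMESPACE = "ldap/group/"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(username, ldap_groups, registered_ids, now=None, ttl=3600):
    """Auth-service side. ldap_groups are the cn values LDAP returned for the
    user; registered_ids are the mms:id values of mms:Group nodes in the
    AccessControl.Agents graph. Only groups present in both go into the token."""
    now = int(time.time()) if now is None else now
    groups = sorted(LDAP_GROUP_NAMESPACE + g for g in ldap_groups
                    if LDAP_GROUP_NAMESPACE + g in registered_ids)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": JWT_AUDIENCE, "iss": JWT_DOMAIN, "groups": groups,
               "exp": now + ttl, "username": LDAP_USER_NAMESPACE + username}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(JWT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token, now=None):
    """Layer 1 side. Returns the claims, or None if the token must be rejected.
    The algorithm is pinned to HS256 (a header claiming alg=none is refused),
    the signature is compared in constant time, and aud/iss/exp are checked."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(JWT_SECRET.encode(), f"{head}.{body}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("aud") != JWT_AUDIENCE or claims.get("iss") != JWT_DOMAIN:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def policy_subjects(claims):
    """The IRIs Layer 1 compares against mms:subject in a policy:
    context + users/ + username claim, and context + groups/ + each group claim."""
    return ([LDAP_GROUP_STORE_CONTEXT + "users/" + claims["username"]]
            + [LDAP_GROUP_STORE_CONTEXT + "groups/" + g for g in claims["groups"]])


if __name__ == "__main__":
    # Constructed inputs: two registered groups, three groups returned by LDAP.
    registered = {"ldap/group/some.group", "ldap/group/some.group2"}
    tok = mint_token("someuser", ["some.group", "some.group2", "other"], registered,
                     now=1688667645)
    print(tok)
    print(policy_subjects(verify_token(tok, now=1688667645)))
```

With a one-hour TTL and `now=1688667645` the minted exp equals the 1688671245 in the example token; the group `other` is dropped because it is not registered, and a token whose signature byte is flipped, whose signature is empty, or whose exp has passed is refused.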
Use environment variables for the options below.
MMS5 Config Options
- LDAP_GROUP_STORE_URI
  The SPARQL endpoint of the quadstore that the MMS5 Layer 1 service also uses
  Default: http://localhost:8081/bigdata/namespace/kb/sparql
- LDAP_GROUP_STORE_CONTEXT
  The same context that is configured for the MMS5 Layer 1 service
  Default: http://layer1-service/
- LDAP_USER_NAMESPACE
  The namespace prepended to the username to form its IRI
  Default: ldap/user/
- LDAP_GROUP_NAMESPACE
  The namespace prepended to the group name to form its IRI
  Default: ldap/group/
LDAP Connection Configuration Options
- LDAP_LOCATION
  The LDAP URL. Port 636 conventionally serves LDAPS, so use an ldaps:// URL (or StartTLS) rather than plain ldap:// so the credentials bound to LDAP are not sent in cleartext
  Default: ldap://ldap.openmbee.org:636
- LDAP_BASE
  The LDAP base DN
  Default: dc=openmbee,dc=org
- LDAP_USER_PATTERN
  LDAP user search pattern; %s is replaced by the username from basic auth
  Default: uid=%s,ou=users
- LDAP_GROUP_SEARCH_FILTER
  LDAP filter that finds the groups a user belongs to; the %s placeholders are filled in by the service
  Default: (&(objectclass=group)(uniqueMember=%s)(|(%s)))
- LDAP_GROUP_ATTRIBUTE
  LDAP attribute holding the group name
  Default: cn
Service Config Options
- PORT
  Port to run on
  Default: 8080
- JWT_DOMAIN
  Issuer placed in the token's iss claim
  Default: https://jwt-provider-domain/
- JWT_AUDIENCE
  Audience placed in the token's aud claim
  Default: jwt-audience
- JWT_REALM
  Realm reported in the authentication challenge
  Default: MMS5 Microservices
- JWT_SECRET
  Shared secret used to sign tokens. This needs to be the same as what is configured for the MMS5 Layer 1 service. Change the default before deploying: anyone who knows this secret can mint tokens that Layer 1 accepts
  Default: test1234