
Micro-service for identity and access management, facilitating user, organization, and role management with Keycloak integration. Offers SDKs and clients for seamless application communication.
IM is a microservice for Identity and Access Management built with Kotlin and Spring Cloud Function, leveraging a Keycloak instance. It enables the creation and management of Spaces, Users, Organizations, and Privileges, which can then be used to authenticate via Keycloak.
IM simplifies identity and access management with the following features:
IM interacts with Keycloak using Keycloak's Admin Client and exposes endpoints to communicate with other applications.
Define the necessary parameters in your application.yml file:

```yaml
connect:
  fs:
    url: http://fs:8090
```

A sample docker-compose configuration for the IM Gateway:
```yaml
services:
  im-gateway:
    image: ${DOCKER_REPOSITORY}im-gateway:${VERSION_IM}
    environment:
      - server_port=8004
      - f2_tenant_issuer-base-uri=${KC_URL_PUBLIC}
      - connect_im_keycloak_url=${KC_URL_PUBLIC}
      - connect_im_keycloak_realm=${KC_ROOT_REALM}
      - connect_im_keycloak_clientId=${KC_IM_CLIENT_ID}
      - connect_im_keycloak_clientSecret=${KC_IM_CLIENT_SECRET}
    ports:
      - "8004:8004"
```

Features act as access control filters, defining the specific contexts in which permissions can be applied. They ensure permissions are valid only in allowed contexts.
| Permission Name | Description | Required Features |
|---|---|---|
| im_user_read | Ability to view any user data | feat_im_all, feat_im_own |
| im_user_write | Ability to modify any user data | feat_im_all, feat_im_own |
| im_user_role_write | Ability to modify the roles of a user | feat_im_all, feat_im_own |
| im_organization_read | Ability to view any organization data | feat_im_all |
| im_organization_write | Ability to modify any organization data | feat_im_all |
| im_organization_write_own | Ability to modify own organization data | feat_im_all, feat_im_own |
| im_organization_apikey_read | Ability to read any organization API keys | feat_im_all |
| im_organization_status_write | Ability to write organization status | feat_im_all |
| im_role_read | Ability to view any role data | feat_im_all, feat_im_own |
| im_role_write | Ability to modify any role data | feat_im_all |
| im_apikey_read | Ability to view API keys | feat_im_all, feat_im_own |
| im_apikey_write | Ability to modify API keys | feat_im_all, feat_im_own |
| im_space_read | Ability to view space data | feat_im_all |
| im_space_write | Ability to modify space data | feat_im_all |
| im_mfa_force_otp | Ability to force MFA otp on a user | feat_im_all |
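The table above can be read as a two-step check: a permission is only usable when the caller also holds one of its required features, and the feature decides the context. The following is an added example written for this page (not code from the IM project) that models that check; it assumes, for illustration, that `feat_im_all` covers any target and `feat_im_own` covers only targets in the caller's own organization, and the two principals are constructed sample input.

```python
# Added example, not part of the IM project: models the permission/feature
# filter described in the table above. The context semantics of the two
# features (feat_im_all = any target, feat_im_own = targets in the caller's
# own organization) are an assumption made for illustration.
from dataclasses import dataclass

# Required features per permission, transcribed from the table above.
PERMISSION_FEATURES = {
    "im_user_read": {"feat_im_all", "feat_im_own"},
    "im_user_write": {"feat_im_all", "feat_im_own"},
    "im_user_role_write": {"feat_im_all", "feat_im_own"},
    "im_organization_read": {"feat_im_all"},
    "im_organization_write": {"feat_im_all"},
    "im_organization_write_own": {"feat_im_all", "feat_im_own"},
    "im_organization_apikey_read": {"feat_im_all"},
    "im_organization_status_write": {"feat_im_all"},
    "im_role_read": {"feat_im_all", "feat_im_own"},
    "im_role_write": {"feat_im_all"},
    "im_apikey_read": {"feat_im_all", "feat_im_own"},
    "im_apikey_write": {"feat_im_all", "feat_im_own"},
    "im_space_read": {"feat_im_all"},
    "im_space_write": {"feat_im_all"},
    "im_mfa_force_otp": {"feat_im_all"},
}

@dataclass(frozen=True)
class Principal:
    organization_id: str
    permissions: frozenset
    features: frozenset

def is_allowed(principal, permission, target_org_id):
    """Allow only if the permission is granted, one of its required features
    is held, and that feature's context (assumed above) covers the target."""
    required = PERMISSION_FEATURES.get(permission)
    if required is None or permission not in principal.permissions:
        return False  # unknown permission or not granted: deny by default
    usable = required & principal.features
    if "feat_im_all" in usable:
        return True  # assumed: no restriction on the target organization
    if "feat_im_own" in usable:
        return target_org_id == principal.organization_id  # assumed: own org only
    return False  # permission granted, but no held feature allows this context

# Constructed sample principals (not real IM data).
ADMIN = Principal("org-a", frozenset({"im_user_read", "im_role_write"}),
                  frozenset({"feat_im_all"}))
MEMBER = Principal("org-a", frozenset({"im_user_read", "im_role_write",
                   "im_organization_write_own"}), frozenset({"feat_im_own"}))
```

Note that `MEMBER` holds `im_role_write` but cannot use it at all, because that permission requires `feat_im_all`: granting a permission without a matching feature is a no-op rather than a wider grant.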
Use the following dependencies in your Kotlin project to manage Users, Organizations, and Roles:

```kotlin
implementation("io.komune.im:user-domain:${Versions.im}")
implementation("io.komune.im:organization-domain:${Versions.im}")
implementation("io.komune.im:role-domain:${Versions.im}")
```

The clients provided use Ktor and should be singletons:
```kotlin
import org.springframework.beans.factory.annotation.Value
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration

@Configuration
class ImConfig(
    private val tokenProvider: TokenProvider
) {
    // Base URL of the IM service, read from the `im.url` property
    @Value("\${im.url}")
    lateinit var imUrl: String

    // A single Ktor-backed client for the application; a bearer token is
    // obtained from the token provider for each request
    @Bean
    fun userClient() = UserClient(
        url = imUrl,
        generateBearerToken = tokenProvider::getToken
    )
}
```

To build and package the Keycloak plugin:

1. `i2-keycloak:keycloak-plugin`
2. `./gradlew i2-keycloak:keycloak-plugin:shadowJar`
3. `i2-keycloak/docker/`

(steps 2 and 3 can be done automatically with `make package-keycloak`)
On the Keycloak clients ("xxx-web" and "account"), add a hardcoded claim `event-http-wehbook` whose value is the URL the events are sent to.
When running locally with Keycloak inside a Docker container, use the host's IP address instead of localhost.
The events that are sent can be filtered from the Keycloak GUI under Events > Login Events Settings > Save Events ON > Saved Types.
Endpoint example:

```kotlin
import org.springframework.context.ApplicationContext
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration

@Configuration
class KeycloakEventEndpoint(
    private val applicationContext: ApplicationContext
) {
    // @PermitAll: the webhook is reachable without a token, so the Keycloak
    // plugin can post to it; restrict who can reach this endpoint at the network level
    @PermitAll
    @Bean
    fun keycloakEvent(): F2Consumer<KeycloakHttpEvent> = f2Consumer { event ->
        println(event.type)
        // Re-publish the Keycloak event as a Spring application event for in-process listeners
        applicationContext.publishEvent(event)
    }
}
```