Go to file
Nicolas CARON ac1ea1ba2c
Build and Push Docker Image / checkout_repository (push) Successful in 6s Details
Build and Push Docker Image / login_docker_registry (push) Successful in 5s Details
Build and Push Docker Image / build_and_push_image (push) Failing after 4s Details
test workflow build and push on gitea registry
2024-03-13 14:55:11 +01:00
.github/workflows test workflow build and push on gitea registry 2024-03-13 14:55:11 +01:00
.idea psql first commit 2023-04-25 15:14:42 +03:00
examples/grpcclient psql first commit 2023-04-25 15:14:42 +03:00
grpcapi Extend PostgreSQL implementation and unit tests on MongoDB storage 2023-05-02 00:34:33 +02:00
handlers fixing some issues 2023-07-18 12:38:07 +02:00
oidc-provider psql first commit 2023-04-25 15:14:42 +03:00
schemas/CMS psql first commit 2023-04-25 15:14:42 +03:00
storage create branch mika 2023-09-06 13:37:31 +02:00
.gitignore Refactor previous COOPGO Identity service - Initial commit 2022-08-02 12:26:28 +02:00
Dockerfile psql first commit 2023-04-25 15:14:42 +03:00
LICENCE.md psql first commit 2023-04-25 15:14:42 +03:00
README.md Extend PostgreSQL implementation and unit tests on MongoDB storage 2023-05-02 00:34:33 +02:00
config.go fixing some issues 2023-07-18 12:38:07 +02:00
go.mod fixing some issues 2023-07-18 12:38:07 +02:00
go.sum fixing some issues 2023-07-18 12:38:07 +02:00
main.go psql first commit 2023-04-25 15:14:42 +03:00

README.md

COOPGO Mobility Accounts

COOPGO Mobility Accounts is a webservice handling profiles management on the COOPGO Technical Platform.

It supports the CMS standard for accounts data and a flexible data model to extend its functionalities.

It provides :

  • Accounts data management and basic authentication/identification functionalities
  • a gRPC API for accounts management (Create, update, delete, manage credentials, ...)
  • an OAuth2 / OpenID Connect Provider based on Ory Fosite library
  • Flexible account data models using JSON schemas to handle the CMS standard and to be extended for other or specific use cases

What is expected in a near future :

  • An OpenID connect client to link accounts to other identification providers
  • An integration mechanism to share account data with other services through APIs

What it's not and will not be (others do it much better !) :

  • a full featured identity management platform
  • a UI to manage accounts (you will have to create your own UIs / applications to interact through gRPC with COOPGO Mobility Accounts)

This project is under development and not stable yet.

Getting started

Run locally

COOPGO Mobility Accounts can be configured through a config.yaml (other formats might be supported). Many defaults already exist but you must provide some configuration for example if you need to enable OpenID Connect.

Example of config.yaml file targetting a mongodb database :

dev_env: true

storage:
  db:
    mongodb:
      host: user:password@localhost

services:
  oidc_provider:
    enable: true
    csrf_key: 32-byte-long-auth-key-----------
    port:     8091
    namespaces: 
      default:
        namespace: default
        secret_key: some-cool-secret-that-is-32bytes
        templates_dir: oidc-provider/templates/default
        match_claims: 
          "urn:cms:personal-informations:read": personal_information
          "urn:cms:civil-status:read": civil_status
          "urn:cms:favorites:read": favorites
          "urn:cms:driving-licence:read": driving_licence
          "urn:cms:ice-contacts:read": ice
        clients: 
          - id: abcdef
            oidc: true
            secret: $2y$10$0GwBc17u9HjZnVlFjhIv2u.Jq..5NyzdUENpGa8jUtok2zHj/STmm # ghijkl
            token_endpoint_auth_method: client_secret_post
            response_types: 
              - code
            grant_types:
              - authorization_code
            redirect_uris: 
              - https://psteniusubi.github.io/oidc-tester/authorization-code-flow.html
            scopes: 
              - openid 
              - profile 
              # - urn:cms:personal-informations:read

You must have a mongodb database and of course change the credentials. You might also change the values of the openid client example.

For testing purpose, you can then directly run with (make sure you have Go version >= 1.18) :

go run .

You can then test the service through :

What is an account in COOPGO Mobility Account

An account is, in COOPGO Mobility accounts, simply a set of datas, that you will be able to manage through a gRPC API (this could be extended with REST later but it's not our priority at COOPGO, so feel free to contribute ...).

In addition, but optionnally (an account can exist without any login mechanism), the service provides authentication through gRPC requests or OpenID Connect.

Accounts data management

Accounts Data is represented by key-value pairs.

We can assign JSON schemas to keys in the configuration to validate associated values.

Default configuration is visible in the file config.go. It handles the CMS standard schemas.

These key-value pairs can be accessed and managed through gRPC requests, and can also be linked to OpenID Connect claims/scopes to share them with external applications.

Accounts namespaces

COOPGO Mobility Accounts can handle multiple accounts environments (or set of users) with "namespaces", for example to handle multiple applications sharing the same service deployment (a little bit like "realms" in Keycloak), or different kind of accounts within the same application.

Authentication

Local authentication

This service provides a "local authentication mechanism", storing account credentials in the database.

OpenID Connect client

TODO

In the future, this service will support connecting through an external OpenID Connect provider.

OpenID Connect provider

The internal OpenID Connect provider lets you provide authentication and identity to external applications. Clients are defined in the configuration (you will have to change the configuration to add a client : we don't want to manage this dynamically through a database "by design", to be "stateless" on the OIDC provider base configuration)

The OIDC provider needs Etcd v3 (see below for storage considerations)

Storage options

Accounts management

COOPGO Mobility Accounts supports the following databases for storage :

  • MongoDB
  • PostgreSQL

SQL schema

SQL schema for PostgreSQL is available from file storage/postgresql/schema.hcl in the atlasgo Data Definition Language format

To set your development DB with this schema easily, you can simply use atlasgo CLI :

atlas schema apply --url "postgresql://username:password@localhost:5432/coopgo_platform?sslmode=disable"

OpenID Connect provider

You need a running Etcd v3 to enable the OpenID Connect provider.

As for accounts management, the OpenID Connect provider is divided in namespaces, providing 1 OIDC provider per namespace.

For example :

You will have to define different clients for each of these namespaces. From the client perspective, if you need to provide identification for multiple "namespaces", then you will have to set up multiple providers (1 per namespace).

For each namespace, you can provide different templates for the login UI. These templates directories are set in the configuration, the default example being located in folder oidc-provider/templates/default.

This UI is just for authentication through OIDC : there is no registration endpoints and it's not a management UI !

Contributions and governance

This project is maintained by COOPGO, a french cooperative providing substainable and inclusive mobility platforms, and is part of the COOPGO Technical Platform in the process of being open sourced.

Feel free to contribute, submit a pull request, or get in touch with us to discuss the roadmap !

Licence

This project is under the AGPLv3 licence.

Alternatives

We try to be as generic as possible with this service and it could serve other purposes than just mobility use cases. This could probably be used in other scenarios by adapting default configurations.

However, you may also find "generic" (and probably more advanced feature wise) alternatives with :