An OpenID Provider for i3-Market. You can find the detailed documentation here.
The following programs and libraries are required to be able to perform all subsequent instructions.
- WSL
- Git
- Node.js
- Docker
- i3-Market wallet desktop, version 1.0.0 or more
To check that everything is fine, you should see the following commands working:
$ npm -v
8.13.8
$ node -v
v18.13.0
$ ts-node -v
v10.4.0
$ nvm --version
0.33.2
WARNING: In case some packages are missing, you can install them using the
npm i <PACKAGE_NAME>
command
Clone the repository with Git
$ git clone git@gitlab.com:i3-market/code/wp3/t3.1-self-sovereign-identity-and-access-management/node-oidc-provider.git
$ cd node-oidc-provider
Create a .env
and a oidc.env
file and configure the server using the environmental variables defined in the template.env file.
WARNING: Paths should be relative to the
app
directory
A just-working version using a mongodb can be used. Before starting the mongo for the first time, copy db/scripts/mongo-init.template.js
to db/scripts/mongo-init.js
and update to your needs. The contents of that file are the intial state of the DB. By default it comes with to RP clients, one for WebApps and another for Native Apps or SPAs; as well as an adminsitration account that can be used to create more clients through the API.
To run the service locally using Node.js it is necessary to download it before. After that you can install the dependencies and start the service in the following way:
$ cd node-oidc-provider/app
$ npm i
$ npm start
You should also update the configuration file app/src/config.ts
before running the service.
Specifically, it is necessary to fill the default environment variables, in the same way they are filled in the env file.
Run the following command in the project root. The first time it will take a while (be patience), since it has to build images and download all the npm dependencies.
./docker-dev-start
The OAS documentation can be accessed on http://localhost:3000/oidc/api-spec/ui.
You can stop the container at any time with Ctrl-C
.
If you want to delete and prune all the created images, containers, networks, volumes, just run
./docker-dev-prune
Since the app
directory is shared with the docker container with mapped user permissions, you can just edit any files in the app
directory locally. The container will be running ts-node
and nodemon
to directly execute the source code and refresh the server if any file has changed. You can also attach any debugger in your local machine to the container, which will be listening at default port 9229.
Besides rebuilding, you can execute any command in the oidc-provider-app
container:
-
to execute it in the running container:
docker-compose -f docker-compose.dev.yaml exec oidc-provider-app <command>
-
to create and delete on-the-fly a new container (that will update the same files):
docker-compose -f docker-compose.dev.yaml run --rm --no-deps oidc-provider-app <command>
Since npm
and node
are likely to be needed, if your OS allows you to execute shell scripts, you can just also use the npm
and node
scripts provided for convenience.
$ ./npm -v
8.19.3
$ ./node -v
v18.13.0
You can build the production docker image using the helpers provided in this repository:
# Build the image to work locally
./docker-prod-build
# Build and push the image into the gitlab registry
./docker-prod-push
The script docker-prod
manages the deployment. You can use it to extract the files required in the production environment. To do so execute the following commands:
# Prepare a folder to work
mkdir oidc-provider
# Place the 'docker-prod' file inside oidc-provider
cd oidc-provider
# Pull the docker image and prepare the volumes
./docker-prod -p init-volumes $(id -u):$(id -g)
# Create a docker-compose.yaml and .env using the template.
# Remember to configure SERVER_PUBLIC_URI, OIDC_PROVIDER_DB_PASSWORD and MONGO_INITDB_ROOT_PASSWORD in the .env file
./docker-prod -o docker-compose.yaml template docker-compose
./docker-prod -o .env template env
# Start docker services
docker-compose up -d
# We have an issue on the first start. If you get an error just restart docker services
docker-compose down
docker-compose up -d
# Finally configure a reverse proxy. We suggest using the one provided in:
# https://gitlab.com/i3-market/code/wp3/nginx-reverse-proxy
To perform more complex manual tests, we also provide a docker compose service so different images are connected in the same network.
# Launch a image using the current source files
docker-compose up -d oidc-provider-dev
# Lauch a keycloak image
docker-compose up -d keycloak
# Launch a test Relying Party
docker-compose up -d oidc-rp
# This service registers all the services in the host's host file
# - Needed for the OpenID standard redirections when using OpenID Connect Discovery
# (https://openid.net/specs/openid-connect-discovery-1_0.html)
# - NOTE: Only working on linux
docker-compose up -d resolver
There are an environment example and database initial state files. To start a development environment copy them:
cd misc
cp template.dev dev.env
cp initial-state.template.js initial-state.js
This OIDC Provider has the following static scopes:
- openid: Mandatory for the OpenID Connect standard. It returns the sub field of the id_token, and its value is the user did.
- profile: It adds information about the user profile into the id_token.
- vc: It adds the field verifiable_claims into the id_token. Useful when the RP wants to check any information about the verifiable claims asked.
There are several automatic scopes.
- vc:{vc_name}: It asks the user for the specific verifiable claim vc_name. It is optional, so the user can decide whether to append it or not. If the issuer of the verifiable claim is not trusted, it will be added into untrusted verifiable claims array.
- vce:{vc_name}: It asks the user for the essential verifiable claim with name: vc_name. It is mandatory, so if the user doesn't provide it, or the issuer is untrusted, the login and consent process will be cancelled.
When the authorization and authentication process finishes, two tokens are returned: access_token and id_token.
-
Both tokens have the following fields:
- sub: identity (user) did.
- aud: audience (who or what the token is intended for).
- exp: expiration date.
- iat: issued at.
- iss: token issuer. It is always the OIDC Provider.
-
access_token: it can be used to prove that the user consents access for a specific scope.
- scope: space separated scopes that the user has proved to fulfill.
Following example shows a raw and decoded access_token:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InIxTGtiQm8zOTI1UmIyWkZGckt5VTNNVmV4OVQyODE3S3gwdmJpNmlfS2MifQ.eyJqdGkiOiJKcmcwcEpFdHY2Z1Z2SDZxOENfU1QiLCJzdWIiOiJkaWQ6ZXRocjoweGY2YTJiZTM3YTc5OGYyMTY3NzNjYmU0NWNlOWMwODc3NmViMjZiYjMiLCJpYXQiOjE2MTIxNzEwMTUsImV4cCI6MTYxMjE3NDYxNSwic2NvcGUiOiJvcGVuaWQgdmMgdmNlOmNvbnN1bWVyIiwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImF1ZCI6Im9pZGNDTElFTlQifQ.eiRDwuYtYUprL4rbILlEHO58Jc7whyh6mhXIFss6zv3rM_hpBj9YTBRgOg1CDFz866cdZ-vIl3Bo-PlqQV9BHRIvFwvknbLfNSxBXn_VB9il8lrQ49Aury71nQmkFgYC6zeWaBbRRsp8I0xCra3GkAaA3MXR_XwJDfv1AcR8Ifu-LKYFSHXImwVEmwUmgCpVgLqTiJY2mxFnKkaqaSYOr44ZFoU5CADoegkt4SUV3bpYy2kLrDK-BItj2GFxS_5fguy1EYR6R8Zx6pj0VXPYh207_NT23EHzf0UFCzHJXGg5Aw8YWZO6vlo-mqKxw2XybTei2XyBLujNizTTjQ2oKA
{
"jti": "Jrg0pJEtv6gVvH6q8C_ST",
"sub": "did:ethr:0xf6a2be37a798f216773cbe45ce9c08776eb26bb3",
"iat": 1612171015,
"exp": 1612174615,
"scope": "openid vc vce:consumer",
"iss": "https://localhost:3000",
"aud": "oidcCLIENT"
}
-
id_token: it contains information about the identity. Specific fields:
- verifiable_claims: arrays of trusted and untrusted verifiable claims.
Following example shows a raw and decoded id_token:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InIxTGtiQm8zOTI1UmIyWkZGckt5VTNNVmV4OVQyODE3S3gwdmJpNmlfS2MifQ.eyJzdWIiOiJkaWQ6ZXRocjoweGY2YTJiZTM3YTc5OGYyMTY3NzNjYmU0NWNlOWMwODc3NmViMjZiYjMiLCJ2ZXJpZmllZF9jbGFpbXMiOnsidHJ1c3RlZCI6W3siaWF0IjoxNjExNTcyMjUxLCJleHAiOjE2MTQxNjQyNTEsInN1YiI6ImRpZDpldGhyOjB4ZjZhMmJlMzdhNzk4ZjIxNjc3M2NiZTQ1Y2U5YzA4Nzc2ZWIyNmJiMyIsImNsYWltIjp7ImNvbnN1bWVyIjp0cnVlfSwiaXNzIjoiZGlkOmV0aHI6MHhlNmYyYmU4MGVkNTUyMTUyOWY2N2IzOWE3NGFhNDI4MjgyY2YwMzEyIiwiand0IjoiZXlKMGVYQWlPaUpLVjFRaUxDSmhiR2NpT2lKRlV6STFOa3N0VWlKOS5leUpwWVhRaU9qRTJNVEUxTnpJeU5URXNJbVY0Y0NJNk1UWXhOREUyTkRJMU1Td2ljM1ZpSWpvaVpHbGtPbVYwYUhJNk1IaG1ObUV5WW1Vek4yRTNPVGhtTWpFMk56Y3pZMkpsTkRWalpUbGpNRGczTnpabFlqSTJZbUl6SWl3aVkyeGhhVzBpT25zaVkyOXVjM1Z0WlhJaU9uUnlkV1Y5TENKcGMzTWlPaUprYVdRNlpYUm9jam93ZUdVMlpqSmlaVGd3WldRMU5USXhOVEk1WmpZM1lqTTVZVGMwWVdFME1qZ3lPREpqWmpBek1USWlmUS5acFYwM3VjOXJyNWxCVGZJcW5hbDlsT2k4alFXNTZrc3VaRE90UEtLWEowWmdwZC03dGQ3ZVExUGVjdUNoWF9sdXhrR1gzb3ZlM3FtRXAtcWVJRnRpZ0EifV0sInVudHJ1c3RlZCI6W119LCJhdF9oYXNoIjoieVpnaHBkaTBTRUJTZGJwT05QRTI3QSIsImF1ZCI6Im9pZGNDTElFTlQiLCJleHAiOjE2MTIxNzQ2MTUsImlhdCI6MTYxMjE3MTAxNSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCJ9.JHhZ-A7ephdD0nyXKsBGrltWFwPZpeqJID9MbN7b164S5yYOfcrgVeNjyE_-9sJZEU8EEUhFjj3FjC6maF-MZBiqXO7QTFsVfds8gDRmLHCSXhyp0SvSPywzbqHB4KE6hBgLo5yuZ9Q1dv0bUr7btis8-9Uc7FmeIg7BmTPDB89c_CKZfdRUkcmYcW8EWsH9RNl9XQGXAYqZfQZnJoKmkILScnIUuq3p38qNpL2VrnvhWXfKx3IXA3bCazWeHeToNoPcrQdUJTFkfxo2vAQXXrnNEWOrE_UwDnv3rORMdsaGZTB47MzL5YFVG5f0PsNzRwXnhQ1b7ZP6yze1fC0pww
{
"sub": "did:ethr:0xf6a2be37a798f216773cbe45ce9c08776eb26bb3",
"verified_claims": {
"trusted": [
{
"iat": 1611572251,
"exp": 1614164251,
"sub": "did:ethr:0xf6a2be37a798f216773cbe45ce9c08776eb26bb3",
"claim": {
"consumer": true
},
"iss": "did:ethr:0xe6f2be80ed5521529f67b39a74aa428282cf0312",
"jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NkstUiJ9.eyJpYXQiOjE2MTE1NzIyNTEsImV4cCI6MTYxNDE2NDI1MSwic3ViIjoiZGlkOmV0aHI6MHhmNmEyYmUzN2E3OThmMjE2NzczY2JlNDVjZTljMDg3NzZlYjI2YmIzIiwiY2xhaW0iOnsiY29uc3VtZXIiOnRydWV9LCJpc3MiOiJkaWQ6ZXRocjoweGU2ZjJiZTgwZWQ1NTIxNTI5ZjY3YjM5YTc0YWE0MjgyODJjZjAzMTIifQ.ZpV03uc9rr5lBTfIqnal9lOi8jQW56ksuZDOtPKKXJ0Zgpd-7td7eQ1PecuChX_luxkGX3ove3qmEp-qeIFtigA"
}
],
"untrusted": []
},
"at_hash": "yZghpdi0SEBSdbpONPE27A",
"aud": "oidcCLIENT",
"exp": 1612174615,
"iat": 1612171015,
"iss": "https://localhost:3000"
}
Create a oidc.env
file and configure the server using the environmental variables defined in (template.env)[./template.env].
To deploy this service in a server it is just necessary to copy the docker-compose.yaml
and oidc.env
files in a server directory and run the following command:
$ docker-compose up
The service images will be downloaded directly from the i3-Market Gitlab image registry. You need to have a valid Gitlab access.
This service is integrated with the i3-Market Wallet desktop application, downloadable from the i3-Market Nexus repository or from Github. For information on how to pair the wallet with the service once running, see the instructions here.
The documentation is available on the i3-Market development portal.