Mainflux.mainflux/authn
Dušan Borovčanin 9f37927dec MF-932 - User API keys (#941)
* Add inital Auth implementation

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Extract IssuedAt on transport layer

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Add token type

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Fix Auth service URL in Things service

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Add User Keys revocation check

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Update tests

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Remove unused tracing methods

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Fix Key retrival and parsing

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Remove unused code

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Increase test coverage

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Fix compose files

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Fix typos

Simplify tests.

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Fix typos and remove useless comments

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Rename Auth to Authn

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Rename database.go to tracin.go

A new name (`tracing.go`) describes better the purpose of the file.

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Increase test coverage

Fix typo.

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Increase test coverage

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Remove token from Users service

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Fix identify login keys

Rename token parsing method.

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Extract tokenizer to interface

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Remove pointer time

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Use pointer for expiration time in response

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Use uppercase N

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Remove unnecessary email check

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Cleanup unused code and env vars

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Rename tokenizer field

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Use slices and named fields in test cases

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Update AuthN keys naming

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Remove package-lock.json changes

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>

* Remove Secret from issuing request

Signed-off-by: Dušan Borovčanin <dusan.borovcanin@mainflux.com>
2019-12-16 16:22:09 +01:00
..
api MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
jwt MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
mocks MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
postgres MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
tracing MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
uuid MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
README.md MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
idp.go MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
keys.go MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
keys_test.go MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
service.go MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
service_test.go MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
swagger.yaml MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00
tokenizer.go MF-932 - User API keys (#941) 2019-12-16 16:22:09 +01:00

README.md

Authentication service

Authentication service provides an API for managing authentication keys.

There are three types of authentication keys:

  • user key - keys issued to the user upon login request
  • API key - keys issued upon the user request
  • recovery key - password recovery key

User keys are issued when user logs in. Each user request (other than registration and login) contains user key that is used to authenticate the user. API keys are similar to the User keys. The main difference is that API keys have configurable expiration time. If no time is set, the key will never expire. For that reason, API keys are the only key type that can be revoked. Recovery key is the password recovery key. It's short-lived token used for password recovery process.

For in-depth explanation of the aforementioned scenarios, as well as thorough understanding of Mainflux, please check out the official documentation.

The following actions are supported:

  • create (all key types)
  • verify (all key types)
  • obtain (API keys only; secret is never obtained)
  • revoke (API keys only)

Configuration

The service is configured using the environment variables presented in the following table. Note that any unset variables will be replaced with their default values.

Variable Description Default
MF_AUTHN_LOG_LEVEL Service level (debug, info, warn, error) error
MF_AUTHN_DB_HOST Database host address localhost
MF_AUTHN_DB_PORT Database host port 5432
MF_AUTHN_DB_USER Database user mainflux
MF_AUTHN_DB_PASSWORD Database password mainflux
MF_AUTHN_DB Name of the database used by the service auth
MF_AUTHN_DB_SSL_MODE Database connection SSL mode (disable, require, verify-ca, verify-full) disable
MF_AUTHN_DB_SSL_CERT Path to the PEM encoded certificate file
MF_AUTHN_DB_SSL_KEY Path to the PEM encoded key file
MF_AUTHN_DB_SSL_ROOT_CERT Path to the PEM encoded root certificate file
MF_AUTHN_HTTP_PORT Authn service HTTP port 8180
MF_AUTHN_GRPC_PORT Authn service gRPC port 8181
MF_AUTHN_SERVER_CERT Path to server certificate in pem format
MF_AUTHN_SERVER_KEY Path to server key in pem format
MF_AUTHN_SECRET String used for signing tokens auth
MF_JAEGER_URL Jaeger server URL localhost:6831

Deployment

The service itself is distributed as Docker container. The following snippet provides a compose file template that can be used to deploy the service container locally:

version: "2"
services:
  authn:
    image: mainflux/authn:[version]
    container_name: [instance name]
    ports:
      - [host machine port]:[configured HTTP port]
    environment:
      MF_AUTHN_LOG_LEVEL: [Service log level]
      MF_AUTHN_DB_HOST: [Database host address]
      MF_AUTHN_DB_PORT: [Database host port]
      MF_AUTHN_DB_USER: [Database user]
      MF_AUTHN_DB_PASS: [Database password]
      MF_AUTHN_DB: [Name of the database used by the service]
      MF_AUTHN_DB_SSL_MODE: [SSL mode to connect to the database with]
      MF_AUTHN_DB_SSL_CERT: [Path to the PEM encoded certificate file]
      MF_AUTHN_DB_SSL_KEY: [Path to the PEM encoded key file]
      MF_AUTHN_DB_SSL_ROOT_CERT: [Path to the PEM encoded root certificate file]
      MF_AUTHN_HTTP_PORT: [Service HTTP port]
      MF_AUTHN_GRPC_PORT: [Service gRPC port]
      MF_AUTHN_SECRET: [String used for signing tokens]
      MF_AUTHN_SERVER_CERT: [String path to server certificate in pem format]
      MF_AUTHN_SERVER_KEY: [String path to server key in pem format]
      MF_JAEGER_URL: [Jaeger server URL]

To start the service outside of the container, execute the following shell script:

# download the latest version of the service
go get github.com/mainflux/mainflux

cd $GOPATH/src/github.com/mainflux/mainflux

# compile the service
make authn

# copy binary to bin
make install

# set the environment variables and run the service
MF_AUTHN_LOG_LEVEL=[Service log level] MF_AUTHN_DB_HOST=[Database host address] MF_AUTHN_DB_PORT=[Database host port] MF_AUTHN_DB_USER=[Database user] MF_AUTHN_DB_PASS=[Database password] MF_AUTHN_DB=[Name of the database used by the service] MF_AUTHN_DB_SSL_MODE=[SSL mode to connect to the database with] MF_AUTHN_DB_SSL_CERT=[Path to the PEM encoded certificate file] MF_AUTHN_DB_SSL_KEY=[Path to the PEM encoded key file] MF_AUTHN_DB_SSL_ROOT_CERT=[Path to the PEM encoded root certificate file] MF_AUTHN_HTTP_PORT=[Service HTTP port] MF_AUTHN_GRPC_PORT=[Service gRPC port] MF_AUTHN_SECRET=[String used for signing tokens] MF_AUTHN_SERVER_CERT=[Path to server certificate] MF_AUTHN_SERVER_KEY=[Path to server key] MF_JAEGER_URL=[Jaeger server URL] $GOBIN/mainflux-authn

If MF_EMAIL_TEMPLATE doesn't point to any file service will function but password reset functionality will not work.

Usage

For more information about service capabilities and its usage, please check out the API documentation.