Identity providers

Built in user management

Without any configuration, Izanami uses his built in user management. You can create and manage users with the ui or with the APIs.

The documentation is available here [User management](../ui.md#Manage users)

Otoroshi

You can use Otoroshi in front of izanami and delegate authentication to it. Otoroshi use a custom protocol to ensure secured exchange between the targeted application and Otoroshi.

The default config is the following. You have at least to set the sharedKey (eg env variable CLAIM_SHAREDKEY or java system property izanami.filter.otoroshi.sharedKey).

izanami {
  filter {
    type = "Otoroshi"
    otoroshi  {
      allowedPaths = [${?OTOROSHI_FILTER_EXCLUSION}, ${?OTOROSHI_FILTER_EXCLUSION_1}, ${?OTOROSHI_FILTER_EXCLUSION_2}, ${?OTOROSHI_FILTER_EXCLUSION_3}]
      issuer = "Otoroshi"
      issuer = ${?OTOROSHI_ISSUER}
      sharedKey = "none"
      sharedKey = ${?CLAIM_SHAREDKEY}
      headerClaim = "Otoroshi-Claim"
      headerClaim = ${?FILTER_CLAIM_HEADER_NAME}
      headerRequestId = "Otoroshi-Request-Id"
      headerRequestId = ${?FILTER_REQUEST_ID_HEADER_NAME}
      headerGatewayState = "Otoroshi-State"
      headerGatewayState = ${?FILTER_GATEWAY_STATE_HEADER_NAME}
      headerGatewayStateResp = "Otoroshi-State-Resp"
      headerGatewayStateResp = ${?FILTER_GATEWAY_STATE_RESP_HEADER_NAME}
    }
  }
}

You can find more information about Otoroshi here

Oauth 2 identity provider

To use an oauth2 identity provider we need to set the oauth2 endpoint, option and a way to get the user information from the oauth2 identity.

The jwt modifier should be :

HS Algorithm

jwtVerifier = {
  type = "hs"
  size = 256
  secret = "your secret"
}

ES Algorithm

jwtVerifier = {
  type = "es"
  size = 256 
  publicKey = "your key"
  privateKey = "an optional private key"
}

RSA Algorithm

jwtVerifier = {
  type = "rsa"
  size = 256
  publicKey = "your key"
  privateKey = "an optional private key"
}

JWKS Algorithm

jwtVerifier = {
  type = "jwks"
  url = "http://localhost:8980/auth/realms/master/protocol/openid-connect/certs"
  // Optional headers 
  headers = {
    key = value 
  }
  // An optional timeout for the api call 
  timeout = 1 second
}

Here is a sample to use key cloak running on http://localhost:8980 :

izanami {
  oauth2 {
    enabled = true
    authorizeUrl = "http://localhost:8980/auth/realms/master/protocol/openid-connect/auth"
    tokenUrl = 	"http://localhost:8980/auth/realms/master/protocol/openid-connect/token"
    userInfoUrl = "http://localhost:8980/auth/realms/master/protocol/openid-connect/userinfo"
    introspectionUrl = 	"http://localhost:8980/auth/realms/master/protocol/openid-connect/token/introspect"
    loginUrl = "http://localhost:8980/auth/realms/master/protocol/openid-connect/auth"
    logoutUrl = "http://localhost:8980/auth/realms/master/protocol/openid-connect/logout"
    clientId = "izanami"
    clientSecret = "secret"
    scope = "openid profile email name izanamiAdmin authorizedPatterns"
    jwtVerifier = {
      type = "hs"
      size = 256
      secret = "your secret"
    }
    readProfileFromToken = true
    useCookie = false
    useJson = false
    idField = "sub"
    accessTokenField = "access_token"
    nameField = "preferred_username"
    emailField = "email"
    adminField = "izanamiAdmin"
    authorizedPatternField = "authorizedPatterns"
    defaultPatterns = "*"
  }
}

You can find a keycloak tutorial Here.