
Identity providers

Built in user management

Without any configuration, Izanami uses its built-in user management. You can create and manage users with the UI or with the APIs.

The documentation is available here: [User management](./ui#Manage users).

Otoroshi

You can run Otoroshi in front of Izanami and delegate authentication to it. Otoroshi uses a custom protocol to secure the exchange between itself and the targeted application (here, Izanami).

The default configuration is shown below. At minimum you must set the sharedKey (e.g. through the environment variable CLAIM_SHAREDKEY or the Java system property izanami.filter.otoroshi.sharedKey); the default value "none" is only a placeholder.

```hocon
izanami {
  filter {
    type = "Otoroshi"
    otoroshi {
      allowedPaths = [${?OTOROSHI_FILTER_EXCLUSION}, ${?OTOROSHI_FILTER_EXCLUSION_1}, ${?OTOROSHI_FILTER_EXCLUSION_2}, ${?OTOROSHI_FILTER_EXCLUSION_3}]
      issuer = "Otoroshi"
      issuer = ${?OTOROSHI_ISSUER}
      sharedKey = "none"
      sharedKey = ${?CLAIM_SHAREDKEY}
      headerClaim = "Otoroshi-Claim"
      headerClaim = ${?FILTER_CLAIM_HEADER_NAME}
      headerRequestId = "Otoroshi-Request-Id"
      headerRequestId = ${?FILTER_REQUEST_ID_HEADER_NAME}
      headerGatewayState = "Otoroshi-State"
      headerGatewayState = ${?FILTER_GATEWAY_STATE_HEADER_NAME}
      headerGatewayStateResp = "Otoroshi-State-Resp"
      headerGatewayStateResp = ${?FILTER_GATEWAY_STATE_RESP_HEADER_NAME}
    }
  }
}
```

You can find more information about Otoroshi here.

OAuth2 identity provider

To use an OAuth2 identity provider, you need to configure the OAuth2 endpoints, the client options, and the way Izanami reads user information from the OAuth2 identity (from the token itself or from the user info endpoint).

| Config property | Env variable | Description |
| --- | --- | --- |
| izanami.oauth2.enabled | OAUTH2_ENABLED | Enable this config |
| izanami.oauth2.authorizeUrl | OAUTH2_AUTHORIZE_URL | OAuth2 authorization URL |
| izanami.oauth2.tokenUrl | OAUTH2_TOKEN_URL | OAuth2 token URL |
| izanami.oauth2.userInfoUrl | OAUTH2_USER_INFO_URL | OAuth2 user info URL |
| izanami.oauth2.introspectionUrl | OAUTH2_INTROSPECTION_URL | OAuth2 introspection URL |
| izanami.oauth2.loginUrl | OAUTH2_LOGIN_URL | OAuth2 login URL |
| izanami.oauth2.logoutUrl | OAUTH2_LOGOUT_URL | OAuth2 logout URL |
| izanami.oauth2.clientId | OAUTH2_CLIENT_ID | OAuth2 client id |
| izanami.oauth2.clientSecret | OAUTH2_CLIENT_SECRET | OAuth2 client secret, if provided |
| izanami.oauth2.scope | OAUTH2_SCOPE | OAuth2 scope of the requested user info |
| izanami.oauth2.readProfileFromToken | OAUTH2_READ_FROM_TOKEN | Should the user be read from the token |
| izanami.oauth2.useCookie | OAUTH2_USE_COOKIE | Pass desc as query param |
| izanami.oauth2.useJson | OAUTH2_USE_JSON | Use JSON or form encoding to post data to the server |
| izanami.oauth2.idField | OAUTH2_ID_FIELD | The path in the token to the user id field (required) |
| izanami.oauth2.accessTokenField | OAUTH2_ACCESS_TOKEN_FIELD | The path in the token to the access token field (required) |
| izanami.oauth2.nameField | OAUTH2_NAME_FIELD | The path in the token to the user name field (required) |
| izanami.oauth2.emailField | OAUTH2_EMAIL_FIELD | The path in the token to the user email field (optional) |
| izanami.oauth2.adminField | OAUTH2_ADMIN_FIELD | The path in the token to the user admin field (a boolean, false if empty) |
| izanami.oauth2.authorizedPatternField | OAUTH2_AUTHORIZED_PATTERN_FIELD | The path in the token to the user authorizedPatternField field |
| izanami.oauth2.defaultPatterns | OAUTH2_DEFAULT_PATTERN | The default patterns if authorizedPatternField is missing |
| izanami.oauth2.jwtVerifier.enabled | OAUTH2_JWT_VERIFIER_ENABLED | Enable JWT verification |
| izanami.oauth2.jwtVerifier.type | OAUTH2_JWT_VERIFIER_TYPE | One of hs, es, rsa, jwks |
| izanami.oauth2.jwtVerifier.size | OAUTH2_JWT_VERIFIER_RSA_SIZE | Size of RSA: 256, 384, 512 |
| izanami.oauth2.jwtVerifier.size | OAUTH2_JWT_VERIFIER_HS_SIZE | Size of HS: 256, 384, 512 |
| izanami.oauth2.jwtVerifier.size | OAUTH2_JWT_VERIFIER_ES_SIZE | Size of ES: 256, 384, 512 |
| izanami.oauth2.jwtVerifier.secret | OAUTH2_JWT_VERIFIER_HS_SECRET | HS secret |
| izanami.oauth2.jwtVerifier.publicKey | OAUTH2_JWT_VERIFIER_RSA_PUBLIC_KEY | RSA public key |
| izanami.oauth2.jwtVerifier.publicKey | OAUTH2_JWT_VERIFIER_ES_PUBLIC_KEY | ES public key |
| izanami.oauth2.jwtVerifier.privateKey | OAUTH2_JWT_VERIFIER_RSA_PRIVATE_KEY | RSA private key |
| izanami.oauth2.jwtVerifier.privateKey | OAUTH2_JWT_VERIFIER_ES_PRIVATE_KEY | ES private key |
| izanami.oauth2.jwtVerifier.url | OAUTH2_JWT_VERIFIER_JWKS_URL | JWKS URL |
| izanami.oauth2.jwtVerifier.headers | OAUTH2_JWT_VERIFIER_JWKS_HEADERS | JWKS headers |
| izanami.oauth2.jwtVerifier.timeout | OAUTH2_JWT_VERIFIER_JWKS_TIMEOUT | Timeout of the JWKS call |

The jwtVerifier block should be one of the following, depending on the algorithm type:

HS Algorithm

```hocon
jwtVerifier = {
  type = "hs"
  size = 256
  secret = "your secret"
}
```

ES Algorithm

```hocon
jwtVerifier = {
  type = "es"
  size = 256
  publicKey = "your key"
  privateKey = "an optional private key"
}
```

RSA Algorithm

```hocon
jwtVerifier = {
  type = "rsa"
  size = 256
  publicKey = "your key"
  privateKey = "an optional private key"
}
```

JWKS Algorithm

```hocon
jwtVerifier = {
  type = "jwks"
  url = "http://localhost:8980/auth/realms/master/protocol/openid-connect/certs"
  // Optional headers
  headers = {
    key = value
  }
  // An optional timeout for the api call
  timeout = 1 second
}
```

Here is a sample configuration for Keycloak running on http://localhost:8980:

```hocon
izanami {
  oauth2 {
    enabled = true
    authorizeUrl = "http://localhost:8980/auth/realms/master/protocol/openid-connect/auth"
    tokenUrl = "http://localhost:8980/auth/realms/master/protocol/openid-connect/token"
    userInfoUrl = "http://localhost:8980/auth/realms/master/protocol/openid-connect/userinfo"
    introspectionUrl = "http://localhost:8980/auth/realms/master/protocol/openid-connect/token/introspect"
    loginUrl = "http://localhost:8980/auth/realms/master/protocol/openid-connect/auth"
    logoutUrl = "http://localhost:8980/auth/realms/master/protocol/openid-connect/logout"
    clientId = "izanami"
    clientSecret = "secret"
    scope = "openid profile email name izanamiAdmin authorizedPatterns"
    jwtVerifier = {
      type = "hs"
      size = 256
      secret = "your secret"
    }
    readProfileFromToken = true
    useCookie = false
    useJson = false
    idField = "sub"
    accessTokenField = "access_token"
    nameField = "preferred_username"
    emailField = "email"
    adminField = "izanamiAdmin"
    authorizedPatternField = "authorizedPatterns"
    defaultPatterns = "*"
  }
}
```
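As an added example (not Izanami's own code and not taken from this page), the following Python sketches what the settings above imply: an HMAC (`hs`) JWT verifier matching `jwtVerifier = { type = "hs", size = 256, ... }`, the mapping from token claims to an Izanami user driven by the `*Field` settings and `defaultPatterns`, and the Otoroshi filter from the earlier section (allowedPaths bypass, issuer and sharedKey check on the claim header, echo of the gateway state header). It uses only the standard library; the sample tokens and secrets are constructed, and the assumption that Otoroshi's claim header carries an HS512 token signed with `sharedKey` is made for illustration only. When `readProfileFromToken = true`, the admin flag and the authorized patterns are taken straight from the token, so the signature check is what makes those values trustworthy; the verifier therefore pins the algorithm to the configured HS size instead of trusting the token's own `alg` header.

```python
# Added example, not Izanami's code: HMAC JWT verification, claim-to-profile
# mapping (idField/nameField/adminField/authorizedPatternField/defaultPatterns)
# and an Otoroshi-style request filter. Otoroshi claim layout is an assumption.
import base64
import hashlib
import hmac
import json
import time

# Constructed field mapping, mirroring the Keycloak sample above
FIELDS = {
    "idField": "sub",
    "nameField": "preferred_username",
    "emailField": "email",
    "adminField": "izanamiAdmin",
    "authorizedPatternField": "authorizedPatterns",
    "defaultPatterns": "*",
}
# Constructed Otoroshi filter settings (header names as in the default config above)
OTOROSHI = {
    "issuer": "Otoroshi",
    "sharedKey": "example-shared-key",  # constructed; the default "none" must be replaced
    "headerClaim": "Otoroshi-Claim",
    "headerGatewayState": "Otoroshi-State",
    "headerGatewayStateResp": "Otoroshi-State-Resp",
    "allowedPaths": ["/health"],
}
_DIGESTS = {256: hashlib.sha256, 384: hashlib.sha384, 512: hashlib.sha512}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs_jwt(claims, secret, size):
    """Build a constructed HS<size> token (used here only to produce sample input)."""
    head = _b64url_encode(json.dumps({"alg": "HS%d" % size, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), ("%s.%s" % (head, body)).encode(), _DIGESTS[size]).digest()
    return "%s.%s.%s" % (head, body, _b64url_encode(sig))

def verify_hs_jwt(token, secret, size, issuer=None, now=None):
    """Return the claims of a valid HS<size> token, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    # Pin the algorithm to the configured one: a header claiming "none" or an
    # asymmetric alg must never reach the HMAC check.
    if header.get("alg") != "HS%d" % size:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signed = ("%s.%s" % (head_b64, body_b64)).encode()
    expected = hmac.new(secret.encode(), signed, _DIGESTS[size]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if issuer is not None and claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    return claims

def _lookup(obj, path):
    """Resolve a dotted path such as "realm_access.roles" inside the claims."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def extract_profile(claims, fields):
    """Map verified claims to an Izanami-style user, applying the documented defaults."""
    user_id = _lookup(claims, fields["idField"])
    name = _lookup(claims, fields["nameField"])
    if user_id is None or name is None:
        raise ValueError("required id/name field missing from token")
    patterns = _lookup(claims, fields["authorizedPatternField"])
    return {
        "id": user_id,
        "name": name,
        "email": _lookup(claims, fields["emailField"]),  # optional
        "admin": _lookup(claims, fields["adminField"]) is True,  # false if empty
        "authorizedPatterns": patterns or fields["defaultPatterns"],
    }

def otoroshi_filter(path, headers, cfg, now=None):
    """Return (claims, response_headers); paths in allowedPaths bypass the check.
    Assumption: the claim header carries an HS512 token signed with sharedKey."""
    if path in cfg["allowedPaths"]:
        return None, {}
    token = headers.get(cfg["headerClaim"])
    if token is None:
        raise ValueError("missing %s header" % cfg["headerClaim"])
    claims = verify_hs_jwt(token, cfg["sharedKey"], 512, issuer=cfg["issuer"], now=now)
    # Echo the gateway state so Otoroshi can match the response to its request.
    state = cfg["headerGatewayState"]
    resp = {cfg["headerGatewayStateResp"]: headers[state]} if state in headers else {}
    return claims, resp
```

`verify_hs_jwt` rejects a token whose header names a different algorithm, whose signature does not match, which has expired, or whose issuer is not the configured one; `extract_profile` then applies the same defaults the table documents (admin is false unless the claim is literally true, and `defaultPatterns` fills in when the patterns claim is absent).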

You can find a Keycloak tutorial here.