This is the Identity, Authentication, and Authorization (IAA) Component of the SOFIE framework. IAA implements an HTTP forward proxy that performs user authorization based on an access token. It supports the following types of access tokens: Decentralized Identifiers, Verifiable Credentials, and JSON web tokens.
As shown in Figure 1, the IAA components intercepts the communication between a client and a resource server. The resource server may not be accessible over the Internet. The client needs to obtain a valid access token (e.g., using SOFIE's PDS component). Then, the client performs an HTTP request by including the obtained token in an HTTP Authentication header. Based on the type of the token, and IAA's configured policies, IAA may reject the request, may forward it to the resource server, or it may respond with a ``challenge'' that the client must sign in order to prove the s/he is the legitimate owner of the access token.
Figure 1: The IAA component
More information about this component and its relation to the SOFIE project can be found in D2.5 Federation Framework, SOFIE deliverable
The software modules are implemented in Python 3. Currently the component supports Hyperledger Indy DID and VC, W3C VC, JWT, and JWT backed by Ethereum ERC-721 tokens (as described in N. Fotiou et al. "OAuth 2.0 authorization using blockchain-based tokens", in proc of the NDSS DISS workshop, 2020)
IAA component is built using Python3. It depends on the following packages:
pip3 install Werkzeug
pip3 install jsonpath-ngDepending on the type of access tokens that will be used the following additional dependencies are required
pip3 install pyjwtpip3 install pyjwt
pip3 install web3pip3 install PyLD
pip3 install pynacl sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CE7709D068DB5E88
sudo add-apt-repository "deb https://repo.sovrin.org/sdk/deb bionic stable"
sudo apt-get update
sudo apt-get install -y libindy
pip3 install python3-indyThe following commands perform a full installation of IAA
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CE7709D068DB5E88
sudo add-apt-repository "deb https://repo.sovrin.org/sdk/deb bionic stable"
sudo apt-get update
sudo apt-get install -y libindy
pip3 install python3-indy pyjwt web3
pip3 install Werkzeug
pip3 install pynacl
pip3 install PyLD
pip3 install jsonpath-ngThe core configuration file of the component is conf/iaa.conf. There the protected resources are described.
The file contains a mapping from resource relative URIs to authentication and proxy configurations.
The authentication entry of a resource contains the following fields:
| Field | Possible values |
|---|---|
| type | "jwt", "jwt-erc721", "w3c-vc", "indy-did", "indy-vc" |
| tokens_expire | true, false (optional, used only with type "jwt") |
| signing_key_file | A path to the key used for signing a JWT |
| filters | A list of json-path queries |
The proxy entry of a resource contains the following fields:
| Field | Possible values |
|---|---|
| proxy_pass | The base URI of the resource |
| header_rewrite | A list of headers that will be included in the forwarded request |
From the root directory run python3 IAA/iaa.py
In order to build IAA image, execute the script docker-build.sh. Then you can run IAA using, for example, docker run -tid --rm -p 9000:9000 iaa. You can verify that IAA is running properly be executing the script examples/validate_token.sh
Tests are executed using pytest and pytest-asyncio. To install it execute:
pip3 install -U pytest
pip3 install pytest-asyncioFrom the root directory run python3 -m pytest -s tests/ For shorter output alternatively you can run python3 -m pytest tests/ -s --tb=short
No known issues
Please contact Nikos Fotiou or Iakovos Pittaras (AUEB) in case of any questions.
This component is licensed under the Apache License 2.0.