AAA Server v5.0.0

@ThorodanBrom ThorodanBrom released this 31 Oct 08:45
· 73 commits to main since this release
4da72b7

What's changed

The AAA Server v5.0.0 release incorporates changes for the server to adhere to the COS model.

Updates to existing APIs

  • Create User Profile POST /auth/v1/user/profile changed to Add roles POST /auth/v1/user/roles

  • Get User Profile or Search for User GET /auth/v1/user/profile changed to List User Roles GET /auth/v1/user/roles

  • Update User Profile - Add roles, regenerate client secret PUT /auth/v1/user/profile removed

  • Get Organization Details GET /auth/v1/organizations changed to Get Registered Resource Servers GET /auth/v1/resourceservers

  • Create Organization POST /auth/v1/admin/organizations changed to Create Resource Server - COS Admin POST /auth/v1/admin/resourceservers

  • Get Policies GET /auth/v1/policies removed

  • Delete Policies DELETE /auth/v1/policies removed

  • Create Policies POST /auth/v1/policies removed

  • Get Delegations GET /auth/v1/policies/delegations changed to GET /auth/v1/delegations

  • Delete Delegations DELETE /auth/v1/policies/delegations changed to DELETE /auth/v1/delegations

  • Create Delegations POST /auth/v1/policies/delegations changed to POST /auth/v1/delegations

  • List Access Requests GET /auth/v1/policies/requests removed

  • Create Access Requests POST /auth/v1/policies/requests removed

  • Update Access Requests PUT /auth/v1/policies/requests removed

  • Withdraw Access Requests DELETE /auth/v1/policies/requests removed

New APIs

  • Create Default Client Credentials GET /auth/v1/user/clientcredentials
  • Search for User - Trustee GET /auth/v1/user/search
  • Regenerate client credentials PUT /auth/v1/user/clientcredentials
  • Get Delegate Emails - Trustee GET /auth/v1/delegations/emails
  • Get public key in JWKS format GET /auth/v1/jwks

Deprecations

User and Role Management

  • The auth admin user has been deprecated and replaced with the COS Admin
  • Organization registration has been removed
  • Registration of trustee and delegate role has been removed
  • Domain-matching for emails during provider registration has been removed

Policy-related Functionalities

  • All policy and access request APIs have been deprecated
    • This functionality has been moved to a separate ACL Access Policy Domain server

Token Functionalities

  • Token requests for items at the resource group level (itemType:resource_group) have been deprecated
  • Token requests for the trustee role (role:trustee) have been deprecated

Access Policy Domain (APD) Functionalities

  • Creation of APDs by trustees has been deprecated
  • Update of APD status by trustees has been deprecated

Delegations

  • The auth delegate role has been deprecated

New Features

General

  • The JWT public key is now exposed as a standard JWKS endpoint at GET /auth/v1/jwks
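How a resource server would consume this endpoint, as an added example that is not code from the AAA Server project: it parses the JWKS document (assumed to follow the standard RFC 7517 shape, keys[].kty/kid/n/e), selects the key named by the token's kid, and verifies an RS256 signature. RS256 as the signing algorithm, the kid "aaa-key-1", the claims and the throwaway key are all constructed assumptions for offline use.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)
var b64 = base64.RawURLEncoding
// VerifyRS256 validates a compact JWT against the JSON document served at GET /auth/v1/jwks.
// The alg is pinned to RS256 before the key lookup, so a crafted header cannot switch the verifier to another algorithm.
func VerifyRS256(token string, jwksDoc []byte) error {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("bad header or alg is not RS256")
	}
	var set struct{ Keys []struct{ Kid, Kty, N, E string } } // RFC 7517 member names (assumed JWKS shape)
	sig, errSig := b64.DecodeString(p[2])
	if err := json.Unmarshal(jwksDoc, &set); err != nil || errSig != nil {
		return fmt.Errorf("jwks document or signature not decodable")
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1])) // RS256 signs base64url(header).base64url(payload)
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid != hdr.Kid || k.Kty != "RSA" || errN != nil || errE != nil {
			continue // only the key named by kid, and only an RSA one, may verify this token
		}
		return rsa.VerifyPKCS1v15(&rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, crypto.SHA256, sum[:], sig)
	}
	return fmt.Errorf("jwks: no usable RSA key with kid %q", hdr.Kid)
}
// SampleJWKSAndToken is constructed test input: a throwaway in-memory key stands in for the AAA server's
// signing key. Go's GenerateKey always uses e=65537, whose base64url form is "AQAB".
func SampleJWKSAndToken() (jwksDoc []byte, token string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwksDoc = []byte(`{"keys":[{"kty":"RSA","kid":"aaa-key-1","e":"AQAB","n":"` + b64.EncodeToString(priv.N.Bytes()) + `"}]}`)
	signing := b64.EncodeToString([]byte(`{"alg":"RS256","kid":"aaa-key-1"}`)) + "." + b64.EncodeToString([]byte(`{"sub":"consumer@example.com"}`))
	sum := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return jwksDoc, signing + "." + b64.EncodeToString(sig)
}
```

A real verifier would additionally cache the JWKS document and check the exp, iss and aud claims after the signature passes.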

User and Role Management

  • User roles are scoped to registered resource servers
  • Provider approval is now performed by the concerned Resource Server admin
  • Default client credentials are now obtained using the API GET /auth/v1/user/clientcredentials instead of being created during role registration

Delegations

  • Consumers are allowed to assign delegates
  • Delegates do not need to register for the delegate role; they only need to be registered on Keycloak
  • Delegations are scoped to a role and a resource server
  • Delegates of consumers and providers may now obtain tokens on behalf of their delegator for entities that their delegator has access to

Trustee Capabilities

  • Users who are trustees of active APDs can now use their client credentials:
    • to search for registered providers and consumers
    • to obtain email addresses of delegates associated with a registered provider or consumer

Admin and Access Policy Domain (APD) Functionalities

  • Resource server creation is now performed by the COS Admin
  • APD creation and APD status updates are now performed by the COS Admin
  • APDs are no longer created in a pending state; they are active immediately

Token Functionalities

  • COS Admins may get identity tokens for the COS item type (itemType:cos) and COS admin role (role:cos_admin)
  • Identity tokens for consumers and providers are now created only if the user has the role approved for the requested resource server
  • All token requests for resource items (itemType:resource) now trigger an Access Policy Domain verification: the AAA server contacts the APD associated with the resource and issues a token only if the APD responds with success

Enhancement

  • Miscellaneous library upgrades and bug fixes

Testing

  • Moved from Postman to REST Assured for integration testing

Full Changelog: v4.5.0...v5.0.0