Highly available, scalable and extendible Identity Provider. It utilises OAuth2 Authorization Framework to retrieve and associate one or many authentication identities (globally unique identifiers) with the unified account.

At this point, only OAuth2 Client Credentials Grant flow is supported.

To build and start playing with the application, execute following shell commands within different terminal tabs:

## Building the development image and running the container with Riak KV within it..
$ ./run-docker.sh
## Building the application and executing an erlang shell.
$ make app shell

IdP could be operated through its REST APIs:

• Authentication
• Account

To make examples in the API reference work, we need to create an account with admin permissions (account that is a member of predefined admin ACL group).

%% We specify an account identifier explicitly just for simplicity reasons
Tokens =
  idp_cli_account:create(
    #{acl => [{<<"admin">>, riakacl_group:new_dt()}]},
    #{aud => <<"example.org">>, expires_in => infinity}),
io:format(
  "ID='~s'~nACCESS_TOKEN='~s'~nREFRESH_TOKEN='~s'~n",
  [ maps:get(id, Tokens),
    maps:get(access_token, Tokens),
    maps:get(refresh_token, Tokens)]).

For authorization examples to work, we also need client's token. Here is how it can be created.

Claims =
  #{aud => <<"idp.example.org">>,
    iss => <<"example.org">>,
    exp => 32503680000,
    sub => <<"John">>},
{ok, Pem} = file:read_file(idp:conf_path(<<"keys/example.priv.pem">>)),
{Alg, Priv} = jose_pem:parse_key(Pem),
ClientToken = jose_jws_compact:encode(Claims, Alg, Priv),
io:format("CLIENT_TOKEN='~s'~n", [ClientToken]).

Finally, we could use the following endpoint URI and tokens issued bellow.

ENDPOINT='https://localhost:8443/api/v1'

The source code is provided under the terms of the MIT license.