authn

package
v0.0.1
Published: Oct 16, 2020 License: Apache-2.0 Imports: 5 Imported by: 0

README

Authentication service

Authentication service provides an API for managing authentication keys.

There are three types of authentication keys:

  • user key - keys issued to the user upon login request
  • API key - keys issued upon the user request
  • recovery key - password recovery key

User keys are issued when a user logs in. Each user request (other than registration and login) carries a user key, which is used to authenticate the user. API keys are similar to user keys; the main difference is that API keys have a configurable expiration time, and if no time is set the key never expires. For that reason, API keys are the only key type that can be revoked. The recovery key is a short-lived token used for the password recovery process.

For an in-depth explanation of the aforementioned scenarios, as well as a thorough understanding of Mainflux, please check out the official documentation.

The following actions are supported:

  • create (all key types)
  • verify (all key types)
  • obtain (API keys only; secret is never obtained)
  • revoke (API keys only)

Configuration

The service is configured using the environment variables presented in the following table. Note that any unset variables will be replaced with their default values.

Variable                   Description                                                              Default
MF_AUTHN_LOG_LEVEL         Service log level (debug, info, warn, error)                             error
MF_AUTHN_DB_HOST           Database host address                                                    localhost
MF_AUTHN_DB_PORT           Database host port                                                       5432
MF_AUTHN_DB_USER           Database user                                                            mainflux
MF_AUTHN_DB_PASSWORD       Database password                                                        mainflux
MF_AUTHN_DB                Name of the database used by the service                                 auth
MF_AUTHN_DB_SSL_MODE       Database connection SSL mode (disable, require, verify-ca, verify-full)  disable
MF_AUTHN_DB_SSL_CERT       Path to the PEM encoded certificate file
MF_AUTHN_DB_SSL_KEY        Path to the PEM encoded key file
MF_AUTHN_DB_SSL_ROOT_CERT  Path to the PEM encoded root certificate file
MF_AUTHN_HTTP_PORT         Authn service HTTP port                                                  8180
MF_AUTHN_GRPC_PORT         Authn service gRPC port                                                  8181
MF_AUTHN_SERVER_CERT       Path to server certificate in PEM format
MF_AUTHN_SERVER_KEY        Path to server key in PEM format
MF_AUTHN_SECRET            String used for signing tokens                                           auth
MF_JAEGER_URL              Jaeger server URL                                                        localhost:6831

Deployment

The service itself is distributed as a Docker container. The following snippet provides a compose file template that can be used to deploy the service container locally:

version: "2"
services:
  authn:
    image: mainflux/authn:[version]
    container_name: [instance name]
    ports:
      - [host machine port]:[configured HTTP port]
    environment:
      MF_AUTHN_LOG_LEVEL: [Service log level]
      MF_AUTHN_DB_HOST: [Database host address]
      MF_AUTHN_DB_PORT: [Database host port]
      MF_AUTHN_DB_USER: [Database user]
      MF_AUTHN_DB_PASS: [Database password]
      MF_AUTHN_DB: [Name of the database used by the service]
      MF_AUTHN_DB_SSL_MODE: [SSL mode to connect to the database with]
      MF_AUTHN_DB_SSL_CERT: [Path to the PEM encoded certificate file]
      MF_AUTHN_DB_SSL_KEY: [Path to the PEM encoded key file]
      MF_AUTHN_DB_SSL_ROOT_CERT: [Path to the PEM encoded root certificate file]
      MF_AUTHN_HTTP_PORT: [Service HTTP port]
      MF_AUTHN_GRPC_PORT: [Service gRPC port]
      MF_AUTHN_SECRET: [String used for signing tokens]
      MF_AUTHN_SERVER_CERT: [String path to server certificate in pem format]
      MF_AUTHN_SERVER_KEY: [String path to server key in pem format]
      MF_JAEGER_URL: [Jaeger server URL]

To start the service outside of the container, execute the following shell script:

# download the latest version of the service
go get gitee.com/shtemmi/iotflux

cd $GOPATH/src/gitee.com/shtemmi/iotflux

# compile the service
make authn

# copy binary to bin
make install

# set the environment variables and run the service
MF_AUTHN_LOG_LEVEL=[Service log level] \
MF_AUTHN_DB_HOST=[Database host address] \
MF_AUTHN_DB_PORT=[Database host port] \
MF_AUTHN_DB_USER=[Database user] \
MF_AUTHN_DB_PASS=[Database password] \
MF_AUTHN_DB=[Name of the database used by the service] \
MF_AUTHN_DB_SSL_MODE=[SSL mode to connect to the database with] \
MF_AUTHN_DB_SSL_CERT=[Path to the PEM encoded certificate file] \
MF_AUTHN_DB_SSL_KEY=[Path to the PEM encoded key file] \
MF_AUTHN_DB_SSL_ROOT_CERT=[Path to the PEM encoded root certificate file] \
MF_AUTHN_HTTP_PORT=[Service HTTP port] \
MF_AUTHN_GRPC_PORT=[Service gRPC port] \
MF_AUTHN_SECRET=[String used for signing tokens] \
MF_AUTHN_SERVER_CERT=[Path to server certificate] \
MF_AUTHN_SERVER_KEY=[Path to server key] \
MF_JAEGER_URL=[Jaeger server URL] \
$GOBIN/mainflux-authn

If MF_EMAIL_TEMPLATE does not point to an existing file, the service will still run, but the password reset functionality will not work.

Usage

For more information about service capabilities and its usage, please check out the API documentation.

Documentation

Index

Constants

const (
	// UserKey is a temporary User key received on successful login.
	UserKey uint32 = iota
	// RecoveryKey represents a key for resetting the password.
	RecoveryKey
	// APIKey enables the one to act on behalf of the user.
	APIKey
)

Variables

var (
	// ErrInvalidKeyIssuedAt indicates that the Key is being used before it's issued.
	ErrInvalidKeyIssuedAt = errors.New("invalid issue time")

	// ErrKeyExpired indicates that the Key is expired.
	ErrKeyExpired = errors.New("use of expired key")
)
var (
	// ErrUnauthorizedAccess represents unauthorized access.
	ErrUnauthorizedAccess = errors.New("unauthorized access")

	// ErrMalformedEntity indicates malformed entity specification (e.g.
	// invalid owner or ID).
	ErrMalformedEntity = errors.New("malformed entity specification")

	// ErrNotFound indicates a non-existing entity request.
	ErrNotFound = errors.New("entity not found")

	// ErrConflict indicates that entity already exists.
	ErrConflict = errors.New("entity already exists")
)

Functions

This section is empty.

Types

type Key

type Key struct {
	ID        string
	Type      uint32
	Issuer    string
	Secret    string
	IssuedAt  time.Time
	ExpiresAt time.Time
}

Key represents API key.

func (Key) Expired

func (k Key) Expired() bool

Expired verifies if the key is expired.

type KeyRepository

type KeyRepository interface {
	// Save persists the Key. A non-nil error is returned to indicate
	// operation failure.
	Save(context.Context, Key) (string, error)

	// Retrieve retrieves Key by its unique identifier.
	Retrieve(context.Context, string, string) (Key, error)

	// Remove removes Key with provided ID.
	Remove(context.Context, string, string) error
}

KeyRepository specifies Key persistence API.

type Service

type Service interface {
	// Issue issues a new Key.
	Issue(context.Context, string, Key) (Key, error)

	// Revoke removes the Key with the provided id that is
	// issued by the user identified by the provided key.
	Revoke(context.Context, string, string) error

	// Retrieve retrieves data for the Key identified by the provided
	// ID, that is issued by the user identified by the provided key.
	Retrieve(context.Context, string, string) (Key, error)

	// Identify validates the token. If the token is valid, its content
	// is returned. If the token is invalid, or the invocation failed for some
	// other reason, a non-nil error value is returned in response.
	Identify(context.Context, string) (string, error)
}

Service specifies an API that must be fulfilled by the domain service implementation and all of its decorators (e.g. logging & metrics).

func New

func New(keys KeyRepository, up mainflux.UUIDProvider, tokenizer Tokenizer) Service

New instantiates the auth service implementation.

type Tokenizer

type Tokenizer interface {
	// Issue converts API Key to its string representation.
	Issue(Key) (string, error)

	// Parse extracts API Key data from string token.
	Parse(string) (Key, error)
}

Tokenizer specifies API for encoding and decoding between string and Key.
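As an added example, and not code from the authn package or the Mainflux project, the stand-alone Go file below implements the Tokenizer contract above over the page's Key type with a hypothetical HMAC-SHA256 token layout (base64url JSON claims, a dot, base64url MAC) and applies the README's rules when parsing: the key secret is never placed in the token, a zero ExpiresAt means the API key never expires, and a token fails with ErrInvalidKeyIssuedAt or ErrKeyExpired on the two time checks. The hmacTokenizer type and its token format are assumptions; the project's own tokenizer is not shown on this page.

```go
package main

import "crypto/hmac"
import "crypto/sha256"
import "encoding/base64"
import "encoding/json"
import "errors"
import "strings"
import "time"

const APIKey uint32 = 2 // value of APIKey in the page's iota block (UserKey 0, RecoveryKey 1)
var ErrInvalidKeyIssuedAt = errors.New("invalid issue time")
var ErrKeyExpired = errors.New("use of expired key")
var ErrUnauthorizedAccess = errors.New("unauthorized access")
type Key struct { // same fields as the page's Key
	ID, Issuer, Secret  string
	Type                uint32
	IssuedAt, ExpiresAt time.Time
}
// Expired treats a zero ExpiresAt as "never expires", the API-key case the README describes.
func (k Key) Expired() bool { return !k.ExpiresAt.IsZero() && time.Now().After(k.ExpiresAt) }
// hmacTokenizer is a hypothetical Tokenizer (not the project's): base64url(JSON).base64url(HMAC-SHA256).
type hmacTokenizer struct{ secret []byte }
func (t hmacTokenizer) sign(body string) string {
	m := hmac.New(sha256.New, t.secret)
	m.Write([]byte(body))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}
func (t hmacTokenizer) Issue(k Key) (string, error) {
	k.Secret = "" // the README says the secret is never obtained, so it never rides in the token
	claims, _ := json.Marshal(k) // Key has only exported, JSON-safe fields
	body := base64.RawURLEncoding.EncodeToString(claims)
	return body + "." + t.sign(body), nil
}
// Parse checks the MAC in constant time before decoding, then applies the page's two time errors.
func (t hmacTokenizer) Parse(token string) (k Key, err error) {
	body, mac, ok := strings.Cut(token, ".")
	if !ok || !hmac.Equal([]byte(t.sign(body)), []byte(mac)) {
		return Key{}, ErrUnauthorizedAccess
	}
	if raw, e := base64.RawURLEncoding.DecodeString(body); e != nil || json.Unmarshal(raw, &k) != nil {
		return Key{}, ErrUnauthorizedAccess
	}
	if k.IssuedAt.After(time.Now()) {
		return Key{}, ErrInvalidKeyIssuedAt
	} else if k.Expired() {
		return Key{}, ErrKeyExpired
	}
	return k, nil
}
```

The signing secret plays the role MF_AUTHN_SECRET plays for the service, whose documented default "auth" is a value a deployment should replace.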

Directories

Path      Synopsis
api       Package api contains implementation of AuthN service HTTP API.
grpc      Package grpc contains implementation of AuthN service gRPC API.
postgres  Package postgres contains Key repository implementations using PostgreSQL as the underlying database.
tracing   Package tracing contains middlewares that will add spans to existing traces.
