Copyright © 2015-2016 by UPM.
The Identity Manager (IdM) GE API specifications comply with existing standards for authentication and for user and access information. The following sections provide pointers to those standards and, when applicable, details about how the RESTful binding works.
This specification is intended for Service Consumers (with development skills) and Cloud Providers. For the former, this document provides a full specification of how to interoperate with the Identity Management Service API. For the latter, it indicates the interface that must be provided to client application developers to deliver the described functionality. To use this information, the reader should first have a general understanding of the Generic Enabler service.
The API user should be familiar with:
RESTful web services
HTTP/1.1
JSON and/or XML data serialization formats.
SCIM 2.0
OAuth 2.0
This is a work in progress and is changing on a daily basis. Please send your comments to the FIWARE IdM GitHub project.
This specification is licensed under the FIWARE Open Specification License (implicit patent license).
As the Keyrock back-end is based on OpenStack Keystone, it fully implements the Keystone APIs. You can check them in the OpenStack Identity API v3 specification. OpenStack also provides Identity API curl examples that show how the API works.
In order to manage the other entities that only Keyrock offers, you have to use the extension APIs explained below. These APIs are exposed by the back-end, NOT the front-end.
Consumers are the Applications registered in Keyrock to consume OAuth2 resources.
Id of the consumer.
Id of the role.
Id of the permission.
Id of the role.
Id of the permission.
Id of the role.
Id of the application.
Id of the role.
Id of the user.
Id of the application.
Id of the organization.
Id of the role.
Id of the user.
Id of the application.
Id of the organization.
Id of the role.
Either user_id or user_name (along with domain_id or domain_name) must be provided.
Parameters
ID of the domain that the user belongs to.
Name of the domain that the user belongs to.
ID of the user to be checked.
Name of the user to be checked.
ID of the user.
ID of the user.
Either user_id or user_name and domain_name must be provided. The parameter device_token is required when providing device_id.
Parameters
ID of the device to be remembered, none if new one.
Current token of the device, none if new one.
Name of the domain that the user belongs to.
ID of the user.
Name of the user.
Either user_id or user_name and domain_name must be provided.
Parameters
ID of the device to be checked.
Current token of the device to be checked.
Name of the domain that the user belongs to.
ID of the user.
Name of the user.
The IdM provides several authentication mechanisms. Any of them can be used to access the SCIM 2.0 API.
Access to the SCIM 2.0 API (except ServiceProvider calls) is only allowed for administrators; access attempts performed by non-admin users are answered with HTTP 401 (Unauthorized).
The examples below use version 2.0 of the API; version 1.1 is also supported. To use version 1.1, replace v2 with v1 in the examples below. For organizations, only v2 is available.
Just like Keystone extensions, these APIs are exposed by the back-end NOT the front-end.
Id of the user.
Id of the organization.
"Information" provides the number of total users, total organizations (not counting the default organizations), cloud organizations, and the number of each type of user (basic, trial and community).
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"links": {
"self": "http://host/v3/OS-OAUTH2/consumers",
"previous": null,
"next": null
},
"consumers": [
{
"scopes": [
"all_info"
],
"redirect_uris": [
"http://my_app/login"
],
"img_small": "ApplicationAvatar/small/asdasdasdasdasdad",
"name": "App test",
"links": {
"self": "http://host/v3/OS-OAUTH2/consumers/asdasdasdasdasdad"
},
"extra": {
"url": "http://app.com",
"img_original": "ApplicationAvatar/original/asdasdasdasdasdad",
"img_small": "ApplicationAvatar/small/asdasdasdasdasdad",
"img_medium": "ApplicationAvatar/medium/asdasdasdasdasdad"
},
"url": "http://app.com",
"img_original": "ApplicationAvatar/original/asdasdasdasdasdad",
"client_type": "confidential",
"response_type": "code",
"img_medium": "ApplicationAvatar/medium/asdasdasdasdasdad",
"grant_type": "authorization_code",
"id": "asdasdasdasdasdad",
"description": "App test"
}
]
}
Headers
Content-Type: application/json
X-Auth-token: token
Body
{
"consumer": {
"name": "test_consumer",
"description": "my test consumer",
"client_type": "confidential",
"redirect_uris": [
"http://localhost/login"
],
"grant_type": "authorization_code",
"scopes": [
"all_info"
]
}
}
Headers
Content-Type: application/json
Body
{
"consumer": {
"scopes": [
"all_info"
],
"redirect_uris": [
"http://localhost/login"
],
"description": "my test consumer",
"links": {
"self": "http://host/v3/OS-OAUTH2/consumers/308423904823490234923"
},
"extra": {},
"secret": "3534535345345",
"client_type": "confidential",
"response_type": "code",
"grant_type": "authorization_code",
"id": "308423904823490234923",
"name": "test_consumer"
}
}
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"consumer": {
"scopes": [
"all_info"
],
"redirect_uris": [
"http://app.com/v1/login_fiware"
],
"img_small": "ApplicationAvatar/small/dddjajdsajd23234232342",
"name": "App test",
"links": {
"self": "http://host/v3/OS-OAUTH2/consumers/dddjajdsajd23234232342"
},
"extra": {
"url": "http://app.com/v1",
"img_original": "ApplicationAvatar/original/dddjajdsajd23234232342",
"img_small": "ApplicationAvatar/small/dddjajdsajd23234232342",
"img_medium": "ApplicationAvatar/medium/dddjajdsajd23234232342"
},
"url": "http://app.com/v1",
"img_original": "ApplicationAvatar/original/dddjajdsajd23234232342",
"description": "App test",
"secret": "43534534535345345345345",
"client_type": "confidential",
"response_type": "code",
"grant_type": "authorization_code",
"id": "dddjajdsajd23234232342",
"img_medium": "ApplicationAvatar/medium/dddjajdsajd23234232342"
}
}
Headers
Content-Type: application/json
X-Auth-token: token
Body
{
"consumer": {
"field_to_update": "value",
"another_field_to_update": [
"another_value"
]
}
}
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"links": {
"self": "http://host/v3/OS-ROLES/roles",
"previous": null,
"next": null
},
"roles": [
{
"is_internal": false,
"application_id": "3123123131fg12f3g1f23g1jjjhg123h",
"id": "312312384578231j312gff2h3782318",
"links": {
"self": "http://host/v3/OS-ROLES/roles/312312384578231j312gff2h3782318"
},
"name": "admin1"
},
{
"is_internal": false,
"application_id": "23123897182903712893712h3dh1031sd3",
"id": "90834823948209f0sdf8jf82kr820384",
"links": {
"self": "http://host/v3/OS-ROLES/roles/90834823948209f0sdf8jf82kr820384"
},
"name": "test"
}
]
}
Headers
Content-Type: application/json
X-Auth-token: token
Body
{
"role": {
"name": "test_role",
"application_id": "2222"
}
}
Headers
Content-Type: application/json
Body
{
"role": {
"is_internal": false,
"application_id": "2222",
"id": "308423904823490234923",
"links": {
"self": "http://host/v3/OS-ROLES/roles/308423904823490234923"
},
"name": "test_consumer"
}
}
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"role": {
"is_internal": false,
"application_id": "3893298128973173d9173712d3",
"id": "213412312jsd3jsj3812s3123",
"links": {
"self": "http://host/v3/OS-ROLES/roles/213412312jsd3jsj3812s3123"
},
"name": "physician"
}
}
Headers
Content-Type: application/json
X-Auth-token: token
Body
{
"role": {
"name": "test_role_new",
"application_id": "2222"
}
}
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"links": {
"self": "http://host/v3/OS-ROLES/permissions",
"previous": null,
"next": null
},
"permissions": [
{
"xml": "",
"resource": "radio",
"name": "Access",
"links": {
"self": "http://host/v3/OS-ROLES/permissions/723893988932183717434rhejas"
},
"is_internal": false,
"action": "GET",
"application_id": "3423423424c234cx2342c",
"id": "723893988932183717434rhejas"
},
{
"xml": "",
"resource": "/ui/resource1",
"name": "identify resource1",
"links": {
"self": "http://host/v3/OS-ROLES/permissions/3987429348'3239234234"
},
"is_internal": false,
"action": "POST",
"application_id": "234234xc43242c",
"id": "3987429348'3239234234"
}
]
}
Headers
Content-Type: application/json
X-Auth-token: token
Body
{
"permission": {
"name": "test_permission",
"application_id": "2222"
}
}
Headers
Content-Type: application/json
Body
{
"permission": {
"xml": null,
"resource": null,
"name": "test_consumer",
"links": {
"self": "http://host/v3/OS-ROLES/permissions/1283798173489734892734983"
},
"is_internal": false,
"action": null,
"application_id": "2222",
"id": "1283798173489734892734983"
}
}
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"permission": {
"xml": "",
"resource": "/enterprise/edit",
"name": "Enterprise",
"links": {
"self": "http://host/v3/OS-ROLES/permissions/21897318273128937sh12a1"
},
"is_internal": false,
"action": "GET",
"application_id": "23129371237917f17fd07102d7",
"id": "21897318273128937sh12a1"
}
}
Headers
Content-Type: application/json
X-Auth-token: token
Body
{
"permission": {
"name": "test_permission",
"application_id": "2222"
}
}
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"links": {
"self": "http://host/v3/OS-ROLES/permissions",
"previous": null,
"next": null
},
"permissions": [
{
"xml": null,
"resource": "res2",
"name": "getInfo",
"links": {
"self": "http://host/v3/OS-ROLES/permissions/23780128371283701238712307"
},
"is_internal": false,
"action": "GET",
"application_id": "asdasdasd12313213123",
"id": "23780128371283701238712307"
}
]
}
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"role_assignments": [
{
"organization_id": "32163781263892173912312",
"application_id": "12312301293-80181902380",
"user_id": "30891239081038123",
"role_id": "12331234"
},
{
"organization_id": "00000000000000000000000000000frb",
"application_id": "645765889gsdfadsasd",
"user_id": "4341234213423234234",
"role_id": "4324234"
}
]
}
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
X-Auth-token: token
Body
{
"two_factor_auth": {
"security_question":"sample question",
"security_answer":"sample answer"
}
}
Headers
Content-Type: application/json
Body
{
"two_factor_auth": {
"two_factor_key": "TSLX244ZPTDFTF43",
"user_id": "user0",
"links": {
"self": "http://localhost:5000/v3/OS-TWOFACTOR/two_factor_auth"
},
"uri": "otpauth://totp/FIWARE%20Lab%20Accounts:user0@test.com?secret=TSLX244ZPTDFTF43&issuer=FIWARE%20Lab%20Accounts",
"security_answer": "sample answer",
"security_question": "sample question"
}
}
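As an added illustration (not part of the original specification or of Keyrock's own code), the following Python checks an enrollment response like the one above: it parses the otpauth URI, confirms the URI's secret matches two_factor_key, and implements the RFC 6238 TOTP computation that a verifier would run, so the server-side check can be exercised offline. The sample response is constructed from the page's example values; the helper names are this example's own.

```python
import base64, hmac, hashlib, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample built from the two_factor_auth response shown above
# (the secret is the page's sample value, not a real key).
SAMPLE_RESPONSE = {
    "two_factor_auth": {
        "two_factor_key": "TSLX244ZPTDFTF43",
        "user_id": "user0",
        "uri": "otpauth://totp/FIWARE%20Lab%20Accounts:user0@test.com"
               "?secret=TSLX244ZPTDFTF43&issuer=FIWARE%20Lab%20Accounts",
    }
}

def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into issuer, account and base32 secret."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    label = unquote(u.path.lstrip("/"))           # "Issuer:account"
    issuer_label, _, account = label.partition(":")
    q = parse_qs(u.query)
    return {"issuer": q.get("issuer", [issuer_label])[0],
            "account": account, "secret": q["secret"][0]}

def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(at_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_code(secret_b32, code, at_time=None, window=1):
    """Accept a code from the current step or its +/- `window` neighbours
    (clock skew); compare in constant time so timing leaks nothing."""
    now = int(time.time()) if at_time is None else int(at_time)
    return any(hmac.compare_digest(totp(secret_b32, now + k * 30), code)
               for k in range(-window, window + 1))

def check_enrollment(resp):
    """The secret embedded in the URI must equal the key the server reports;
    otherwise the authenticator app and the server would never agree."""
    tfa = resp["two_factor_auth"]
    parsed = parse_otpauth(tfa["uri"])
    return parsed["secret"] == tfa["two_factor_key"], parsed
```

The TOTP routine can be checked against the RFC 6238 test vectors (secret "12345678901234567890", 8 digits, T=59 gives 94287082).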
Headers
Content-Type: application/json
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"two_factor_auth": {
"two_factor_key": "O3JGFSSJZHQL24Q6",
"user_id": "user_0",
"links": {
"self": "http://localhost:5000/v3/OS-TWOFACTOR/two_factor_auth"
},
"uri": "otpauth://totp/FIWARE%20Lab%20Accounts:user0@test.com?secret=O3JGFSSJZHQL24Q6&issuer=FIWARE%20Lab%20Accounts",
"security_answer": "sample answer",
"security_question": "sample question"
}
}
Headers
X-Auth-token: token
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"two_factor_auth": {
"security_question": "sample question",
"user_id": "user0",
"links": {
"self": "http://localhost:5000/v3/OS-TWOFACTOR/two_factor_auth"
}
}
}
Headers
Content-Type: application/json
X-Auth-token: token
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"two_factor_auth": {
"device_token": "7525dc5bc8134b4a97526bcd7e45175e",
"links": {
"self": "http://localhost:5000/v3/OS-TWOFACTOR/two_factor_auth"
},
"device_id": "815dfb0790934775bc8dac15f197a1f0"
}
}
Headers
X-Auth-token: token
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"totalResults": 12,
"Resources": [...],
"schemas": [
"urn:scim:schemas:core:2.0",
"urn:scim:schemas:extension:keystone:2.0"
]
}
Headers
Content-Type: application/json
X-Auth-token: token
Body
{
"userName": "alice",
"displayName": "Alice",
"password": "passw0rd",
"emails": [
{
"value": "alice@mailhost.com"
}
]
}
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"userName": "user1@user.com",
"urn:scim:schemas:extension:keystone:2.0": {
"domain_id": "default"
},
"active": true,
"id": "user1",
"schemas": [
"urn:scim:schemas:core:2.0",
"urn:scim:schemas:extension:keystone:2.0"
]
}
Headers
Content-Type: application/json
X-Auth-token: token
Body
{
"userName": "alice",
"displayName": "Alice",
"password": "passw0rd_new",
"emails": [
{
"value": "alice@mailhost.com"
}
]
}
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"totalResults": 24,
"Resources": [...],
"schemas": [
"urn:scim:schemas:core:2.0",
"urn:scim:schemas:extension:keystone:2.0"
]
}
Headers
Content-Type: application/json
X-Auth-token: token
Body
{
"name": "Name of organization",
"is_default": true,
"domain_id": "domain",
"active": true,
"id": "ID"
}
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"name": "org1",
"is_default": true,
"urn:scim:schemas:extension:keystone:2.0": {
"domain_id": "default"
},
"active": true,
"id": "22928e07c0bd4063a7f0bb8c826b0a18",
"schemas": [
"urn:scim:schemas:core:2.0",
"urn:scim:schemas:extension:keystone:2.0"
]
}
Headers
Content-Type: application/json
X-Auth-token: token
Body
{
"name": "New name of organization",
"is_default": true,
"domain_id": "domain",
"active": true,
"id": "ID"
}
Headers
Content-Type: application/json
Headers
X-Auth-token: token
Headers
Content-Type: application/json
Body
{
"sort": {
"supported": false
},
"bulk": {
"maxPayloadSize": 0,
"supported": false,
"maxOperations": 0
},
"changePassword": {
"supported": true
},
"xmlDataFormat": {
"supported": false
},
"information": {
"basicUsers": 1,
"totalCloudOrganizations": 12,
"totalUserOrganizations": 24,
"communityUsers": 0,
"totalUsers": 12,
"trialUsers": 0,
"totalResources": 48
},
"documentationUrl": "https://github.com/ging/fi-ware-idm/wiki/SCIM-2.0-API",
"patch": {
"supported": true
},
"filter": {
"supported": true,
"maxResults": 9223372036854775807
},
"etag": {
"supported": false
},
"schemas": [
"urn:scim:schemas:core:2.0:ServiceProviderConfig"
],
"authenticationSchemes": [
{
"name": "Keytone Authentication",
"documentationUrl": "http://keystone.openstack.org/",
"primary": true,
"specUrl": "http://specs.openstack.org/openstack/keystone-specs",
"type": "keystonetoken",
"description": "Authentication using Keystone"
}
]
}
The editors would like to express their gratitude to all the people that have contributed to this specification.