INDIGO Identity and Access Management Service

Home Page: https://indigo-iam.github.io/

License: Other

identity iam indigo-identity scim indigo-datacloud oauth2 authentication


INDIGO Identity and Access Management (IAM) service


The INDIGO IAM is an Identity and Access Management service first developed in the context of the INDIGO-Datacloud Horizon 2020 project, and currently maintained and developed by INFN.

Main features

What's new

See the changelog.

Documentation

See the IAM documentation.

Developer guide

See the contributing document.

License

Apache License, Version 2.0

Acknowledgements

INDIGO IAM developers use YourKit Java Profiler to provide useful insights into the performance of this Java application.


Issues

Support for displaying and managing hierarchical groups

This issue tracks the dashboard development for introducing support for hierarchical/nested groups in the IAM (#81).

The groups part of the dashboard is modified to:

  • Show the hierarchical structure of groups
  • Provide the ability to specify a parent group at group creation time
  • In the group display page, provide a "create subgroup" button that allows creating a subgroup

Remember IDP selection

Great work IAM team.

If I may suggest a feature, it would be nice if, when I'm using SAML credentials, after the first IdP selection the WAYF form remembered my selection.

In my WAYF I used a drop down menu that permits users to select one of the following options:

  • 'Do not remember'
  • 'Remember for session'
  • 'Remember for a week'

Selecting an option simply sets a browser cookie with that duration.

Best regards.
Diego

(screenshot: 2016-10-20, 14:51:05)

Automate IAM deployment test

The deployment test, relying on docker-compose, should start the service, run the test suite against it and report the results.

Migrate RestAssured tests to MockMvc

Migrate the existing SCIM API tests to MockMVC, trying to split things in a way that avoids test classes thousands of lines long and avoids duplicating code.
Inspiration should come from:

https://github.com/indigo-iam/iam/blob/fix/119/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/x509/ScimX509Tests.java

Test classes should ideally only contain tests and inherit fixture from support/utility classes.
MockMVC tests are inherently idempotent (the transaction linked to each test is rolled back after the test, so no particular care is required for cleanup).

Scope policies management API

This issue tracks design/development of scope policy support in the IAM.

Scope policies provide a way to limit access to scopes only to specific users/groups.

Scope policies are managed by IAM administrators through a scope policy management API that allows listing, creating and modifying scope policies for specific users/groups.
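An added example of how policies managed by such an API could be evaluated at token issuance time (this is illustration code, not INDIGO IAM's implementation; the policy model with PERMIT/DENY rules bound to an account, a group, or nobody, and the "most specific policy wins, DENY beats PERMIT" ordering, are assumptions made for this example):

```python
# Added example (not INDIGO IAM code): evaluating scope policies that limit
# scopes to specific users or groups. The policy model is an assumption.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class ScopePolicy:
    scope: str
    rule: str                      # "PERMIT" or "DENY"
    account: Optional[str] = None  # bind the policy to one username
    group: Optional[str] = None    # bind the policy to members of a group

@dataclass(frozen=True)
class Account:
    username: str
    groups: frozenset = field(default_factory=frozenset)

def applies(policy: ScopePolicy, account: Account) -> bool:
    if policy.account is not None:
        return policy.account == account.username
    if policy.group is not None:
        return policy.group in account.groups
    return True  # bound to neither user nor group: applies to everyone

def specificity(policy: ScopePolicy) -> int:
    # account-level rules beat group-level rules, which beat global rules
    return 2 if policy.account is not None else 1 if policy.group is not None else 0

def filter_scopes(requested, account, policies):
    """Return the requested scopes the account is allowed to obtain.

    For each scope only the most specific applicable policies are decisive;
    among those a single DENY wins. A scope with no matching policy stays
    unrestricted (assumption: policies are an opt-in restriction).
    """
    allowed = []
    for scope in requested:
        applicable = [p for p in policies if p.scope == scope and applies(p, account)]
        if not applicable:
            allowed.append(scope)
            continue
        top = max(specificity(p) for p in applicable)
        decisive = [p for p in applicable if specificity(p) == top]
        if all(p.rule == "PERMIT" for p in decisive):
            allowed.append(scope)
    return allowed

# Constructed sample: storage.write is denied by default, permitted for the
# storage-admins group, and explicitly denied to one member of that group.
POLICIES = [
    ScopePolicy("storage.write", "DENY"),
    ScopePolicy("storage.write", "PERMIT", group="storage-admins"),
    ScopePolicy("storage.write", "DENY", account="mallory"),
]
ALICE = Account("alice", frozenset({"storage-admins"}))
BOB = Account("bob")
MALLORY = Account("mallory", frozenset({"storage-admins"}))
REQUESTED = ["openid", "storage.read", "storage.write"]

if __name__ == "__main__":
    for acct in (ALICE, BOB, MALLORY):
        print(acct.username, filter_scopes(REQUESTED, acct, POLICIES))
```

Scopes that survive the filter are what the token is actually issued with; a client asking for more simply gets less, which is the behaviour the issue describes ("limit access to scopes only to specific users/groups") rather than an error.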

Replace "find access/refresh token for user" inefficient query implementation with logic that leverages database joins and indexes

The MitreID implementation of "find all valid access/refresh tokens for user" loads all issued tokens in memory and then filters by user id:

https://github.com/indigo-iam/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java#L93-L120

This is hardly scalable.
Change the code to let the DB do the joining and filtering.
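The two approaches side by side, as an added example that is neither MitreID nor INDIGO IAM code: the table and column names are assumptions chosen only to resemble the MitreID token schema, and SQLite stands in for the production database so the example runs offline.

```python
# Added example (not MitreID or INDIGO IAM code): "load everything and filter
# in application code" next to a join that lets the database use its indexes.
import sqlite3

SCHEMA = """
CREATE TABLE authentication_holder (
    id      INTEGER PRIMARY KEY,
    user_id TEXT NOT NULL
);
CREATE TABLE access_token (
    id             INTEGER PRIMARY KEY,
    token_value    TEXT NOT NULL,
    expiration     INTEGER NOT NULL,
    auth_holder_id INTEGER NOT NULL REFERENCES authentication_holder(id)
);
CREATE INDEX ix_holder_user  ON authentication_holder(user_id);
CREATE INDEX ix_token_holder ON access_token(auth_holder_id);
"""

JOIN_QUERY = """
SELECT t.token_value
FROM access_token t
JOIN authentication_holder h ON h.id = t.auth_holder_id
WHERE h.user_id = ? AND t.expiration > ?
ORDER BY t.token_value
"""

NOW = 1_000_000  # fixed "current time" so the constructed data is deterministic

def build_db(n_users=50, tokens_per_user=20):
    """Constructed sample data: every user holds tokens, half of them expired."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for u in range(n_users):
        hid = conn.execute("INSERT INTO authentication_holder (user_id) VALUES (?)",
                           (f"user{u}",)).lastrowid
        for j in range(tokens_per_user):
            exp = NOW + 3600 if j % 2 == 0 else NOW - 3600
            conn.execute("INSERT INTO access_token (token_value, expiration, auth_holder_id)"
                         " VALUES (?, ?, ?)", (f"tok-{u}-{j:02d}", exp, hid))
    conn.commit()
    return conn

def valid_tokens_in_memory(conn, user_id, now=NOW):
    """The pattern the issue objects to: every token row crosses the wire, then
    the application discards all but the ones for this user."""
    rows = conn.execute("SELECT t.token_value, t.expiration, h.user_id FROM access_token t "
                        "JOIN authentication_holder h ON h.id = t.auth_holder_id").fetchall()
    return sorted(v for v, exp, uid in rows if uid == user_id and exp > now)

def valid_tokens_with_join(conn, user_id, now=NOW):
    """Filtering in SQL: only this user's live tokens are ever read."""
    return [r[0] for r in conn.execute(JOIN_QUERY, (user_id, now))]

def plan_uses_index(conn, user_id="user1", now=NOW):
    """Check the optimiser actually picks one of the indexes for the join query."""
    plan = conn.execute("EXPLAIN QUERY PLAN " + JOIN_QUERY, (user_id, now)).fetchall()
    return any("ix_holder_user" in row[-1] or "ix_token_holder" in row[-1] for row in plan)

if __name__ == "__main__":
    db = build_db()
    print(valid_tokens_with_join(db, "user7"))
    print("index used:", plan_uses_index(db))
```

The `EXPLAIN QUERY PLAN` check is the part worth keeping in a regression test: a later schema change that drops an index, or an ORM that silently rewrites the query, will flip it back to a full scan without any functional test noticing.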

Migrate client management to IAM dashboard

Currently the IAM leverages the MitreID connect dashboard for client management.
The client management frontend code should be migrated to the IAM angular dashboard, in order to provide a more consistent web application.

Nested groups

Currently groups are flat in the IAM.

Add support for enforcing a hierarchical structure over groups. This issue tracks development of
the support for nested groups in the IAM SCIM APIs, while dashboard changes are tracked in #88.

Subtasks

  • Changes to the database to have the hierarchical structure reflected in the IAM groups table
  • Changes to SCIM API to allow for creation of nested groups
  • Tests covering nested group creation and removal

Changes to the database

The parent/child relationship can be easily created with a nullable one-to-many association between a parent and its children. Groups with a null parent are placed at the first level of the hierarchy.

Changes to SCIM API to allow for creation/removal of nested groups

SCIM supports nested groups by allowing a group to be listed as a member of the parent group.
Our current implementation only supports members of type user. The implementation must be changed to support addition/removal of subgroups.

The addition of a subgroup is possible only at group creation time. We are not going to
support "moving" groups in the hierarchical structure.

Tests

Tests, implemented in MockMVC, check the correct behavior of nested group management operations.
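An added example (illustration code, not the IAM's own schema or SCIM implementation) of the three pieces together: a self-referencing nullable parent column, SCIM-style `members` that mix `User` and `Group` entries, and the rule that a subgroup's parent is fixed at creation time. SQLite is used so it runs offline; table and column names are assumptions.

```python
# Added example (not INDIGO IAM code): nested groups with a nullable parent
# reference, exposed through SCIM-style member lists.
import sqlite3

SCHEMA = """
CREATE TABLE iam_group (
    id        INTEGER PRIMARY KEY,
    name      TEXT NOT NULL UNIQUE,
    parent_id INTEGER REFERENCES iam_group(id)  -- NULL marks a top-level group
);
CREATE TABLE iam_group_member (
    group_id  INTEGER NOT NULL REFERENCES iam_group(id),
    user_name TEXT NOT NULL,
    PRIMARY KEY (group_id, user_name)
);
"""

def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def group_id(conn, name):
    row = conn.execute("SELECT id FROM iam_group WHERE name = ?", (name,)).fetchone()
    if row is None:
        raise KeyError(f"no such group: {name}")
    return row[0]

def create_group(conn, name, parent=None):
    # The parent is fixed at creation time and must already exist, so a group
    # can never become its own ancestor and no cycle check is needed.
    parent_id = group_id(conn, parent) if parent is not None else None
    cur = conn.execute("INSERT INTO iam_group (name, parent_id) VALUES (?, ?)",
                       (name, parent_id))
    return cur.lastrowid

def add_user(conn, group, user_name):
    conn.execute("INSERT INTO iam_group_member (group_id, user_name) VALUES (?, ?)",
                 (group_id(conn, group), user_name))

def scim_members(conn, group):
    """SCIM 'members' value: users plus direct subgroups, told apart by 'type'."""
    gid = group_id(conn, group)
    members = [{"value": u, "type": "User"} for (u,) in conn.execute(
        "SELECT user_name FROM iam_group_member WHERE group_id = ? ORDER BY user_name", (gid,))]
    members += [{"value": str(cid), "display": cname, "type": "Group"} for cid, cname in conn.execute(
        "SELECT id, name FROM iam_group WHERE parent_id = ? ORDER BY name", (gid,))]
    return members

def path(conn, group):
    """Group names from the top-level ancestor down to the group itself."""
    names = []
    row = conn.execute("SELECT name, parent_id FROM iam_group WHERE name = ?", (group,)).fetchone()
    while row is not None:
        names.append(row[0])
        row = conn.execute("SELECT name, parent_id FROM iam_group WHERE id = ?", (row[1],)).fetchone()
    return names[::-1]

def move_group(conn, group, new_parent):
    # Matches the issue: re-parenting is not a supported operation.
    raise NotImplementedError("moving groups within the hierarchy is not supported")

def remove_group(conn, group):
    gid = group_id(conn, group)
    if conn.execute("SELECT 1 FROM iam_group WHERE parent_id = ?", (gid,)).fetchone():
        raise ValueError(f"{group} still has subgroups; remove them first")
    conn.execute("DELETE FROM iam_group_member WHERE group_id = ?", (gid,))
    conn.execute("DELETE FROM iam_group WHERE id = ?", (gid,))

if __name__ == "__main__":
    db = connect()
    create_group(db, "cms")
    create_group(db, "analysis", parent="cms")
    add_user(db, "cms", "alice")
    print(scim_members(db, "cms"), path(db, "analysis"))
```

Refusing to delete a group that still has children (rather than cascading) is a deliberate choice here: a cascade would silently drop memberships several levels down, which is exactly the kind of change an audit log should not have to reconstruct afterwards.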

Provide basic client registration/integration guide

When registering clients, people often feel confused about what options should be selected, what the difference between a client and a protected resource is, etc.

Provide a section on client registration in the IAM documentation, with a brief description of the main OAuth/OIDC roles and what people should do when registering a client.

SAML Attribute Authorities management API

This work is part of introducing support for SAML Attribute Authorities (AA) in the IAM.

The SAML AA management API provides IAM administrators with the ability to manage SAML AA configuration, and in particular:

  • List the currently configured SAML AAs
  • Create, read, update and delete a SAML AA configuration

Improved audit log

Currently interesting audit events are logged together with other logging information in the IAM service log. Provide a separate log specific for audit events.

Plan

Define a separate SLF4J logger, and use this logger to log about interesting events.

The log message format should be consistent and well defined and provide information about who did what on the system.

Interesting events

  • Login events (successful logins and errors)
  • User events
    • user creation/removal
    • Profile changes events
      • activation changes
      • name/surname/email/password/username/picture changes
      • add/remove ssh keys
      • add/remove certificates
  • Group events
    • creation/removal
    • Membership events (add to/remove from groups)
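An added example (not the IAM's implementation) of the plan above: a dedicated logger that does not propagate to the service log, and a single fixed record layout (who, what, target, outcome, details) so that every event listed in the issue is written the same way. The event names and the JSON-lines format are assumptions made for this example.

```python
# Added example (not INDIGO IAM code): a separate audit logger emitting one
# JSON line per event with a fixed set of keys.
import json
import logging
import time

audit_log = logging.getLogger("iam.audit")
audit_log.setLevel(logging.INFO)
audit_log.propagate = False  # audit events never reach the root/service handlers

class ListHandler(logging.Handler):
    """Collects formatted lines in memory; a deployment would use a file handler."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

handler = ListHandler()
handler.setFormatter(logging.Formatter("%(message)s"))
audit_log.addHandler(handler)

def audit(event, principal, target, outcome="success", ts=None, **details):
    """Record who (principal) did what (event) to whom (target), with what outcome."""
    entry = {
        "ts": ts if ts is not None else time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "event": event,
        "principal": principal,
        "target": target,
        "outcome": outcome,
        "details": details,
    }
    # json.dumps escapes newlines and quotes in attacker-supplied values such as
    # usernames, so one event is always exactly one line and cannot forge a second
    line = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    audit_log.info(line)
    return line

# Convenience wrappers following the event categories listed in the issue
def login_success(username, ts=None):
    return audit("LOGIN", username, username, ts=ts)

def login_failure(username, reason, ts=None):
    return audit("LOGIN", username, username, outcome="failure", ts=ts, reason=reason)

def user_created(admin, username, ts=None):
    return audit("USER_CREATE", admin, username, ts=ts)

def profile_change(actor, username, attribute, ts=None):
    # attribute is the field name only; never log the new value of a password
    return audit("USER_PROFILE_CHANGE", actor, username, ts=ts, attribute=attribute)

def group_membership(admin, username, group, added, ts=None):
    event = "GROUP_MEMBER_ADD" if added else "GROUP_MEMBER_REMOVE"
    return audit(event, admin, username, ts=ts, group=group)

def recorded():
    """Parsed copy of everything written so far (for tests and quick inspection)."""
    return [json.loads(line) for line in handler.lines]

if __name__ == "__main__":
    login_failure("eve\nts=1970 event=LOGIN principal=admin", "bad password")
    profile_change("alice", "alice", "password")
    group_membership("admin", "bob", "cms", added=True)
    print("\n".join(handler.lines))
```

The constructed username in the `__main__` block carries a newline and a fake record: in a plain text format that would appear as a second, forged audit line; in the JSON form it is escaped inside the `principal` string, which is the property to keep when choosing whatever format the service finally adopts.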

"openid" scope should be selected by default

According to OpenID's specification (https://openid.net/specs/openid-connect-basic-1_0.html#Scopes) the "openid" scope is mandatory. However, a user can uncheck it (actually, it is not checked by default), therefore a request using a scope like "openid profile" will fail with the following error:

RESP BODY: {"error":"invalid_scope","error_description":"Invalid scope; requested:[openid, profile]","scope":"address phone email profile"}

I think that "openid" should be uncheckable, or at least it should be checked by default.

Fix audience management in token exchange granter

The token exchange granter is currently too restrictive in how it handles the audience request parameter:

https://github.com/indigo-iam/iam/blob/master/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/TokenExchangeTokenGranter.java#L72

The audience should be optional, and should only be used to add an "aud" field to the new issued token, to scope it to only a given set of resources.

OTOH, now it is wrongly used to resolve the client that receives the delegation:
https://github.com/indigo-iam/iam/blob/master/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/TokenExchangeTokenGranter.java#L78

The logic should be changed as follows:

  • the client that receives the delegation is the client requesting it (i.e. the one that authenticates to the token endpoint)
  • the client that is delegating is resolved from the incoming subject_token
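An added example of the corrected logic (illustration code, not the IAM's `TokenExchangeTokenGranter`): the receiving client is whoever authenticated at the token endpoint, the delegating client comes from looking up the `subject_token`, and `audience` only ever narrows the new token's `aud`. The in-memory token store, the per-client exchange policy and the shape of the returned token are assumptions made for this example.

```python
# Added example (not INDIGO IAM code): audience and delegation handling for a
# token exchange request, modelled with an in-memory token store.
from dataclasses import dataclass

class TokenExchangeError(Exception):
    """Maps to an OAuth error response from the token endpoint."""

@dataclass(frozen=True)
class IssuedToken:
    value: str
    sub: str            # user the token was issued for
    client_id: str      # client the token was issued to
    scopes: frozenset

class TokenStore:
    def __init__(self):
        self._tokens = {}
    def issue(self, value, sub, client_id, scopes):
        tok = IssuedToken(value, sub, client_id, frozenset(scopes))
        self._tokens[value] = tok
        return tok
    def lookup(self, value):
        return self._tokens.get(value)

def token_exchange(authenticated_client, params, store, exchange_policy):
    """Handle a token exchange request at the token endpoint.

    authenticated_client: client_id proven by client authentication on this request
    params:               form parameters (subject_token, optional scope and audience)
    exchange_policy:      {delegating_client: set of clients allowed to receive delegation}
    """
    subject = store.lookup(params.get("subject_token", ""))
    if subject is None:
        raise TokenExchangeError("invalid_grant: unknown or expired subject_token")
    delegating_client = subject.client_id    # resolved from the subject_token, not from 'audience'
    receiving_client = authenticated_client  # the caller, not whatever 'audience' names
    if receiving_client not in exchange_policy.get(delegating_client, set()):
        raise TokenExchangeError(
            f"invalid_grant: {delegating_client} may not delegate to {receiving_client}")
    requested = frozenset(params["scope"].split()) if params.get("scope") else subject.scopes
    if not requested <= subject.scopes:
        raise TokenExchangeError("invalid_scope: exchange cannot widen the subject token's scopes")
    new_token = {
        "sub": subject.sub,
        "client_id": receiving_client,
        "delegating_client": delegating_client,
        "scope": " ".join(sorted(requested)),
    }
    audience = params.get("audience")
    if audience:  # optional: only restricts where the new token is accepted
        new_token["aud"] = audience
    return new_token

# Constructed sample: client-a holds a token for alice and is allowed to delegate
# to client-b only.
STORE = TokenStore()
STORE.issue("tok-A", sub="alice", client_id="client-a", scopes={"openid", "storage.read"})
POLICY = {"client-a": {"client-b"}}

if __name__ == "__main__":
    print(token_exchange("client-b", {"subject_token": "tok-A"}, STORE, POLICY))
    print(token_exchange("client-b", {"subject_token": "tok-A",
                                      "audience": "https://storage.example"}, STORE, POLICY))
```

Two checks that fall out of this ordering and are easy to lose when `audience` is overloaded: a client cannot name some other client in `audience` to receive a delegation it was not granted, and a missing `audience` is not an error, it just yields a token without `aud`.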

SAML Attribute query integration in SAML authentication flow

This work is part of introducing support for SAML Attribute Authorities (AA) in the IAM.

This issue tracks the implementation of the attribute query against enabled SAML AAs after a successful SAML authentication.

Requirements:

  • The failure of an attribute query must not cause a failure of the SAML authentication

Editing first name/family name fails on the dashboard

The dashboard invokes a SCIM patch operation, but sends an empty password, and this makes the database update fail.

  1. A patch with an empty email should trigger an error before reaching the database (an update with an empty email should never be accepted)
  2. The dashboard should send in the SCIM patch request only the fields that are actually changed by the user
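Both points as an added example (not the IAM dashboard's or server's code): the client side diffs the profile before and after editing and emits one `replace` operation per attribute that actually changed, and the server side rejects an empty value for attributes that must never be blank before anything touches the database. The list of must-not-be-empty attributes is an assumption for this example; the SCIM PatchOp schema URN and the dotted attribute paths are from SCIM 2.0.

```python
# Added example (not INDIGO IAM code): a SCIM PatchOp carrying only changed
# attributes, and server-side validation that rejects empty required values.
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Assumed set of attributes that may be replaced but never emptied
MUST_NOT_BE_EMPTY = {"userName", "emails", "password", "name.givenName", "name.familyName"}

def flatten(obj, prefix=""):
    """Turn nested dicts into dotted SCIM attribute paths; lists stay as values."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def build_patch(original, edited):
    """Dashboard side: one replace per attribute whose value differs from the original."""
    before, after = flatten(original), flatten(edited)
    ops = [{"op": "replace", "path": p, "value": v}
           for p, v in after.items() if before.get(p) != v]
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}

def validate_patch(patch):
    """Server side: refuse the request before it reaches the database."""
    if patch.get("schemas") != [PATCH_SCHEMA]:
        raise ValueError("not a SCIM PatchOp")
    for op in patch.get("Operations", []):
        if op.get("op") == "replace" and op.get("path") in MUST_NOT_BE_EMPTY:
            value = op.get("value")
            if value is None or (isinstance(value, (str, list)) and len(value) == 0):
                raise ValueError(f"attribute {op['path']} must not be empty")
    return patch

# Constructed sample profile as the dashboard would hold it before and after editing
ORIGINAL = {
    "userName": "alice",
    "name": {"givenName": "Alice", "familyName": "Smith"},
    "emails": [{"value": "alice@example.org", "primary": True}],
}
EDITED = {
    "userName": "alice",
    "name": {"givenName": "Alice", "familyName": "Jones"},
    "emails": [{"value": "alice@example.org", "primary": True}],
}

if __name__ == "__main__":
    print(validate_patch(build_patch(ORIGINAL, EDITED)))
```

Because the password never appears in the edited profile view, the diff can never emit a `password` replace from a name change, which removes the failure mode described above at the source; the validator is the second line of defence for any other client of the SCIM API.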

Improve token exchange documentation

Token exchange documentation is not really helpful.

The documentation should give users all the information needed to make a token exchange request, providing curl examples that show how requests are built and the structure of the expected responses from the server.

As a non-registered user, I can register at the IAM by authenticating using one of supported external authentication mechanism

Currently, the IAM requires that users provide information and later create a password, once their membership request is approved by an administrator.

The registration flow should be improved to let users authenticate with an external authentication provider (Google, SAML), fetching user profile information from the information returned by such provider (e.g., the email as extracted from the Google userinfo endpoint or from the SAML assertion returned by the external IdP).

Authorities API

Provide an API to manage IAM authorities (e.g., administrative privileges) for registered users, and provide integration in the administration dashboard to grant administrative privileges to selected users.

Migrate dashboard to latest angular

Currently, the IAM dashboard is implemented in Javascript leveraging AngularJS 1.6.1.
This issue is to track the migration to Angular2/Typescript, which provides a superior development/testing environment.
