# IAM components

The [DOME IAM-Framework](https://github.com/DOME-Marketplace/iam-components) is a set of microservices, that enables users in the DOME ecosystem to authenticate into the [DOME Marketplace](https://dome-marketplace.org/). The authentication process itself is described further below in the [Authentication](https://github.com/DOME-Marketplace/integration-guide?tab=readme-ov-file#authentication) section.

#### Overview and subcomponents

The DOME IAM-Framework consists of multiple open-source components. The components are not required to be used, as long as alternatives providing the same interfaces are used.

The IAM-Framework consists of following components:

[![IAM-components](https://github.com/DOME-Marketplace/integration-guide/raw/main/doc/img/iam.png)](https://github.com/DOME-Marketplace/integration-guide/blob/main/doc/img/iam.png)

- The [Trusted Issuers List](https://github.com/fiware/trusted-issuers-list) service provides an [EBSI Trusted Issuers Registry](https://hub.ebsi.eu/apis/pilot/trusted-issuers-registry/v4) implementation to act as the Trusted-List-Service in the DSBA Trust and IAM Framework. In addition, a Trusted-Issuers-List API is provided to manage the issuers.
- [VCVerifier](https://github.com/fiware/vcverifier) provides the necessary endpoints to offer SIOP-2/OIDC4VP compliant authentication flows. It exchanges VerifiableCredentials for JWT, that can be used for authorization and authentication in down-stream components.
- [Credentials Config Service](https://github.com/fiware/credentials-config-service) manages and provides information about services and the credentials they are using. It returns the scope to be requested from the wallet per service. Furthermore, it specifies the credentials required and the issuers list endpoints to validate against, when checking access for a certain service.
- The [Keycloak-VC-Issuer](https://github.com/fiware/keycloak-vc-issuer) is plugin for Keycloak to support SIOP-2/OIDC4VP clients and issue VerifiableCredentials through the OIDC4VCI-Protocol to compliant wallets.
- [PDP](https://github.com/fiware/dsba-pdp) is an implementation of a Policy-Decision Point, evaluating Json-Web-Tokens containing VerifiableCredentials in a DSBA-compliant way. It also supports the evaluation in the context of i4Trust.
- [Keyrock](https://github.com/ging/fiware-idm) is the FIWARE component responsible for Identity Management. Within DOME IAM-Framework, currently Keyrock is being used as the iSHARE-compliant Authorization Registry (see for details: [https://dev.ishare.eu/delegation/endpoint.html](https://dev.ishare.eu/delegation/endpoint.html)), where attribute-based access policies are stored and used during the authorization process. Note, that this will be replaced by an ODRL-compliant policy registry. A description of the policies is given in the [policies](https://github.com/DOME-Marketplace/integration-guide?tab=readme-ov-file#policies) section.
- [Kong Plugins](https://github.com/fiware/kong-plugins-fiware) allow to extend the API Gateway Kong by further functionalities. Kong Gateway is a lightweight, fast, and flexible cloud-native API gateway. One of the plugins is the PEP plugin, which is especially required within the IAM-components as PEP component and interacts with the PDP mentioned above.
- [Waltid](https://github.com/walt-id/waltid-ssikit) manages Keys, DIDs and VCs. It is used by VC Issuer and VCVerifier.

#### How to deploy

The recommended way of deployment is via the provided [Helm charts](https://github.com/DOME-Marketplace/iam-components).

To deploy a setup, the [umbrella chart](https://helm.sh/docs/howto/charts_tips_and_tricks/#complex-charts-with-many-dependencies) of the iam-components can be used as followed:

- create a configuration values file according to the own environment, as described [here](https://github.com/DOME-Marketplace/integration-guide?tab=readme-ov-file#how-to-configure-1).
- add helm chart repository to helm installation
    
    <div><div class="cm-editor ͼ1 ͼ2 ͼ4 ͼ1s"><div class="cm-scroller" tabindex="-1"><div aria-multiline="true" aria-readonly="true" autocapitalize="off" autocorrect="off" class="cm-content" contenteditable="true" role="textbox" spellcheck="false" translate="no"><div class="cm-line">helm repo add dome-iam https://dome-marketplace.github.io/iam-components</div><div class="cm-line">helm repo update</div></div><div aria-hidden="true" class="cm-layer cm-layer-above cm-cursorLayer">  
    </div></div><button class="cm-copy-button" type="button"><svg height="16" viewbox="0 0 24 24" width="16" xmlns="http://www.w3.org/2000/svg"></svg></button></div></div><div class="snippet-clipboard-content notranslate position-relative overflow-auto"><div class="zeroclipboard-container"><svg aria-hidden="true" class="octicon octicon-copy js-clipboard-copy-icon" data-view-component="true" height="16" version="1.1" viewbox="0 0 16 16" width="16"></svg>  
    </div></div>> ? All releases of the IAM-components reside in the helm-repository [https://dome-marketplace.github.io/iam-components](https://dome-marketplace.github.io/iam-components). In addition to that, all Pre-Release versions(build from the Pull Requests) are provided in the pre-repo [https://dome-marketplace.github.io/iam-components/pre](https://dome-marketplace.github.io/iam-components/pre). The pre-repo will be cleaned-up from time to time, in order to keep the index manageable.
- install the components using the prepared configuration
    
    <div><div class="cm-editor ͼ1 ͼ2 ͼ4 ͼ1t"><div class="cm-scroller" tabindex="-1"><div aria-multiline="true" aria-readonly="true" autocapitalize="off" autocorrect="off" class="cm-content" contenteditable="true" role="textbox" spellcheck="false" translate="no"><div class="cm-line">helm install &lt;RELEASE_NAME&gt; dome-iam/iam-components --namespace &lt;NAME_SPACE&gt; --version &lt;CHART_VERSION&gt; -f values.yaml</div></div><div aria-hidden="true" class="cm-layer cm-layer-above cm-cursorLayer">  
    </div></div><button class="cm-copy-button" type="button"><svg height="16" viewbox="0 0 24 24" width="16" xmlns="http://www.w3.org/2000/svg"></svg></button></div></div>

#### How to configure

The chart is released with a set of documented [default values](https://github.com/DOME-Marketplace/iam-components/blob/main/charts/iam-components/values.yaml). The parameters listed below are important to set and should be updated at least:

- `rbac` and `serviceAccount`: Depending on your requirements, you might need to adapt settings for RBAC and service account
- `did`s of participants: Replace/add the DIDs of the issuer and other participants
- In the case of did:key provide correct key in [keyfile.json](https://github.com/DOME-Marketplace/iam-components/blob/main/charts/iam-components/templates/keycloak.yaml) for your issuer
- `keycloak.frontendUrl`: Externally accessible address of the keycloak (should be the same as defined in ingress/route)
- `keycloak.realm`: Adapt clients, users and roles according to your needs
- `<tir.com>`: replace everywhere with actual TIR URL
- `<dome-marketplace.org>`: replace with your own domain
- `keyrock.initData.scriptData`: Adapt the roles as in keycloak realm
- `kong.configMap`: Adapt the kong services and their routes

However, it is suggested to consult the respective charts listed below and check their documentation and configuration.

<table id="bkmrk-component-chart-post"><thead><tr><th>Component</th><th>Chart</th></tr></thead><tbody><tr><td>postgresql</td><td>[https://github.com/bitnami/charts/tree/main/bitnami/postgresql](https://github.com/bitnami/charts/tree/main/bitnami/postgresql)</td></tr><tr><td>mysql</td><td>[https://github.com/bitnami/charts/tree/main/bitnami/mysql](https://github.com/bitnami/charts/tree/main/bitnami/mysql)</td></tr><tr><td>vcwaltid</td><td>[https://github.com/i4Trust/helm-charts/tree/main/charts/vcwaltid](https://github.com/i4Trust/helm-charts/tree/main/charts/vcwaltid)</td></tr><tr><td>keycloak</td><td>[https://github.com/bitnami/charts/tree/main/bitnami/keycloak](https://github.com/bitnami/charts/tree/main/bitnami/keycloak)</td></tr><tr><td>credentials-config-service</td><td>[https://github.com/FIWARE/helm-charts/tree/main/charts/credentials-config-service](https://github.com/FIWARE/helm-charts/tree/main/charts/credentials-config-service)</td></tr><tr><td>trusted-issuers-list</td><td>[https://github.com/FIWARE/helm-charts/tree/main/charts/trusted-issuers-list](https://github.com/FIWARE/helm-charts/tree/main/charts/trusted-issuers-list)</td></tr><tr><td>vcverifier</td><td>[https://github.com/i4Trust/helm-charts/tree/main/charts/vcverifier](https://github.com/i4Trust/helm-charts/tree/main/charts/vcverifier)</td></tr><tr><td>keyrock</td><td>[https://github.com/FIWARE/helm-charts/tree/main/charts/keyrock](https://github.com/FIWARE/helm-charts/tree/main/charts/keyrock)</td></tr><tr><td>dsba-pdp</td><td>[https://github.com/FIWARE/helm-charts/tree/main/charts/dsba-pdp](https://github.com/FIWARE/helm-charts/tree/main/charts/dsba-pdp)</td></tr><tr><td>kong</td><td>[https://github.com/Kong/charts/tree/main/charts/kong](https://github.com/Kong/charts/tree/main/charts/kong)</td></tr></tbody></table>

#### How to validate a deployment

All components are configured with health and readiness checks to validate their own status, therefore being the base for a validation. These checks are utilized in the Kubernetes checks as defined in the helm charts.

#### How to operate

The underlying database service holds the persisted data and therefore requires a backup&amp;recovery mechanism when operated in a production environment. The use of managed database is strongly encouraged for safety and convenience.

#### How to update

Upgrade to both a different chart version and new configuration can be accomplished with the following command

<div id="bkmrk-helm-upgrade-%3Creleas"><div class="cm-editor ͼ1 ͼ2 ͼ4 ͼ1u"><div class="cm-scroller" tabindex="-1"><div aria-multiline="true" aria-readonly="true" autocapitalize="off" autocorrect="off" class="cm-content" contenteditable="true" role="textbox" spellcheck="false" translate="no"><div class="cm-line">helm upgrade &lt;RELEASE_NAME&gt; dome-iam/iam-components --namespace &lt;NAME_SPACE&gt; --version &lt;CHART_VERSION&gt; -f values.yaml</div></div><div aria-hidden="true" class="cm-layer cm-layer-above cm-cursorLayer">  
</div></div><button class="cm-copy-button" type="button"><svg height="16" viewbox="0 0 24 24" width="16" xmlns="http://www.w3.org/2000/svg"></svg></button></div></div><div class="snippet-clipboard-content notranslate position-relative overflow-auto" id="bkmrk--3"><div class="zeroclipboard-container"><svg aria-hidden="true" class="octicon octicon-copy js-clipboard-copy-icon" data-view-component="true" height="16" version="1.1" viewbox="0 0 16 16" width="16"></svg>  
</div></div>#### Release process

Versioning of the main iam-components helm chart is handled based on the labels used in the pull requests used to introduce changes and is enforced in the [build pipeline](https://github.com/DOME-Marketplace/iam-components/tree/main/.github/workflows). The requester and reviewers must set the label according to the [SemVer 2.0.0](https://semver.org/) versioning scheme.

Versioning of the components and sub-charts is recommended to use the same scheme.

#### Troubleshooting

> To be filled once feedback from integrators comes in