INDIGO IAM Dashboard


INDIGO IAM Dashboard is the web application of INDIGO IAM developed by INFN.

Introduction

The dashboard is implemented in TypeScript, using React and Next.js. OpenID Connect/OAuth2 authorization flow is handled by Auth.js.

In order to run the web application, a working INDIGO IAM instance is required.

IAM Client Configuration

The dashboard acts as an INDIGO IAM Login Service client, so the client must be registered before the dashboard can receive an access token.

To register a new client, go to the chosen INDIGO IAM instance, log in as admin and create a new client with the configuration described below.

Redirect URIs

In the client main page, add all needed redirect URIs, in the form <IAM_URL>/auth/callback/indigo-iam (without a trailing /).

To enable development of the dashboard on your local machine, the redirect URI must be

http://localhost:3000/auth/callback/indigo-iam

For a production deployment, the redirect URI will be, for example,

https://iam-dashboard.cloud.cnaf.infn.it/auth/callback/indigo-iam

where https://iam-dashboard.cloud.cnaf.infn.it is the URL where the dashboard is located.

Scopes

In the Scopes tab, make sure that the following scopes are enabled:

  • email
  • openid
  • profile
  • scim:read
  • scim:write
  • iam:admin.read
  • iam:admin.write

Grant Types

In the Grant Types tab, enable authorization_code. Finally, in the Crypto section, enable PKCE with the SHA-256 hash algorithm.

Development

To launch the development environment, an installation of Node.js is the only mandatory requirement. This project currently relies upon Node 22 LTS.

Create the .env file

Create a file named .env in the project root directory and define the following variables:

# .env
NODE_ENV=debug
IAM_AUTHORITY_URL=https://iam-dev.cloud.cnaf.infn.it # or http://localhost:8081
IAM_CLIENT_ID=<your_client_id>
IAM_CLIENT_SECRET=<your_client_secret>
IAM_SCOPES="openid profile scim:read scim:write iam:admin.read iam:admin.write"
AUTH_SECRET=<authentication_secret>                  # see below

Important: AUTH_SECRET is the key used to protect (encrypt and sign) the session cookies used for authentication. You can generate a secret by running

openssl rand -base64 32

Note that this is a sensitive credential: it decrypts the session cookies and therefore the access token stored in them. Do not share the secret, especially the one generated for a production deployment.

Local development

First install the required dependencies with

npm install

and then start the Next.js development server by running

npm run dev

Output similar to the following should appear:

> iam-dashboard@0.1.0 dev
> next dev

  ▲ Next.js 14.2.2
  - Local:        http://localhost:3000
  - Environments: .env

 ✓ Starting...
 ✓ Ready in 9.5s

The dashboard is then available at http://localhost:3000.

Deployment

A Docker image is automatically built using GitHub Actions. The same environment variables are required, plus the AUTH_URL variable. The latter is needed when the application runs inside a Docker container or behind a proxy that hides the actual hostname from Auth.js.

Create the following environment file, with a name of your choice, for example prod.env:

# prod.env
NODE_ENV=production
IAM_AUTHORITY_URL=https://iam-dev.cloud.cnaf.infn.it
IAM_CLIENT_ID=<your_client_id>
IAM_CLIENT_SECRET=<your_client_secret>
IAM_SCOPES="openid profile scim:read scim:write iam:admin.read iam:admin.write"
AUTH_SECRET=<authentication_secret>
AUTH_URL=<dashboard_hostname>  # e.g. https://iam-dashboard.cloud.cnaf.infn.it

To start the application, run

docker run -p <some-port>:80 --env-file=prod.env cnafsoftwaredevel/iam-dashboard:latest
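The .env and prod.env files above are easy to get subtly wrong (a placeholder left in, a required scope dropped, a short AUTH_SECRET, AUTH_URL missing in production). The following check is an added example and not part of the iam-dashboard project: it parses an env file and validates it against the client settings described in this README. The variable names are the README's; the sample file is constructed.

```typescript
// Added example, not part of iam-dashboard: check a dashboard env file against the
// client settings this README requires. Variable names are the README's; sample is constructed.
const REQUIRED_SCOPES = ["openid", "profile", "scim:read", "scim:write", "iam:admin.read", "iam:admin.write"];
// Minimal KEY=VALUE parser: skips comments and blank lines, strips trailing " # ...", unquotes.
function parseEnv(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    let value = line.slice(eq + 1).replace(/\s+#.*$/, "").trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    out[line.slice(0, eq).trim()] = value;
  }
  return out;
}
// Bytes encoded by a base64 string; `openssl rand -base64 32` gives 44 chars = 32 bytes.
function base64Bytes(s: string): number {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return 0;
  return Math.floor((s.replace(/=+$/, "").length * 3) / 4);
}
function checkDashboardEnv(env: Record<string, string>): string[] {
  const problems: string[] = [];
  for (const key of ["IAM_AUTHORITY_URL", "IAM_CLIENT_ID", "IAM_CLIENT_SECRET", "AUTH_SECRET"]) {
    if (!env[key]) problems.push(`${key} is missing`);
  }
  // Placeholders such as <your_client_secret> copied from the README must be replaced.
  for (const [k, v] of Object.entries(env)) {
    if (/^<.*>$/.test(v)) problems.push(`${k} still holds placeholder ${v}`);
  }
  const scopes = (env.IAM_SCOPES ?? "").split(/\s+/).filter(Boolean);
  for (const s of REQUIRED_SCOPES) if (!scopes.includes(s)) problems.push(`IAM_SCOPES lacks ${s}`);
  // AUTH_SECRET protects the session cookie and thus the access token: insist on 32 random bytes.
  if (env.AUTH_SECRET && base64Bytes(env.AUTH_SECRET) < 32) problems.push("AUTH_SECRET is shorter than 32 bytes");
  if (env.NODE_ENV === "production") {
    if (!env.AUTH_URL) problems.push("AUTH_URL is required in production");
    else if (!env.AUTH_URL.startsWith("https://")) problems.push("AUTH_URL should use https in production");
    if ((env.IAM_AUTHORITY_URL ?? "").startsWith("http://")) problems.push("IAM_AUTHORITY_URL should use https in production");
  }
  return problems;
}
// Constructed sample prod.env with several common mistakes (not a real deployment).
const SAMPLE_PROD_ENV = `NODE_ENV=production
IAM_AUTHORITY_URL=https://iam-dev.cloud.cnaf.infn.it
IAM_CLIENT_ID=dashboard-client
IAM_CLIENT_SECRET=<your_client_secret>
IAM_SCOPES="openid profile scim:read iam:admin.read iam:admin.write"
AUTH_SECRET=tooshort`;
console.log(checkDashboardEnv(parseEnv(SAMPLE_PROD_ENV)));
```

Running it against the constructed sample reports the leftover placeholder, the missing scim:write scope, the short AUTH_SECRET and the missing AUTH_URL.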

TODOs

General

  • Sudo mode (panic!)
  • Add Table component

Home page

  • Validate password before submission
  • What happens if I change password when there is no password at all?
  • Finish the "Add to group" functionality
  • Add "Change membership end time"
  • Add "Link external account" feature
  • Add "Link Certificate"
  • Add "Request Certificate"
  • Add "Add managed proxy certificate"
  • Add "Add ssh key"
  • Add "Set attribute"

Users Page

  • Create the users table
  • Add "Delete user" button for each row
  • Maybe add a multiple selection to delete multiple users in bulk

Groups Page

  • Create the groups page
  • Add "Add Root Group" feature
  • Add "Add Subgroup" button for each row
  • Add "Delete Group" button for each row

Requests Page

  • Create "Registration Request" tab
  • Create "Group requests" tab

AUP Page

  • Add "Edit AUP"
  • Add "Request AUP Signature"
  • Add "Delete AUP"

Clients Page

  • Add Clients table
  • Add "New Client"
  • Add "Edit client" for each row
  • Add "Delete client" for each row
  • Add Client "edit" page with tabs (todo, form submission):
    • Main (client name, client id, client description, redirect URIs, contacts, etc)
    • Credentials (Token endpoint auth method, client secret, registration access token, regenerate registration a.c., Public key set, JWK URI)
    • Scopes (System scope, Custom scope)
    • Grant types
    • Tokens (A.T. timeout, ID T. timeout, R.T settings & timeout, Device code timeout)
    • Crypto (PKCE settings)
    • Other info (Homepage URL, ToS, Policy)
    • Owners (Show owners, assign owner)

Tokens Page

  • TBD

Scopes

  • Add Scopes table
  • Add "Edit Scope" button for each row (Description, default scope, restricted)
  • Add "Delete scope" button for each row
