I forgot to mention, but Guillaume, the lead developer for OpenIG, has also started a blog to discuss about Middleware, and share his experience and thoughts about OpenIG.
He has started a great series of posts introducing OpenIG, it’s use cases, some terminology…
I encourage you to take a look at it here : In Between – a Blog by Guillaume Sauthier
In the article that I’ve posted yesterday, I’ve outline portions of configuration files for OpenIG. The configuration is actually only working with the latest OpenIG nightly builds, as it leverages some of the newest updates to the code.
One of the feedback that we got after we released was that configuring OpenIG was still too complex and verbose. So, we’ve made changes to the model, simplifying it, removing intermediate objects… The result is much smaller and easier to understand configuration files, but more importantly, easier to read back and understand the flow they represents.
My colleague Mark has done a great job of describing and illustrating those changes in a few articles :
OpenIG’s improved configuration files (Part 1)
OpenIG: A quick look at decorators
OpenIG’s improve configuration files Part 2
All the sessions from the European IRMSummit that took place early this month in Dublin were recorded, and the videos are now available.
To make it even easier for everyone, our Marketing team has produced playlists according to the agenda :
Enjoy and I hope this will give you envy to be with us next year !
Usually, one of the first thing you want to do when securing APIs is to only allow specifics calls to them. For example, you want to make sure that you can only read to specific URLs, or can call PUT but not POST to other ones.
OpenIG, the Open Identity Gateway, has a everything you need to do this by default using a DispatchHandler, in which you express the methods that you want to allow as a condition.
The configuration for the coming OpenIG 3.1 version, would look like this:
{
"name": "MethodFilterHandler",
"type": "DispatchHandler",
"config": {
"bindings": [
{
"handler": "ClientHandler",
"condition": "${exchange.request.method == 'GET' or exchange.request.method == 'HEAD'}",
"baseURI": "http://www.example.com:8089"
},
{
"handler": {
"type": "StaticResponseHandler",
"config": {
"status": 405,
"reason": "Method is not allowed",
"headers": {
"Allow": [ "GET", "HEAD" ]
}
}
}
}]
}
}
This is pretty straightforward, but if you want to allow another method, you need to update the both the condition and the rejection headers. And when you have multiple APIs with different methods that you want to allow or deny, you need to repeat this block of configuration or make a much complex condition expression.
But there is a simpler way, leveraging the scripting capabilities of OpenIG.
Create a file under your .openig/scripts/groovy named MethodFilter.groovy with the following content:
/**
* The contents of this file are subject to the terms of the Common Development and
* Distribution License 1.0 (the License). You may not use this file except in compliance with the
* License.
* Copyright 2014 ForgeRock AS.
* Author: Ludovic Poitou
*/
import org.forgerock.openig.http.Response
/*
* Filters requests that have the allowedmethods supplied using a
* configuration like the following:
*
* {
* "name": "MethodFilter",
* "type": "ScriptableFilter",
* "config": {
* "type": "application/x-groovy",
* "file": "MethodFilter.groovy",
* "args": {
* "allowedmethods": [ "GET", "HEAD" ]
* }
* }
* }
*/
if (allowedmethods.contains(exchange.request.method)) {
// Call the next handler. This returns when the request has been handled.
next.handle(exchange)
} else {
exchange.response = new Response()
exchange.response.status = 405
exchange.response.reason = "Method not allowed: (" + exchange.request.method +")"
exchange.response.headers.addAll("Allow", allowedmethods)
}
And now in all the places where you need to filter specific methods for an API, just add a filter to the Chain as below:
{
"heap": [
{
"name": "MethodFilterHandler",
"type": "Chain",
"config": {
"filters": [
{
"type": "ScriptableFilter",
"config": {
"type": "application/x-groovy",
"file": "MethodFilter.groovy",
"args": {
"allowedmethods": [ "GET", "HEAD" ]
}
}
}
],
"handler": "ClientHandler"
}
}
],
"handler": "MethodFilterHandler",
"baseURI": "http://www.example.com:8089"
}
This solution allows to filter different methods for different APIs with a simple configuration element, the “allowedmethods” field, for greater reusability.
Earlier this week, a new major version of ForgeRock Community site was pushed to production.
Beside a cleaner look and feel and a long awaited reorganisation of content, the new version enables better collaboration around the open source projects and initiatives. You will find Forums, for general discussions or project specific ones, new Groups around specific topics like UMA or IoT. We’ve also added a calendar with different views, so that you can find or suggest events, conferences, webinars touching the projects and IRM at large.
Great work Aron and Marius for the new ForgeRock.org site ! Thank you.
And we’ve also announced a new project OpenUMA. If you haven’t paid attention to it yet, I suggest you do now. User-Managed Access (UMA) is an OAuth-based protocol that enables an individual to control the authorization of data sharing and service access made by others. The OpenUMA community shares an interest in informing, improving, and extending the development of UMA-compatible open-source software as part of ForgeRock’s Open Identity Stack.
Last week at the nice Powerscourt Estate, outside Dublin, Ireland, ForgeRock hosted the European Identity Relationship Management Summit, attended by over 200 partners, customers, prospects, users of ForgeRock technologies. What a great European IRMSummit it was !
If you haven’t been able to attend, here’s some highlights:
I heard many talks and discussions about Identity being the cornerstone in the digital transformation of enterprises and organizations. It shifting identity projects from a cost center to revenue generators.
There was lots of focus on consumer identity and access management, with some perspectives on current identity standards and what is going to be needed from the IRM solutions. We’ve also heard from security and analytics vendors, demonstrating how ForgeRock’s Open Identity Stack can be combined with the network security layer or with analytics tools to increase security and context awareness when controlling access.
User Managed Access is getting more and more real, as the specifications are getting close to be finalised and ForgeRock announced the OpenUMA initiative for foster ideas and code around it. See forgerock.org/openuma.
Many talks about Internet of Things and especially demonstration around defining the relationship between a Thing and a User, securing the access to the data produced by the Thing. We’ve seen a door lock being unlocked with a NFC enabled mobile phone, by provisioning over the air the appropriate credentials, a smart coffee machine able to identify the coffee type and the user, pushing the data to a web service, and asking the user for consent to share. There’s a common understanding that all the things will have identities and relations with other identities.
There were several interesting discussions and presentations about Digital Citizens, illustrated by reports from deployments in Norway, Switzerland, Nigeria, and the European Commission cross-border authentication initiatives STORK and eIDAS…
Half a day was dedicated to ForgeRock products, with introductory trainings, demonstrations of coming features in OpenAM, OpenDJ, OpenIDM and OpenIG. During the Wednesday afternoon, I did 2 presentations on OpenIG, demonstrating the ease of integration of OAuth2.0 and OpenID Connect to protect applications and APIs, and on OpenDJ, demonstrating the flexibility and power of the REST to LDAP interface.
All presentations and materials are available online as pdf and now as videos on the ForgeRock’s YouTube page. You can also find here a short summary of the Summit in a video produced by Markus.
The summit wouldn’t be such a great conference if there was no plan for social interactions and fun. This year we had a nice dinner in the Powerscourt house (aka the Castle) followed by live music in the pub. The band was great, but became even better when Joni and Eve joined them for a few songs, for the great pleasure of all the guests.
Of course, I have to admit that the best part of the IRM Summit in Ireland was the pints of Guinness !
To all attendees, thank you for your participation, the interesting discussions and the input to our products. I’m looking forward to see you again next year for the 2015 edition. Sláinte !
As usual, you can find the photos that I’ve taken at the Powerscourt Estate on Flickr. Feel free to copy for non commercial use, and if you do republish them, I would appreciate getting the credit for them.
[Updated on Nov 11] Added link to the highlight video produced by Markus
[Updated on Nov 13] Added link to the slideshare folder where all presentations have been published
[Updated on Nob 24] Added link to the all videos on ForgeRock’s YouTube page
Ludo Sketches 