
Identity Management - KeyRock - User and Programmers Guide

From FIWARE Forge Wiki




This document is the user and programmer guide for the KeyRock Identity Management component. It covers the steps needed to use the KeyRock portal to create and manage an account, and explains how applications, roles and organizations are managed.

Background and Detail

This User and Programmers Guide relates to the Identity Management GE.

Supported Interfaces

OAuth 2.0

Protocol flow support (reference: RFC 6749, http://tools.ietf.org/html/rfc6749)

Protocol flow                                Sections      Supported
Authorization code grant                     1.3.1, 4.1    supported
Implicit grant                               1.3.2, 4.2    supported
Resource owner password credentials grant    1.3.3, 4.3    supported
Client credentials grant                     1.3.4, 4.4    supported

Token support

Token purpose        Reference        Supported
Authorization code   RFC 6749 1.3.1   supported
Access token         RFC 6749 1.4     supported
Refresh token        RFC 6749 1.5     not supported

Access token type    Reference                                                          Supported
Bearer               http://tools.ietf.org/html/rfc6750                                 supported
MAC                  http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01         not supported

Token format (self contained token)    Reference                                                            Supported
JWT / JWS                              http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-16     not supported
JWT / JWE                              http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-01    not supported

Token format (reference tokens)        Reference                              Supported
UUID                                   http://www.ietf.org/rfc/rfc4122.txt    not supported

Since refresh tokens are not issued, a client whose access token has expired has to run the grant again rather than silently renew it.
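The authorization code grant marked as supported above, walked through from the client side, as an added example that is not KeyRock's own code. The endpoint paths (/oauth2/authorize, /oauth2/token), the client credentials and the redirect URI are assumptions standing in for the values issued when an application is registered in the portal, and the token reply is constructed. The two checks a client most often gets wrong are shown explicitly: the exact comparison of the callback URL against the registered one, and the constant-time check of the state value before the code is accepted.

```python
"""Authorization code grant (RFC 6749 section 4.1) against a KeyRock-style server.

Added illustration, not KeyRock's own client code. Endpoint paths, client
credentials and redirect URI are assumptions standing in for the values
issued when the application is registered; the token reply is constructed.
"""
import json
import secrets
from base64 import b64encode
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_SERVER = "https://account.lab.fiware.org"          # FIWARE Lab portal
AUTHORIZE_ENDPOINT = AUTH_SERVER + "/oauth2/authorize"  # assumed path
TOKEN_ENDPOINT = AUTH_SERVER + "/oauth2/token"          # assumed path
CLIENT_ID = "my-app-client-id"                           # hypothetical
CLIENT_SECRET = "my-app-client-secret"                   # hypothetical
REDIRECT_URI = "https://app.example.org/oauth/callback"  # registered callback URL


def build_authorization_request(state: str) -> str:
    """Step 1 (4.1.1): URL the user's browser is sent to. `state` must be an
    unguessable per-session value (e.g. secrets.token_urlsafe(32)); it ties
    the callback to this request and blocks CSRF on the redirect (10.12)."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step 2 (4.1.2): validate the redirect back to the client, return the code.
    Rejects a callback on any URL but the registered one, an error response,
    and any state other than the one issued in step 1."""
    got, want = urlparse(callback_url), urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback arrived on an unexpected URL")
    qs = parse_qs(got.query)
    if "error" in qs:
        raise ValueError("authorization server returned error: " + qs["error"][0])
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str):
    """Step 3 (4.1.3): headers and form body of the POST to TOKEN_ENDPOINT.
    The client authenticates with HTTP Basic (2.3.1) and repeats the
    redirect_uri from step 1 so the server can verify the two match."""
    basic = b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": REDIRECT_URI})
    return headers, body


def parse_token_response(body: str) -> str:
    """Step 4 (4.1.4, 5.1): extract the access token from the JSON reply.
    Only the Bearer type is accepted (MAC tokens are not handled); no
    refresh_token is expected, so once this token expires the grant has to
    be run from step 1 again."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError("token request failed: " + str(data["error"]))
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: " + repr(data.get("token_type")))
    return data["access_token"]


def bearer_header(access_token: str) -> dict:
    """Send the token per RFC 6750 section 2.1 (Authorization header) rather than
    as a query parameter (2.3), which leaves it in server logs and Referer headers."""
    return {"Authorization": "Bearer " + access_token}


# Constructed token-endpoint reply in the RFC 6749 section 5.1 shape (not captured).
SAMPLE_TOKEN_RESPONSE = ('{"access_token": "2YotnFZFEjr1zCsicMWpAA", '
                         '"token_type": "Bearer", "expires_in": 3600}')
```

The functions only build and validate messages, so the block runs offline; in a real client the string from build_authorization_request is the redirect you issue, the URL the browser comes back on is fed to handle_callback, and the headers and body from build_token_request go in a POST to TOKEN_ENDPOINT whose reply is fed to parse_token_response.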

OpenID Connect

Not supported.

SCIM 2.0

Core schema (reference: http://tools.ietf.org/html/draft-ietf-scim-core-schema-02): not supported.

REST API

Operation                                Section   Supported       Comment
Creating resources                       3.1       supported       Only exposed in the back-end API
Retrieving resources                     3.2       supported       Only exposed in the back-end API
Modifying resources                      3.3       supported       Only exposed in the back-end API
Deleting resources                       3.4       supported       Only exposed in the back-end API
Bulk                                     3.5       not supported
Service Provider Configuration Schema    9         not supported

Multi Tenancy

Supported through OAuth 2.0 client applications. Each registered application is a Consumer that can access a different set of resources, as described in the SCIM REST API specification (section 4). The application (tenant) is identified by the OAuth access token presented with the request.

SAML 2.0

Not supported.

User Guide

Using the web portal of KeyRock

Every user of KeyRock logs into the web portal with individual credentials; the description below uses a test account. The examples refer to the FIWARE Lab instance, whose web portal is at https://account.lab.fiware.org/.

Logging in

Choose "Sign in" if you have previously created an account, otherwise "Sign up" to create a new one (Figure 1).

Figure 1: KeyRock Login Page

Figure 2 shows the homepage after you log in successfully.

There are two main sections, Applications and Organizations. In the Applications section you can register a new application by clicking "Register".

Figure 2: KeyRock Home Page

Registering an application

In the first step you give the application a name, description, URL and callback URL. The callback URL is the redirection endpoint required by the OAuth 2.0 protocol: the address KeyRock will send the user back to with the authorization code, so register the exact HTTPS URL your application handles rather than a broad one.

Click on "Next" (Figure 3).

Figure 3: KeyRock Register Application

In the second step you upload the application's logo by selecting a file of a valid image type. You can re-frame the chosen image.

Click "Crop Image" when you are done, then click "Next" as shown in Figure 4.

Figure 4: KeyRock Edit Application Logo

In the third step you set up the application's roles and permissions. Two roles are predefined: Provider and Purchaser.

You can edit the permissions of each role or create new roles. Click "New role", enter the name of the role and click "Save".

You can configure the permissions for the new role by activating the corresponding check box.

You can also add new permissions by clicking "New Permission". Enter the permission's name, description, HTTP verb (GET, PUT, POST or DELETE) and the path of the resource it protects (Figure 5). A permission is therefore a verb and path pair; review them as you would an access control list and give each role only the pairs it needs.

Click "Create Permission", then "Finish" to complete the creation of the application.

Figure 5: KeyRock New Roles and Permissions
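How the role and permission model configured in this step behaves when a request is checked against it, as an added example that is not KeyRock's own code: permissions are (HTTP verb, path) pairs, roles are sets of permissions, users hold roles within an application, and anything not explicitly permitted is denied. The application, roles, users and paths are constructed. Matching a permission's path exactly after normalising the request path is an assumption about how the path field is interpreted; the normalisation itself is the part worth copying, since without it "/tickets/../admin" or "//tickets" would be compared literally.

```python
"""Checking a request against a KeyRock-style role/permission model.

Added illustration of the model set up in the registration wizard, not
KeyRock's own authorization code. The application, roles, users and paths
are constructed; comparing a permission's path exactly (after
normalisation) is an assumption about how the path field is interpreted.
"""
from dataclasses import dataclass, field
from posixpath import normpath

ALLOWED_VERBS = {"GET", "PUT", "POST", "DELETE"}   # the verbs the wizard offers


def canonical_path(raw: str) -> str:
    """Normalise a request path before comparing it with a permission's path,
    so '/tickets/../admin', '//admin' and '/admin/?x=1' all become '/admin'
    and cannot slip past a permission written for the plain form."""
    path = raw.split("?", 1)[0].split("#", 1)[0] or "/"   # drop query/fragment
    if not path.startswith("/"):
        path = "/" + path
    path = normpath(path)                 # collapse '//' and resolve '.' / '..'
    if path.startswith("//"):             # normpath keeps a leading '//' on POSIX
        path = "/" + path.lstrip("/")
    return path


@dataclass(frozen=True)
class Permission:
    name: str
    verb: str
    path: str


@dataclass
class Application:
    name: str
    roles: dict = field(default_factory=dict)    # role name -> set of Permission
    members: dict = field(default_factory=dict)  # user -> set of role names

    def new_permission(self, name: str, verb: str, path: str) -> Permission:
        verb = verb.upper()
        if verb not in ALLOWED_VERBS:
            raise ValueError(f"verb {verb!r} is not offered by the wizard")
        return Permission(name, verb, canonical_path(path))

    def new_role(self, role: str, *perms: Permission) -> None:
        self.roles.setdefault(role, set()).update(perms)

    def add_member(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"role {role!r} does not exist in {self.name!r}")
        self.members.setdefault(user, set()).add(role)

    def is_allowed(self, user: str, verb: str, raw_path: str) -> bool:
        """Deny by default: allow only when some role held by the user carries
        a permission whose verb and canonical path both match the request."""
        verb, path = verb.upper(), canonical_path(raw_path)
        return any(
            perm.verb == verb and perm.path == path
            for role in self.members.get(user, ())
            for perm in self.roles.get(role, ())
        )


def demo_application() -> Application:
    """Constructed application: the two predefined roles plus one custom role."""
    app = Application("Ticket portal")
    read = app.new_permission("Read tickets", "GET", "/tickets")
    close = app.new_permission("Close tickets", "DELETE", "/tickets")
    admin = app.new_permission("Manage users", "POST", "/admin/users")
    app.new_role("Purchaser", read)            # predefined role
    app.new_role("Provider", read, close)      # predefined role
    app.new_role("Ticket manager", admin)      # custom role made with "New role"
    app.add_member("alice", "Provider")
    app.add_member("alice", "Ticket manager")
    app.add_member("bob", "Purchaser")
    return app


if __name__ == "__main__":
    app = demo_application()
    for user, verb, path in [("alice", "DELETE", "/tickets"),
                             ("bob", "DELETE", "/tickets"),
                             ("bob", "GET", "/tickets/../admin/users"),
                             ("carol", "GET", "/tickets")]:
        verdict = "allow" if app.is_allowed(user, verb, path) else "deny"
        print(f"{user:6} {verb:6} {path:28} -> {verdict}")
```

A member's roles can be changed later (see "Managing roles" below); in this model that is a change to the members mapping only, and the next is_allowed call reflects it, which is why the check is evaluated per request rather than cached at login.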

Managing roles

Look at the vertical menu on the left (Figure 6) and go from Home to Applications. Here you can see the application you have just created.

At the bottom you can manage the roles of the application's users. Click the "Add" button to add new users.

It shows a modal where you can manage Users and Groups. You can see the users and their initially assigned roles.

Choose users and groups to add to the application, then choose their initial role. Click "Add".

Note that you can also change roles after users have been added, by clicking the roles drop-down menu below the user's icon, as shown in Figure 6.

Figure 6: KeyRock Add Members to Application

Managing organizations

Next, in the vertical menu click "Organizations". Click "Create Organization" to register a new organization.

Enter the name, choose the owner and write the description of the organization. Click "Create Organization".

You are now redirected to the Home menu acting on behalf of the newly created organization. Any application created from here will belong to the organization.

To return to your own user session, click the name of the organization in the header and select "Switch session" (Figure 7).

Figure 7: KeyRock Create Organization

Programmer Guide

Documentation on the KeyRock APIs can be found on KeyRock's wiki. The calls below show the shape of the JSON the back-end returns.


Get a single user

 GET /users/:id

 {
   "id": 1,
   "actorId": 1,
   "nickName": "demo",
   "displayName": "Demo user",
   "email": "demo@fi-ware.eu",
   "roles": [
     {"id": 1, "name": "Manager"},
     {"id": 7, "name": "Ticket manager"}
   ],
   "organizations": [
     {
       "id": 1,
       "actorId": 2,
       "displayName": "Universidad Politecnica de Madrid",
       "roles": [
         {"id": 14, "name": "Admin"}
       ]
     }
   ]
 }

Get authenticated user

 GET /user?access_token=12342134234023437

Here the access token travels as a query parameter. RFC 6750 (section 2.3) advises against this form because the token ends up in server access logs and Referer headers; where the deployment accepts it, send the token in the Authorization: Bearer header instead.


Get applications from actor (user or organization)

 GET /applications.json?actor_id=1&access_token=2YotnFZFEjr1zCsicMWpAA

 [
   {
     "id": 1,
     "name": "Dummy",
     "description": "FI-WARE demo application"
   }
 ]

The response is a list of application objects; only the first fields of one entry are shown here.

SCIM 2.0

Get service provider configuration

 GET /v2/ServiceProviderConfigs

Further information

For further information on KeyRock, see the step-by-step video at http://help.lab.fi-ware.org/ by clicking "Help&Info" and choosing "Account", as Figure 8 shows.

Figure 8: KeyRock Screencast
