Releases · FIWARE/api-umbrella

Following are the changes in this release

Enables to allow for validation of JWTs created and signed by external IDPs
External in the sense that these IDPs are not part of the hosting environment of API-Umbrella
External IDPs can be added together with their JWT signing secret via dedicated API endpoint and must be linked to an organization within the Keyrock IDP of API-Umbrella
JWTs added as header in requests to API-Umbrella get validated against the secret for the particular IDP
JWTs of external IDPs can then contain user roles for authorization and must match an equal role assigned to the organization within the Keyrock IDP of API-Umbrella

Integration of an attribute-based and iSHARE-compliant policy based authorization mode for NGSI-LD requests
API-Umbrella evaluates incoming NGSI-LD requests and determines automatically the necessary policies
Supported requests: HTTP GET, POST, PATCH, DELETE; upsert batch operations not supported for the moment
Policies are checked against local and external authorisation registries according to the iSHARE scheme depending on the delegation of the policies
Access for the request is granted if the requester's policies match the required policies for the NGSI-LD request under consideration of the delegation chain of requester's policies so that the final policy must have been issued by the organization hosting the environment for API-Umbrella
The requesters JWT can either contain information about the external authorisation registry so that API-Umbrella will request the requester's policies from there, or the requester's policies are already encoded within the JWT
JWTs must be signed using JWS standard with RS256 and must contain the complete certification chain in the x5c header (also see: https://dev.ishareworks.org/introduction/jwt.html)
API-Umbrella validates JWTs based on the certificate chain and known root CA
Data exchange with authorisation registries is performed based on the iSHARE scheme

Provide feedback