Active development moved to https://github.com/cfpb/hmda-platform/tree/master/auth
This project provides OpenID Connect-based
authentication and authorization services for all HMDA APIs and web applications
with identity requirements. This currently includes the
hmda-platform
and
hmda-platform-ui
projects,
though may support more in the future.
- Keycloak - Open-source identity management, with full OpenID Connect support.
- mod_auth_openidc - Open-source OpenID Connect authentication and authorization proxy.
This project has been fully Docker-ized. Docker is all you need to launch the full stack!
This project is intended to be run from hmda-platform
's
Docker Compose setup, configured in hmda-platform/docker-compose.yml
.
Please see the instructions in that repo
for details on how to launch the system.
The Keycloak Docker image comes with the default "master" (admin) realm, and a "hmda" realm configured
for integrating with the oidc-client webapp. If you want to persist changes to "hmda", edit
keycloak/import/hmda-realm.json
. This file is copied in during the Docker built, and applied to
Keycloak via its Import/Export
functionality.
When experimenting with Keycloak setting, it is easier to use the admin UI to make changes. Below are the steps used when creating the "hmda" realm and its "hmda-api" client.
- Login to Keycloak master realm by browsing to https://192.168.99.100:8443/auth/admin/.
- Create the HMDA realm.
- Mouse-over Master header.
- Select the Add realm button.
- Add "hmda" to Name field.
- Select the Create button.
- On the Login tab, set the following and select Save:
- User registration: ON
- Email as username: ON
- Edit username: OFF
- Forgot password: ON
- Remember Me: OFF
- Verify email: ON
- Login with email: ON
- Require ssl: all requests
- On the Email tab, set following and click Save:
- Host: mail_dev
- From: noreply@cfpb.gov
- On the Themes tab, set following and select Save:
- Login Theme: hmda
- Email Theme: hmda
- On the Tokens tab, set the following and select Save:
- Login action timeout: 60 (Minutes)
- User-Initiated Action Lifespan: 60 (Minutes)
- On the Security Defenses / Brute Force Detection tab, set the following and select Save:
- Enabled: ON
- Permanent Lockout: ON
- Configure the realm's Authentication settings:
- Select the Authentication link on the left menu:
- On the Flows tab:
- Select Registration from the dropdown.
- Select the Copy button.
- Enter "registration - hmda" in the New Name field, and select OK.
- Select Add Execution action for Registration - Hmda Registration Form.
- Select Institution Validation for Provider, and select Save.
- Select Delete action for Recaptcha.
- Select REQUIRED for Institution Validation.
- On the Bindings tab, set the following and select Save:
- Set Registration Flow to registration - hmda.
- On the Password Policy tab, set these policies and select Save:
- Expire Password: 90
- Minimum Length: 12
- Not Recently Used: 10
- Uppercase Characters: 1 (Default)
- Lowercase Characters: 1 (Default)
- Digits: 1 (Default)
- Special Characters: 1 (Defaul)
- Not Username (No value to set here)
- Hashing Iterations: 27500 (Default)
- Add a hmda-api OpenID Connect client.
- Select the Clients link on left menu, and select Create.
- On the Add Client screen, set the following and Save:
- Client ID: hmda-api
- On the Settings tab, change the following and Save:
- Standard Flow Enabled: OFF
- Implicit Flow Enabled: ON
- Direct Access Grant Enabled: OFF
- Valid Redirect URIs:
- Web Origins: *
- On the Mappers tab, click Create, set the following, and Save:
- Name: Institutions
- Consent Required: OFF
- Mapper Type: User Attribute
- User Attribute: institutions
- Token Claim Name: institutions
- Claim JSON Type: String
- Add to ID token: ON
- Add to access token: ON
- Add to userinfo: ON
- Multivalued: OFF
Once you've jumped through all of these setup hoops, you're ready to authenticate.
When integrating with your own app, the following are the most important configs. Defaults should work for the rest of the usual OIDC settings.
- Discovery Endpoint: https://192.168.99.100:8443/auth/realms/hmda/.well-known/openid-configuration
- Client ID: hmda-api
The following services are included in the Docker Compose config.
Keycloak acts as an OpenID Connect Identity Provider. It is available at:
Secure API Gateway protecting HMDA APIs with auth requirements
- https://192.168.99.100:4443 - Auth Proxy Status
- https://192.168.99.100:4443/hmda/ - Protected HMDA Filing API
Several of Keycloak's identity manangement workflows involve email confirmation. In order to test this locally, we've included the MailDev service. All emails sent by Keycloak can be viewed at:
If you have questions, concerns, bug reports, etc, please file an issue in this repository's Issue Tracker.
- Related projects