IdentityHub AuthenticationFailed with Admin User #512

Closed
ma3u opened this issue Jan 6, 2025 · 4 comments · Fixed by #515
Labels: bug (Something isn't working), documentation (Improvements or additions to documentation)

ma3u commented Jan 6, 2025

Bug Report

Describe the Bug

Swagger OPEN API: Identity API - getAllCredentials

Get all credentials with super user key:

curl -v -X POST \
     -H "x-api-key: demo-accounts-key" \
     "http://localhost:8182/api/identity/v1alpha/credentials"

* Host localhost:8182 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:8182...
* Connected to localhost (::1) port 8182
> POST /api/identity/v1alpha/credentials HTTP/1.1
> Host: localhost:8182
> User-Agent: curl/8.7.1
> Accept: */*
> x-api-key: c3VwZXItdXNlcgo=c3VwZXItc2VjcmV0Cg==
> 
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Date: Mon, 06 Jan 2025 07:51:56 GMT
< Content-Length: 95
< 
* Connection #0 to host localhost left intact
[{"message":"Invalid API token","type":"AuthenticationFailed","path":null,"invalidValue":null}]%     

Produce the error message AuthenticationFailed:

Expected Behavior

Started the IdentityHub with super admin and api account role

java -Dweb.http.presentation.port=10001 \
     -Dweb.http.presentation.path="/api/presentation" \
     -Dweb.http.port=8181 \
     -Dweb.http.path="/api" \
     -Dweb.http.identity.port=8182 \
     -Dweb.http.identity.path="/api/identity" \
     -Dedc.ih.api.superuser.key="demo-admin-key" \
     -Dedc.api.accounts.key="demo-accounts-key" \
     -jar launcher/identityhub/build/libs/identity-hub.jar

Get back a list of credentials like documented in the Open API with the correct admin key:

[
  {
    "holderId": "string",
    "id": "string",
    "issuancePolicy": {
      "@type": "SET",
      "assignee": "string",
      "assigner": "string",
      "extensibleProperties": {
        "additionalProp1": {},
        "additionalProp2": {},
        "additionalProp3": {}
      },
      "inheritsFrom": "string",
      "obligations": [
        {
          "action": {
            "constraint": {
              "edctype": "string"
            },
            "includedIn": "string",
            "type": "string"
          },
          "constraints": [
            {
              "edctype": "string"
            }
          ]
        }
      ],
      "permissions": [
        {
          "action": {
            "constraint": {
              "edctype": "string"
            },
            "includedIn": "string",
            "type": "string"
          },
          "constraints": [
            {
              "edctype": "string"
            }
          ],
          "duties": [
            {
              "action": {
                "constraint": {
                  "edctype": "string"
                },
                "includedIn": "string",
                "type": "string"
              },
              "constraints": [
                {
                  "edctype": "string"
                }
              ]
            }
          ]
        }
      ],
      "profiles": [
        "string"
      ],
      "prohibitions": [
        {
          "action": {
            "constraint": {
              "edctype": "string"
            },
            "includedIn": "string",
            "type": "string"
          },
          "constraints": [
            {
              "edctype": "string"
            }
          ],
          "remedies": [
            {
              "action": {
                "constraint": {
                  "edctype": "string"
                },
                "includedIn": "string",
                "type": "string"
              },
              "constraints": [
                {
                  "edctype": "string"
                }
              ]
            }
          ]
        }
      ],
      "target": "string"
    },
    "issuerId": "string",
    "participantId": "string",
    "reissuancePolicy": {
      "@type": "SET",
      "assignee": "string",
      "assigner": "string",
      "extensibleProperties": {
        "additionalProp1": {},
        "additionalProp2": {},
        "additionalProp3": {}
      },
      "inheritsFrom": "string",
      "obligations": [
        {
          "action": {
            "constraint": {
              "edctype": "string"
            },
            "includedIn": "string",
            "type": "string"
          },
          "constraints": [
            {
              "edctype": "string"
            }
          ]
        }
      ],
      "permissions": [
        {
          "action": {
            "constraint": {
              "edctype": "string"
            },
            "includedIn": "string",
            "type": "string"
          },
          "constraints": [
            {
              "edctype": "string"
            }
          ],
          "duties": [
            {
              "action": {
                "constraint": {
                  "edctype": "string"
                },
                "includedIn": "string",
                "type": "string"
              },
              "constraints": [
                {
                  "edctype": "string"
                }
              ]
            }
          ]
        }
      ],
      "profiles": [
        "string"
      ],
      "prohibitions": [
        {
          "action": {
            "constraint": {
              "edctype": "string"
            },
            "includedIn": "string",
            "type": "string"
          },
          "constraints": [
            {
              "edctype": "string"
            }
          ],
          "remedies": [
            {
              "action": {
                "constraint": {
                  "edctype": "string"
                },
                "includedIn": "string",
                "type": "string"
              },
              "constraints": [
                {
                  "edctype": "string"
                }
              ]
            }
          ]
        }
      ],
      "target": "string"
    },
    "state": 0,
    "timeOfLastStatusUpdate": "2025-01-06T07:47:48.607Z",
    "timestamp": 0,
    "verifiableCredential": {
      "credential": {
        "credentialStatus": [
          {
            "additionalProperties": {
              "additionalProp1": {},
              "additionalProp2": {},
              "additionalProp3": {}
            },
            "id": "string",
            "type": "string"
          }
        ],
        "credentialSubject": [
          {
            "id": "string"
          }
        ],
        "description": "string",
        "expirationDate": "2025-01-06T07:47:48.607Z",
        "id": "string",
        "issuanceDate": "2025-01-06T07:47:48.607Z",
        "issuer": {
          "additionalProperties": {
            "additionalProp1": {},
            "additionalProp2": {},
            "additionalProp3": {}
          },
          "id": "string"
        },
        "name": "string",
        "type": [
          "string"
        ]
      },
      "format": "JSON_LD",
      "rawVc": "string"
    }
  }
]

github-actions bot added the triage (all new issues awaiting classification) label Jan 6, 2025

github-actions bot commented Jan 6, 2025

Thanks for your contribution 🔥 We will take a look asap 🚀

paullatzelsperger (Member) commented Jan 7, 2025

IdentityHub does not have a built-in super user or admin user, nor does it have facilities to create one. While the role definition itself exists (in fact, it's the only role that exists), a super user is not generated. This is the job of downstream distributions.

The line in the README is an artifact of times past, I'll remove it.

paullatzelsperger self-assigned this Jan 7, 2025
paullatzelsperger added the bug and documentation labels and removed the triage label Jan 7, 2025

ma3u (Author) commented Jan 7, 2025

@paullatzelsperger: How do I fix the "Invalid API token" error during the API request? Both keys have the same response.

curl -v -X POST \
     -H "x-api-key: demo-accounts-key" \
     "http://localhost:8182/api/identity/v1alpha/credentials"

paullatzelsperger (Member) commented

The API key for the identity API (this is what we call IH's management API) encodes a form of RBAC (role-based access control) and is composed of the participant context ID and a random string, each base64 encoded.

In order to create participant contexts you will need a super user (which isn't created automatically). Please read this document about API security and RBAC.
Check out this API end-to-end test (and others), which demonstrates the use of the IdentityAPI quite clearly, both using the super-user key and other keys.

In addition, I recommend looking at the MVD project and how the super-user is created there on application start; check this extension class.

TL;DR, you need:

  • a super-user, which is a participant context itself, and with which you can create other participant contexts
  • a participant context (either the super-user, or another one), and their API key. You'll get that API key when creating the user
  • use that API key in all your IdentityAPI requests.
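
Added example, not part of the issue thread or the IdentityHub code base: a Python checker that splits an x-api-key value into its base64 segments and decodes them, run on the header value visible in the request trace above. The segment-splitting regex, the function name `inspect_api_key` and the report fields are assumptions of this example, not IdentityHub's own parsing.

```python
import base64
import re

# One base64 run (standard or URL-safe alphabet) plus its optional padding.
# Anything outside that alphabet, such as ".", also ends a segment.
SEGMENT = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")

# Copied from the x-api-key header in the request trace of the issue.
KEY_FROM_TRACE = "c3VwZXItdXNlcgo=c3VwZXItc2VjcmV0Cg=="


def inspect_api_key(key):
    """Decode each base64 segment of an API key and list what looks wrong.

    Returns one dict per segment: raw text, decoded text (None when the
    segment is not base64-encoded UTF-8) and a list of findings.
    """
    report = []
    for raw in SEGMENT.findall(key.strip()):
        findings = []
        try:
            padded = raw + "=" * (-len(raw) % 4)
            decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError derive from it
            decoded = None
            findings.append("not base64-encoded text")
        else:
            if decoded != decoded.strip():
                findings.append("decoded value has leading/trailing whitespace")
            if not decoded.strip():
                findings.append("decoded value is empty")
        report.append({"raw": raw, "decoded": decoded, "findings": findings})
    return report


if __name__ == "__main__":
    for label, key in [("key from trace", KEY_FROM_TRACE),
                       ("launcher value", "demo-accounts-key")]:
        print(label)
        for seg in inspect_api_key(key):
            print("  ", repr(seg["raw"]), "->", repr(seg["decoded"]), seg["findings"])
```

On the traced key both segments decode with a trailing newline (`super-user\n` and `super-secret\n`), the pattern produced when a value is piped through `echo` without `-n` before encoding. The plain launcher value `demo-accounts-key` does not decode as base64 at all.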
