Home
Welcome to the IUDX Authentication, Authorization, and Accounting (AAA) server.
This server serves the IUDX AAA REST APIs, which can be called by:
- Data providers (the resource owners)
- Data consumers (users who wish to access one or more data providers' data)
- Resource servers (which host the data providers' data)
over HTTPS (using a valid client-side X.509 certificate).
[Note] In the above setup, the Resource server administrator and the Data provider may also be the same person.
The Auth APIs expect the HTTP method to be POST. Inputs and outputs, if any, are in JSON.
The APIs return:
- 200 on success
- 400 on bad request
- 403 on unauthorized request
On exceptions:
- 402 on payment required (due to insufficient credits)
- 429 on too many requests
- 500 on internal error
- Get an access token (to be called by data consumers): /auth/v1/token
- Set access control policies (to be called by data providers): /auth/v1/acl/set
- Append to existing access control policies (to be called by data providers): /auth/v1/acl/append
- Get the current access control policies (to be called by data providers): /auth/v1/acl
- Validate an access token (to be called by resource servers): /auth/v1/token/introspect
- Revoke tokens (can be called by both data providers and consumers): /auth/v1/token/revoke
- Revoke all tokens for a given certificate (can be called by both data providers and consumers): /auth/v1/token/revoke-all
- Audit tokens (can be called by both data providers and consumers): /auth/v1/audit/tokens
- Add a consumer to a group (to be called by a data provider): /auth/v1/group/add
- Delete a consumer from a group (to be called by a data provider): /auth/v1/group/delete
- List current consumers in a group (to be called by a data provider): /auth/v1/group/list
- Get the user's certificate details (can be called by any user): /auth/v1/certificate-info
All APIs require a valid client-side X.509 certificate.
Data providers and consumers must have a valid emailAddress field in the certificate, whereas the resource server's certificate must have a valid hostname (FQDN) as the Common Name (CN). Also, for a resource server, the hostname in the certificate must match the IP address from which the API is being called.
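The certificate rules above, as an added example that is not code from the iudx-auth-server project: a server-side check over the `subject` structure returned by Python's `ssl.SSLSocket.getpeercert()`. The role names, the pluggable `resolver` hook (so the check can run without DNS) and the sample values are assumptions of this example.

```python
import ipaddress
import re
import socket

# Hostname syntax check (labels of 1-63 chars, a top-level label of letters);
# the page only says "valid hostname (FQDN)", so this strictness is an assumption.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def subject_fields(peercert: dict) -> dict:
    """Flatten the getpeercert()-style subject ((('k', 'v'),), ...) into a dict."""
    fields = {}
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            fields.setdefault(key, value)
    return fields


def default_resolver(hostname: str) -> set:
    """Addresses the CN currently resolves to; replaced by a stub in offline tests."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def validate_certificate(peercert: dict, role: str, caller_ip: str,
                         resolver=default_resolver) -> str:
    """Return the identity the certificate establishes for `role`
    (email for consumers/providers, hostname for resource servers),
    or raise ValueError when the page's requirements are not met."""
    fields = subject_fields(peercert)
    if role in ("consumer", "provider"):
        email = fields.get("emailAddress", "")
        if not EMAIL_RE.fullmatch(email):
            raise ValueError("certificate must carry a valid emailAddress")
        return email.lower()
    if role == "resource-server":
        cn = fields.get("commonName", "")
        if not FQDN_RE.match(cn):
            raise ValueError("resource server CN must be an FQDN")
        # The CN must resolve to the address the API call is coming from.
        addresses = {ipaddress.ip_address(a) for a in resolver(cn)}
        if ipaddress.ip_address(caller_ip) not in addresses:
            raise ValueError(f"{cn} does not resolve to caller {caller_ip}")
        return cn.lower()
    raise ValueError(f"unknown role {role!r}")
```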
To get a certificate, please visit any of the following certificate authorities (CA):
- IUDX certificate authority: https://ca.iudx.org.in
- Any licensed CA in India: http://cca.gov.in/licensed_ca.html
- Any standard trusted CA: List of trusted certificate authorities
Please note that, as of now, certificates issued by CAs other than the IUDX CA will be treated as:
- class-1 for resource servers.
- class-2 for consumers.
If you wish to get a class-3 or higher certificate, please use the IUDX CA or your organization's IUDX sub-CA.
There are 5 classes of certificates:
- class-1: Can only be used by resource servers to validate/introspect their tokens. They can only be used to call the /auth/v1/token/introspect API.
- class-2: Can be used by a data consumer to request access to protected data. They can only be used to call the /auth/v1/token API.
- class-3: Can be used by a data consumer to request access to protected data. Can be used by a data provider to set access control policies and create/manage catalog entries.
- class-4: Can be used by a data consumer to request access to private data.
- class-5: Can be used by a data consumer to request access to confidential data.
The source code of the AAA server is available at: https://github.com/iudx/iudx-auth-server
The Python SDK (pyIUDX) to call the AAA APIs is available at: https://github.com/iudx/pyIUDX