Identity Management

1. Identity management and authentication

Authentication and user management system. Authentication is performed with user name or email address and password. This system also acts as an OAuth authorization server and resource server.

Attributes of a user:

  • ID

  • username

  • email

  • password

1.1. Login

  • A user must be able to log in with user name and password

  • A user must alternatively be able to log in with email address and password

  • An email address can be used for registration only once (email addresses are unique)

  • Login is successful only when the user is enabled

  • If the password is entered incorrectly n times within x minutes, the account is blocked for y minutes (brute force protection)

  • If an account is blocked, no further login is possible

  • A block is automatically removed after y minutes

  • A block can be removed manually in the admin area

  • When an account is blocked, the owner receives an email notification about the block
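An added reference implementation of the login and lockout rules above (example code, not part of this specification): the PBKDF2 parameters, the "invalid"/"blocked"/"disabled" result codes and the `outbox` list standing in for the mailer are assumptions, and times are passed in as seconds so the rules can be tested deterministically.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

def hash_password(password: str, salt: bytes) -> bytes:  # PBKDF2 parameters are an assumption
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    enabled: bool = True                          # login succeeds only when enabled
    failures: list = field(default_factory=list)  # timestamps of recent failed attempts
    blocked_until: float = 0.0                    # 0.0 means not blocked

class LoginService:
    """Login by username or email; n wrong passwords within x seconds block the account for y seconds."""
    def __init__(self, n: int, x: float, y: float):
        self.n, self.x, self.y = n, x, y
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []   # (email, message) the mailer would send

    def register(self, username: str, email: str, password: str, enabled: bool = True):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, email, salt, hash_password(password, salt), enabled)

    def login(self, identifier: str, password: str, now: float) -> str:
        acct = next((a for a in self.accounts.values() if identifier in (a.username, a.email)), None)
        if acct is None:
            return "invalid"            # same answer as a wrong password: no user enumeration
        if now < acct.blocked_until:
            return "blocked"            # block still active: no further login possible
        acct.blocked_until = 0.0        # block expired: removed automatically
        if not acct.enabled:
            return "disabled"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures.clear()
            return "ok"
        acct.failures = [t for t in acct.failures if now - t < self.x] + [now]  # keep failures inside window x
        if len(acct.failures) >= self.n:
            acct.blocked_until, acct.failures = now + self.y, []
            self.outbox.append((acct.email, f"Your account was blocked for {self.y:.0f} seconds"))
            return "blocked"
        return "invalid"

    def unlock(self, username: str):    # manual unlock from the admin area
        self.accounts[username].blocked_until, self.accounts[username].failures = 0.0, []
```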

1.2. Registration

-> Registration is done via the membership management of the NewsRoom -> data is passed via API to the identity management (e.g. Keycloak)

  • Collect user data

  • Generate a token and send a registration confirmation email

  • Validate the registration token and continue the registration

  • Activate the user from the admin area

1.3. Reset password

  • Forgot password: enter email address or user name

  • Generate a token and send it to the known email address

  • Check the token

  • Assign a new password

1.4. Change user data / manage profile

  • Edit own user data

  • Email address changes require verification of the new address via token

1.5. Log out

  • End the session

  • Delete cookies

  • Redirect to the home page

1.6. Delete account

  • Confirmation prompt (security query)

  • Anonymise the remaining data (soft delete)

1.7. Permissions

1.7.1. Admin

1.7.2. Users

1.8. Managing users

1.8.1. User list

1.8.2. User details

  • List user details

  • Display the user's log data

    • Logins: when and from where

    • Include Matomo?

1.8.3. Edit user

  • Edit user data

  • Email to the user about profile changes (abuse)

1.9. Implementation of OAuth 2.0

1.9.1. Managing applications

Attributes of an application:

  • ID

  • Name

  • Available on platforms

    • mobile

    • tablet

    • desktop

    • app

  • Access to Scopes

    • name

    • email

    • avatar

    • openid

  • Redirect URL

  • Icon for applications

1.9.1.1. Create application

1.9.1.2. Edit application

1.9.1.3. Remove application

1.9.1.4. Generate credentials

1.9.1.5. Generate pair of keys

1.9.2. Authorisation of applications

1.9.2.1. Authorising the application by the user

1.9.2.2. Confirm scopes on authorisation

1.9.2.3. Revoking the authorisation

1.9.3. Authorisation options

1.9.3.1. Creating an authorisation endpoint

1.9.3.2. Authorisation by Authorisation Code

1.9.3.3. Authorisation by Implicit Grant

1.9.3.4. Authorisation by Client Credentials

1.9.3.5. Authorisation by Resource Owner Password Credentials

1.9.4. Token handling

1.9.4.1. Generating a JWT Access Token

1.9.4.2. Validating a JWT Access Token

1.9.4.3. Generating a Refresh Token

1.9.4.4. Generating a JWT Access Token from a Refresh Token

1.9.4.5. Endpoint for validation of the JWT Access Token

1.9.4.6. Endpoint for issuing an Access Token from a Refresh Token
