The Identity Plugin is a Kubernetes-based microservice that manages users, credentials, and access control across distributed systems. It provides a centralized authentication and authorization service, offering a standardized API that integrates seamlessly with other services.

Key Features

  • User Management – Create, update, and delete user accounts.
  • Role-Based Access Control (RBAC) – Assign predefined roles with granular permissions.
  • Group Association – Manage user memberships across applications.
  • OAuth2 Authentication – Secure authentication flows using JWT tokens.
  • Performance Optimization – Uses in-memory caching for fast query handling.
  • Observability – Integrated with OpenTelemetry for logging and tracing.

Role Groups


Role groups are defined per application based on available resources. Each user is assigned a permission level:

  • Admin – Full access to all resources and administrative capabilities.
  • Editor – Can modify content and settings for specific resources but lacks full administrative control.
  • Contributor – Can contribute content and perform tasks but has limited access to system settings.
  • Viewer – Read-only access to view content without making changes.

Built-in role groups

The role groups come predefined, and their permissions can’t be changed.


Allowed Actions

Role          Allowed Methods
Admin         Full control over all resources
Editor        GET, POST, PATCH, DELETE
Contributor   GET, POST, PATCH
Viewer        GET only

Access Per Application

Role groups are set per application (e.g., Midaz, Fee Plugin, CRM Plugin), and permissions are scoped accordingly.

  • For example, a user who is a Contributor in Midaz, a Viewer in Fee, and has no role in CRM can create and update resources in Midaz, can only view data in Fee, and has no access to CRM at all.
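To make the per-application scoping concrete, the following is an added example (not the plugin's own code) that encodes the Allowed Actions table and the per-application rule as a Go authorization check. The type and function names (Role, Assignment, Authorize) and the application names used as map keys are assumptions for illustration; the check denies by default for an unknown application, an unknown role, or a method not in the role's list.

```go
package main

import (
	"fmt"
	"strings"
)

// Role is one of the built-in role groups described on this page.
type Role string

const (
	Admin       Role = "Admin"
	Editor      Role = "Editor"
	Contributor Role = "Contributor"
	Viewer      Role = "Viewer"
)

// allowedMethods mirrors the "Allowed Actions" table. Admin is handled
// separately in Authorize because it has full control, not a fixed method list.
var allowedMethods = map[Role][]string{
	Editor:      {"GET", "POST", "PATCH", "DELETE"},
	Contributor: {"GET", "POST", "PATCH"},
	Viewer:      {"GET"},
}

// Assignment maps an application name to the role a user holds there.
// A missing key means the user has no role, and therefore no access, in that application.
// (Hypothetical type for illustration.)
type Assignment map[string]Role

// Authorize reports whether a user with the given assignments may perform the
// HTTP method in the named application. Everything not explicitly allowed is denied.
func Authorize(a Assignment, app, method string) bool {
	role, ok := a[app]
	if !ok {
		return false // no role in this application
	}
	if role == Admin {
		return true // full control over all resources
	}
	method = strings.ToUpper(method)
	for _, m := range allowedMethods[role] { // unknown role: empty list, denied
		if m == method {
			return true
		}
	}
	return false
}

func main() {
	// Constructed scenario matching the page: Contributor in Midaz, Viewer in Fee, no role in CRM.
	user := Assignment{"Midaz": Contributor, "Fee": Viewer}
	for _, c := range []struct{ app, method string }{
		{"Midaz", "POST"}, {"Midaz", "DELETE"}, {"Fee", "GET"}, {"Fee", "PATCH"}, {"CRM", "GET"},
	} {
		fmt.Printf("%-5s %-6s -> %v\n", c.app, c.method, Authorize(user, c.app, c.method))
	}
}
```

Because the role table lives in code rather than in a mutable store, the "permissions can't be changed" property of the built-in role groups is preserved: changing what a Contributor may do requires a code change and a review, not a data edit.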

Architecture and Identity Flow


The Identity Plugin follows a clean architecture pattern with the following request flow:

Figure 1. Identity Flow

Request Flow

  1. HTTP Request Entry
    • API endpoints process incoming requests.
    • Middleware handles CORS, logging, and telemetry.
    • Authorization middleware enforces access policies.
  2. Request Processing
    • Handlers validate input and extract parameters.
    • The service layer executes business logic.
    • The adapter layer translates service calls to the external IAM system.
  3. Authentication Flow
    • Client applications authenticate using OAuth2.
    • JWT tokens are validated with embedded certificates.
    • Permissions are enforced based on role definitions.
  4. Response Flow
    • Data is transformed into API response models.
    • Standardized HTTP responses ensure consistency.
    • Logging and telemetry track the request lifecycle.
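The token validation in steps 1 and 3 is where most of the security risk in this flow sits, so here is an added example, written for this page rather than taken from the plugin, of validating an RS256 JWT against a pinned public key and gating an HTTP handler on the result using only the Go standard library. Everything in it is an assumption for illustration: the function names (NewKey, Sign, Verify, AuthMiddleware, RequestStatus), the claim set, and the use of a raw RSA public key in place of the embedded certificate; the plugin's actual token format and claims are not described on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)
var b64 = base64.RawURLEncoding

// Claims is the subset of registered JWT claims this example checks (assumed set).
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"` // expiry, seconds since the Unix epoch
}

// NewKey creates a throwaway RSA key pair so the example runs offline.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign mints a compact RS256 JWT; in the real flow the OAuth2 server issues tokens.
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify validates a token against a pinned public key (standing in for the embedded
// certificate). The header must declare RS256, so a token claiming "none" or an HMAC
// algorithm is rejected before any key is consulted; the signature must verify over
// header.payload; and "exp" must be present and lie in the future relative to now.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url encoding")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, errors.New("bad claims")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// AuthMiddleware is the authentication step of the request flow: a missing or
// invalid bearer token gets 401 and never reaches the handler behind it.
func AuthMiddleware(pub *rsa.PublicKey, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		if _, err := Verify(pub, strings.TrimPrefix(auth, "Bearer "), time.Now()); err != nil {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// RequestStatus drives the middleware with an in-memory request and returns the status code.
func RequestStatus(pub *rsa.PublicKey, token string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/v1/users", nil) // constructed path
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	AuthMiddleware(pub, ok).ServeHTTP(rec, req)
	return rec.Code
}
```

Pinning the algorithm to the one the embedded key supports, and checking it before touching the signature, is the detail that matters most here: a verifier that trusts the token's own alg header can be talked into skipping the signature or into treating the public key as an HMAC secret. A production verifier should additionally check issuer and audience claims and would normally use a maintained JWT library rather than hand-rolled parsing.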

External Dependencies

  • Primary Storage – Centralized identity management system.
  • Caching – Optimized with an in-memory data store.
  • Tracing & Monitoring – Integrated with OpenTelemetry.
  • Deployment – Kubernetes for infrastructure management.

API Overview


The Identity Plugin provides centralized identity and access management for distributed applications. APIs support:

  • User account management and authentication
  • Role-based access control and permissions enforcement
  • Group and application identity operations

Access is secured by strict permission controls. For technical details, check the Identity API documentation.


Data Storage and Modeling


The Identity Plugin doesn’t store data on its own—it connects with external systems to handle identity and caching.

Primary Storage

The plugin relies on an external identity management system as its main data store. It manages key entities like users, groups, and applications:

  • User Entity
    • Key properties: ID, first name, last name, username, email, hashed password, and group memberships.
    • Mapping: Directly corresponds to user objects in the identity system.
    • Operations: Supports create, read, update, and delete actions via API.
  • Group Entity
    • Key properties: ID, name, display name, creation date, and associated users.
    • Mapping: Directly corresponds to group objects in the identity system.
    • Operations: Read operations available through API.
  • Application Entity
    • Key properties: ID, name, description, client credentials, and creation date.
    • Mapping: Directly corresponds to application objects in the identity system.
    • Operations: Supports create, read, and delete actions via API.

Secondary Storage

A document-based database is integrated to support additional data persistence needs.

Caching

A caching layer is used to improve performance, managing temporary data efficiently. Connections and cache consumers are handled programmatically within the plugin.


Deployment & Operations


  • Scalability & Reliability – Managed through Kubernetes.
  • Observability – Integrated with OpenTelemetry.
  • Security – Aligned with industry best practices for authentication and authorization.

The Identity Plugin ensures secure and efficient authentication across distributed applications, streamlining identity management with a robust and scalable design.