|
| 1 | +# Implementation of a Accounts API for the SecureTokenService |
| 2 | + |
| 3 | +## Decision |
| 4 | + |
| 5 | +An Accounts API for the SecureTokenService (STS) will be implemented in a separate module to manage STS accounts. |
| 6 | +In addition, the current class `StsClient` will be renamed to `StsAccount`, and `StsClientStore` to `StsAccountStore` to |
| 7 | +avoid confusion. |
| 8 | + |
| 9 | +## Rationale |
| 10 | + |
| 11 | +The STS acts as authorization backend for a CredentialService. In EDC, the STS implementation is designed to be deployed |
| 12 | +alongside the IdentityHub and acts as Identity Provider (IdP) and for its Presentation API. Although there is |
| 13 | +an [automatic way](https://github.com/eclipse-edc/IdentityHub/pull/458) to |
| 14 | +synchronize a IdentityHub `ParticipantContext` and an STS account, there still should be a way to administer (create, |
| 15 | +update, read and delete) STS accounts at runtime. |
| 16 | + |
| 17 | +In addition, in cases where STS is deployed as standalone component, the IdentityHub may synchronize the |
| 18 | +`ParticipantContext` and the STS account using this Accounts API. |
| 19 | + |
| 20 | +The reason for renaming the `StsClient` is that the term "client" is quite overloaded and could mislead developers into |
| 21 | +thinking that it is a "client to communicate with the STS token API". |
| 22 | + |
| 23 | +## Approach |
| 24 | + |
| 25 | +Implement a REST API that has the following endpoints: |
| 26 | + |
| 27 | +### `POST /v1/accounts` |
| 28 | + |
| 29 | +Create a new `StsAccount`. Key pairs must be managed _out-of-band_. If no `client_secret` is provided, one will be |
| 30 | +generated. This endpoint returns the _entire_ `StsAccount`, including the `client_secret`. Note that there is **no way** |
| 31 | +to obtain the `client_secret` again at a later point in time! |
| 32 | + |
| 33 | +### `PUT /v1/accounts/` |
| 34 | + |
| 35 | +Update an existing `StsAccount`. Note that there is a dedicated endpoint for rotating the `client_secret`. |
| 36 | + |
| 37 | +### `GET /v1/accounts/{id}` |
| 38 | + |
| 39 | +Fetch a particular `StsAccount` by ID. The ID is the entity ID (database ID) of the `StsAccount`. The `client_secret` is |
| 40 | +**not** returned, only its alias. |
| 41 | + |
| 42 | +### `POST /v1/accounts/query` |
| 43 | + |
| 44 | +Query STS accounts, taking a `QuerySpec` in the request body. The `client_secret` is **not** returned, only its alias. |
| 45 | + |
| 46 | +### `PUT /v1/accounts/{id}/secret` |
| 47 | + |
| 48 | +Updates the `client_secret`. The new secret alias - and optionally the new secret - are provided in the request body. If |
| 49 | +no secret is provided, one is generated at random. The old client secret is deleted from the Vault and replaced with the |
| 50 | +new client secret. If the process fails, manual intervention may be necessary, because Vaults are not transactional |
| 51 | +resources. This endpoint returns the current `secret_alias` to make that manual intervention easier. |
| 52 | + |
| 53 | +### `DELETE /v1/accounts/{id}` |
| 54 | + |
| 55 | +Deletes a particular account, removes the `client_secret` from the Vault. Note that this does **not** delete the key |
| 56 | +pair. |
| 57 | + |
| 58 | +> The `StsClientServiceImpl` will be extended to accommodate this functionality. |
| 59 | +
|
| 60 | +### Handling key-pairs |
| 61 | + |
| 62 | +The STS is designed to be used alongside IdentityHub, either as embedded component, or as standalone runtime. In |
| 63 | +either case it should be the IdentityHub that exposes the control surface for handling key-pairs through its Identity |
| 64 | +API and its internal automatic synchronization mechanism (`StsAccountProvisioner`). For that reason, the STS Accounts |
| 65 | +API does not provide any endpoints to handle key pairs. |
| 66 | + |
| 67 | +_Note that if STS is deployed standalone, IdentityHub could use this Accounts API to handle synchronization via REST._ |
| 68 | + |
| 69 | +### Web context |
| 70 | + |
| 71 | +A new web context `"accounts"` will be introduced for the STS Accounts API to provide it its own security realm and |
| 72 | +ingress configuration. This is particularly important when STS runs as embedded component in IdentityHub or the |
| 73 | +connector controlplane to avoid clashes and provide better separation. |
| 74 | + |
| 75 | +### Security |
| 76 | + |
| 77 | +Out-of-the-box, the STS Accounts API utilizes token-based authentication. This can be extended and |
| 78 | +overridden in downstream applications, for example using the delegated authentication feature. |
| 79 | + |
| 80 | +> The STS Accounts API should **never** be exposed to the internet without additional infrastructure! |
0 commit comments