INDIGO IAM Dashboard is the web application of INDIGO IAM developed by INFN.
The dashboard is implemented in TypeScript, using React and Next.js. OpenID Connect/OAuth2 authorization flow is handled by Better Auth.
The dashboard acts as a INDIGO IAM Login Service OpenID Connect/OAuth2 client and thus, a registered client is required to receive an access token.
To register a new client, go to the chosen INDIGO IAM instance, login as admin and create a new client with the configuration described below.
In the client main page, add all needed redirect uris, in the form of
<IAM_URL>/api/oauth2/callback/indigo-iam (without the trailing /).
To enable development of the dashboard on your local machine, the redirect uri must be:
http://localhost:3000/auth/oauth2/callback/indigo-iam
For a production deployment, the redirect uri will be, for example:
https://iam-dev.cloud.cnaf.infn.it/ui/auth/oauth2/callback/indigo-iam
where https://iam-dev.cloud.cnaf.infn.it/ui is the URL where the dashboard is
located (see following sections for changing the basePath parameter).
In the Scopes tab, assure that the following scopes are enabled:
emailopenidprofilescim:readscim:writeiam:admin.readiam:admin.write
In the Grant Types tab, enable authorization_code.
Finally, in the Crypto section, enable PKCE with SHA-256 has algorithm.
A Docker image is automatically built using GitHub Action and available on
Docker Hub for
basePath equal to /ui (see section below).
IAM_DASHBOARD_AUTH_SECRET is a variable to securely protect session cookies
for authentication. You could generate a secret key by running:
openssl rand -base64 32Note this is considered a sensitive credentials do decrypt session cookies and thus the Access Token. Do not share the secret especially the once generated for production deployment.
Create .env file similar to:
IAM_API_URL=https://iam-dev.cloud.cnaf.infn.it
IAM_DASHBOARD_BASE_URL=https://iam-dev.cloud.cnaf.infn.it
IAM_DASHBOARD_BASE_PATH=/ui
IAM_DASHBOARD_OIDC_CLIENT_ID="<your_client_id>"
IAM_DASHBOARD_OIDC_CLIENT_SECRET="<your_client_secret>"
IAM_DASHBOARD_AUTH_SECRET="<authentication_secret>"
IAM_DASHBOARD_OTEL_EXPORTER_OTLP_ENDPOINT="https://your.otel.example/collector"To start the application execute:
docker run -p <some-port>:80 --env-file=prod.env cnafsoftwaredevel/iam-dashboard:latestTo deploy a Next.js application under a different path of a domain you can use
the basePath
configuration option.
The basePath variable is read at build time and thus the dashboard must be
compiled for each different basePath.
It is possible to change the basePath
variable using the --build-arg IAM_DASHBOARD_BASE_PATH=<path> Docker argument.
For example, to deploy your application with the /ui using the sub-path
run:
docker build . -t iam-dashboard --build-arg IAM_DASHBOARD_BASE_PATH=/uiDevelopment can be done locally or using Dev Containers that provide an already prepared environment.
Independently from you preferred development method, local or via Dev Containers,
it is required to register a valid domain in your /etc/hosts file or
equivalent, create a self-signed Certificate Authority and Private Key and
Public Certificate for TLS termination.
The next sections describe how to setup the domain name and register custom
certificates.
In order to use TLS, a domain name must be registered in your local DNS entry.
For Linux and Mac, add iam.test.example to the localhost entry in your
/etc/hosts file pointing to the localhost ip.
It should look like the following:
# /etc/hosts
...
127.0.0.1 localhost iam.test.example
...Before launching the deployment, add iam.test.example es explained in
Hosts file section.
Now, create a self-signed certificate authority and certificate by running:
scripts/trust/setup_trust.sh assets/trustThis will generate the following files in the assets/trust directory:
assets/trust
├── star_test_example.cert.pem
├── star_test_example.key.pem
└── star_test_example_ca.pemThis project provides a ready to use development environment by using Dev Containers. It is has been tested with VS Code and Zed IDEs.
Before opening the project with VS Code or Zed, it is suggested to manually start the main docker compose file the first time with:
docker compose up -dand getting the automatically generated OIDC client credentials by executing:
docker logs iam-client-registrant
Client ID: 1d70f1a4-d38f-44be-811d-98e25d574431
Client Secret: 35971fb2-d6e7-4180-9330-6b3b842f04c4Open the project with VS Code and click "Open in container".
When the environment is ready, create the .env file in the root of the
project with like:
IAM_API_URL=https://iam.test.example
IAM_DASHBOARD_BASE_URL=https://iam.test.example
IAM_DASHBOARD_BASE_PATH=/devcontainer # note the base path
IAM_DASHBOARD_OIDC_CLIENT_ID=1d70f1a4-d38f-44be-811d-98e25d574431
IAM_DASHBOARD_OIDC_CLIENT_SECRET=35971fb2-d6e7-4180-9330-6b3b842f04c4
IAM_DASHBOARD_AUTH_SECRET=mHkwsMan8G6REekPvvzsMFPg594nUfkgmZRBcQV3SzQ=Then install the dependencies with:
npm install # or npm ciStart the application by running:
npm run devSomething similar to the following should be prompted:
iam-dashboard@0.1.0 dev
next dev
▲ Next.js 14.2.2
- Local: http://localhost:3000
- Environments: .env
✓ Starting...
✓ Ready in 9.5sThe old IAM Login Service dashboard is available at https://iam.test.example while the new dashboard is reachable at https://iam.test.example/devcontainer.
When closing the devcontainer, it should call docker compose down to
gracefully close all services. It this does not happen, to shut down all
the services execute:
docker compose down --remove-orphansIf you want also to delete all volumes, run:
docker compose down --remove-orphans --volumesTo launch the development environment, an installation of Node.js is the only mandatory requirement. This project currently relies upon Node 24 LTS.
This project provides a docker-compose.yaml file
to start an instance of INDIGO IAM Login Service, MySQL and NGINX. This
allows the development of the dashboard using an environment mostly similar
to a production environment, with a reverse proxy to properly forward traffic
IAM Login Service and IAM Dashboard upstreams. It also provides TLS termination.
To start the services in background execute:
docker compose up -dCreate a file named .env located to the project root directory and define the
following variables:
IAM_API_URL=https://iam.test.example
IAM_DASHBOARD_BASE_URL=https://iam.test.example
IAM_DASHBOARD_BASE_PATH=/dev # note the base path
IAM_DASHBOARD_OIDC_CLIENT_ID=1d70f1a4-d38f-44be-811d-98e25d574431
IAM_DASHBOARD_OIDC_CLIENT_SECRET=35971fb2-d6e7-4180-9330-6b3b842f04c4
IAM_DASHBOARD_AUTH_SECRET=mHkwsMan8G6REekPvvzsMFPg594nUfkgmZRBcQV3SzQ=First install the required dependencies with:
npm install # or npm ciand then start the Next.js development server running:
npm run devSomething similar to the following should be prompted:
iam-dashboard@0.1.0 dev
next dev
▲ Next.js 14.2.2
- Local: http://localhost:3000
- Environments: .env
✓ Starting...
✓ Ready in 9.5sThe old IAM Login Service dashboard is available at https://iam.test.example while the new dashboard is reachable at https://iam.test.example/dev.
End-to-end (E2E) tests are written using Playwright testing framework.
In order to test every aspect of the frontend, as well as the backend side
and the reverse proxy, the docker compose project compiles the dashboard and
builds an image called iam-dashboard:test, located at https://iam.test.example/ui.
By default, Playwright will run tests against the https://iam.test.example/ui
endpoint, to the the final image that will be built during the CI/CD pipeline.
To run the tests, Playwright browser must be installed first, or on your local machine or inside the Dev Container.
To install the browsers, run:
npx playwright install --with-depsThe CI/CD pipeline performs end-to-end tests each time a new commit is pushed
to the remote origin. To perform the system tests, IAM Dashboard must be
compiled and packaged in a docker image.
The docker-compose file builds an image called
iam-dashboard:test which Playwright run tests against.
To run the test suite, first start the docker compose deployment with the
--build parameter, in order to freshly build the IAM Dashboard:
docker compose up -d --buildNote everything the source code is changed, the iam-dashboard:test image
needs to be rebuilt.
To run the tests with the command line:
export NODE_EXTRA_CA_CERTS="$(pwd)/assets/trust/star_test_example_ca.pem"
npx playwright testor using the Playwright's UI mode:
export NODE_EXTRA_CA_CERTS="$(pwd)/assets/trust/star_test_example_ca.pem"
npx playwright test --uiTo update the image, first shutdown the deployment and restart it with the
--build flag:
docker compose down [-v]
docker compose up -d --buildIt is possible to run tests on the local development mode started by
npm run dev.
Make sure the properly configure the .env as described in the above sections,
using the following variables:
IAM_API_URL=https://iam.test.example
IAM_DASHBOARD_BASE_URL=https://iam.test.example
IAM_DASHBOARD_BASE_PATH=/devStart the application in one shell with:
export NODE_EXTRA_CA_CERTS="$(pwd)/assets/trust/star_test_example_ca.pem"
npm run devand run tests in other shell with:
export NODE_EXTRA_CA_CERTS="$(pwd)/assets/trust/star_test_example_ca.pem"
IAM_DASHBOARD_BASE_PATH=/dev npx playwright test [--ui]To run tests inside the devcontainer, first install Playwright browsers:
npx playwright install --with-depsThe configure the .env file with the following variables:
IAM_API_URL=https://iam.test.example
IAM_DASHBOARD_BASE_URL=https://iam.test.example
IAM_DASHBOARD_BASE_PATH=/devcontainerIn one shell, run:
npm run devwhile in other shell run the tests with:
npx playwright testTo use the Playwright's UI from a Dev Container, execute:
npx playwright test --ui-host 0.0.0.0 --ui-port 8900and go to http://localhost:8900 on your browsers. To open the HTML report instead, go to http://localhost:8901.