The User-Management and Authentication is the basis for using the Catalogue REST-API. The Catalogue can be operated in different scenarios.
- As a publicly available Catalogue in conjunction with Self-Sovereign Identity Management.
- By an Ecosystem (Federation) in the context of Gaia-X.
- As a private Catalogue for internal use.
Depending on the operation scenario, the Catalogue may have to provide User Management functionality, or it delegates part of the User Management to the Participants themselves via the Self-Sovereign Identity approaches from the Authentication/Authorization Service.
In any case, the Catalogue provides mechanisms for Authentication. In principle, an anonymous Visitor can use some of the APIs. But some functionality may depend on the roles of the user and/or be rate-limited for the Visitor to avoid overload. Access is controlled throughout the Catalogue via Role-based Access Control.
Authentication refers to the activation of a Session by binding of a User to the Session. Activation is only possible if the Catalogue has sufficient information about the User (specifically the Participant to which the User belongs and the Roles of the User in the context of the Participant).
Every active Session is bound to exactly one User. Sessions cannot switch between Users.
The technical standard for Authentication is OpenID Connect.
Different backend implementations for the User Management can exist in parallel.
- Gaia-X IAM
- Individual User Management operated by the Catalogue operator. For example
- LDAP-based user management
- Keycloak Server
- System for Cross-domain Identity Management (SCIM)