add keycloak clients dependency management (allowing integration with admin, auth apis)
olivierlemee committed Aug 26, 2024
1 parent d8b6de2 commit 40c89fa
Showing 4 changed files with 23 additions and 7 deletions.
17 changes: 16 additions & 1 deletion demonstrators-line/demonstrator-v0/pom.xml
@@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.cybnity</groupId>
<artifactId>techstack</artifactId>
<version>0.34.0</version>
<version>0.35.0</version>
<packaging>pom</packaging>
<name>CYBNITY Official Standard Techstack</name>

@@ -57,6 +57,7 @@
<janusgraph.core>[1.1.0,)</janusgraph.core>
<janusgraph.driver>[1.1.0,)</janusgraph.driver>
<janusgraph.inmemory>[1.1.0,)</janusgraph.inmemory>
<keycloak.client>[25.0.4,)</keycloak.client>
<junit-jupiter.version>5.9.3</junit-jupiter.version> <!-- 5.7.0 -->
<junit-jupiter-platform.version>[1.9.2,)</junit-jupiter-platform.version>
<cucumber.version>7.12.1</cucumber.version>
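Review bot: the new `<keycloak.client>[25.0.4,)</keycloak.client>` property is an open-ended version range, so every build resolves whichever Keycloak client release is newest in the repository at that moment: builds are not reproducible, and a future release (breaking or compromised) is pulled in without anyone reviewing the upgrade. Pin the version the way `junit-jupiter.version` is pinned (`<keycloak.client>25.0.4</keycloak.client>`) and bump it deliberately, or at least bound the range to the 25.x line. The neighbouring janusgraph properties have the same shape, but they are outside this change.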
@@ -270,6 +271,20 @@
<version>${janusgraph.driver}</version>
<scope>test</scope>
</dependency>
<!-- Keycloak SSO -->
<dependency>
<!-- Keycloak Admin API client -->
<groupId>org.keycloak</groupId>
<artifactId>keycloak-admin-client</artifactId>
<version>${keycloak.client}</version>
<scope>compile</scope>
</dependency>
<dependency>
<!-- Keycloak Auth API client -->
<groupId>org.keycloak</groupId>
<artifactId>keycloak-authz-client</artifactId>
<version>${keycloak.client}</version>
</dependency>
</dependencies>
</dependencyManagement>

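Review bot: the two new managed dependencies are declared inconsistently: `keycloak-admin-client` carries an explicit `<scope>compile</scope>` while `keycloak-authz-client` has none. Since `compile` is Maven's default scope, either drop the explicit element or add it to both entries so the block reads uniformly. Note also that a `dependencyManagement` entry only fixes version and scope; child modules that need the admin client (which talks to the Admin REST API with administrative credentials) must still declare it themselves, so consider documenting in the comment which modules are expected to do so.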
2 changes: 1 addition & 1 deletion demonstrators-line/demonstrator-v0/sample-project-pom.xml
@@ -3,7 +3,7 @@
<parent>
<groupId>org.cybnity</groupId>
<artifactId>techstack</artifactId>
<version>0.34.0</version>
<version>0.35.0</version>
</parent>

<groupId>org.cybnity.techstack.quality</groupId>
@@ -237,7 +237,7 @@ The criteria checked about advantages (ADV) are:
| Vault |Trusted authority for application and machine identities; secure, store, and access credentials and resources for user identity; Key/Value store for secrets, with flexibility and configurability with topics such as secret engines, authentication methods, and access policies <br>**ADV01:** [Mozilla Public License 2](https://github.com/hashicorp/vault/blob/main/LICENSE)<br>![image](vault-high-level-architecture-overview.png)<br>**ADV02:** [several installations](https://www.vaultproject.io/downloads) for Linux, Windows, macOS; [docker image](https://hub.docker.com/_/vault/); [Kubernetes compatible with Helm example](https://www.vaultproject.io/docs/platform/k8s/helm); [High-Availability](https://www.vaultproject.io/docs/concepts/ha) capabilities; [reference architecture with Consul integration](https://learn.hashicorp.com/tutorials/vault/reference-architecture)<br>**ADV03:** variety of secret and auth backends; dynamic secret generation; auditLog; leasing and renewal; Privilege Access Management (PAM); integrations for Kubernetes, Spring, and officially supported client libraries for Go and Ruby; fetching of secrets via the CLI, REST API, or community-maintained [open source libraries](https://www.vaultproject.io/api/libraries#community); auth method such [App Role](https://www.vaultproject.io/docs/auth/approle) or additional precautions such as [Cubbyhole response wrapping](https://learn.hashicorp.com/tutorials/vault/cubbyhole-response-wrapping); [integration with Consul](https://learn.hashicorp.com/tutorials/vault/ha-with-consul); [Vault Helm Charts](https://github.com/hashicorp/vault-helm) project; Java spring client library for connect to Vault<br>**ADV04:** HashiCorp provides Vault Enterprise, a fully managed version running on HashiCorp Cloud Platform (HCP)|**Advantage:** easy to set up and use; list of integrations, primarily focusing on authentication and secret storage|`COOL`|
| midPoint Evolveum |Open source ecosystem for identity and access management focused on how the data is processed, auditing, and provide data rectification and erasure options out-of-the-box; identity governance and administration (automated access request, provisioning and deprovisioning, policy and roles management, auditing, access certification); 3rd-parties solutions licenses management; identity data visibility and accountability compliance (gdpr); consent management and identity data; user access self-services (password, access request, profile); [all features](https://docs.evolveum.com/midpoint/features/current/)<br>![image](midpoint-high-level-component-structure.png)<br>**ADV01:** Apache License and European Union Public License<br>**ADV02:** [requirements](https://docs.evolveum.com/midpoint/install/system-requirements/); [Docker Alpine image installation](https://docs.evolveum.com/midpoint/install/docker/); need JRE 11+<br>![image](midpoint-environment-schema-HA.png)<br>**ADV03:** synchronize identities stores across all the inbound and outbound resources; PostgreSQL repository implementation internally; RBAC/ABAC supported; organizational structure, group membership, access control lists (ACLs), privileges managed; web UI for uiam management<br>**ADV04:** professional support; [rich tutorial](https://evolveum.com/get-started/) and documentations by evolveum; LTS program; large identity [connectors](https://docs.evolveum.com/connectors/connectors/); [shared roadmap](https://docs.evolveum.com/midpoint/roadmap/)|**Advantage:** lot of integration with third-party solution around the identity management; very large documentations for IAM management and segregation of duties between the components<br>**Disadvantage:** complementary solution to external directories|`COOL`|
| [Apache Directory Server](https://directory.apache.org/) |<br>**ADV02:** written in Java<br>**ADV03:** certified as LDAP v3 compliant by the Open Group (ApacheDS), and Eclipse-based directory tools (Apache Directory Studio); supports Kerberos 5 and the Change Password Protocol; [Apache directory studio](https://directory.apache.org/studio/) LDAP browser| |`OK`|
| [Keycloak](https://www.keycloak.org/) |Access management system; single-Sign On, user accounts and authorizations management; fine-grained support of [abac/rbac/ubac/cbac policies](https://www.keycloak.org/docs/latest/authorization_services/index.html) for authorization services<br>**ADV01:** Apache 2 license<br>**ADV02:** Java 11+ supported; compatible under [Docker](https://www.keycloak.org/server/containers) and Kubernetes; several database supported (e.g postgreSQL, mysql, mariadb); low resources required (512Mo RAM, 1Go disk space)<br>**ADV03:** integration with identity providers (e.g via OpenID Connect, SAML 2.0, Kerberos); user accounts federation (e.g LDAP, Active Directory, RDBMS servers) or stand-alone implementation; admin console (e.g update the profile, change passwords, and setup two-factor authentication); management of authorization policies; OAuth2 supported; administration RESTful api; TLS for end-point exposure; tenant with realm for applications and/or users groups management; clients adapters (e.g javascript, SpringBoot via OpenID); [extensions](https://www.keycloak.org/extensions.html); [theming extension with React](https://www.keycloakify.dev/); [France Connect connector](https://github.com/InseeFr/Keycloak-FranceConnect)<br>**ADV04:** sponsored by Redhat|**Advantage:** Keycloack's token are digitally signed so the app just need to verify the digital signature without contacting the Keycloak server; Identity brokering; efficient support community and active forums; clear documentation|`OK`|
| [Keycloak](https://www.keycloak.org/) |Access management system; Single-Sign On, user accounts and authorizations management; fine-grained support of [abac/rbac/ubac/cbac policies](https://www.keycloak.org/docs/latest/authorization_services/index.html) for authorization services<br>**ADV01:** Apache 2 license<br>**ADV02:** Java 11+ supported; compatible under [Docker](https://www.keycloak.org/server/containers) and Kubernetes; several database supported (e.g postgreSQL, mysql, mariadb); low resources required (512Mo RAM, 1Go disk space)<br>**ADV03:** integration with identity providers (e.g via OpenID Connect, SAML 2.0, Kerberos); user accounts federation (e.g LDAP, Active Directory, RDBMS servers) or stand-alone implementation; admin console (e.g update the profile, change passwords, and setup two-factor authentication); management of authorization policies; OAuth2 supported; administration RESTful api; TLS for end-point exposure; tenant with realm for applications and/or users groups management; clients adapters (e.g javascript, SpringBoot via OpenID); [extensions](https://www.keycloak.org/extensions.html); [theming extension with React](https://www.keycloakify.dev/); [France Connect connector](https://github.com/InseeFr/Keycloak-FranceConnect)<br>**ADV04:** sponsored by Redhat|**Advantage:** Keycloack's token are digitally signed so the app just need to verify the digital signature without contacting the Keycloak server; Identity brokering; efficient support community and active forums; clear documentation|`OK`|
| [CAS](https://github.com/apereo/cas) |Single sign-on solution<br>**ADV01:** Apache 2.0 licensed<br>**ADV02:** Docker compatible; based on SpringBoot/Cloud; Java 11+ supported; Apache Tomcat used<br>**ADV03:** Java server component; lot of protocols supported (e.g OAuth2, SAML2, OpenID...); authorization via ABAC; delegated authorization (e.g Facebook, Twitter, OpenID connect...); HA clustered deployments via Hazelcast, Ehcache, JPA, Apache Cassandra, Memcached, Apache Ignite, MongoDb, Redis, DynamoDb, Couchbase and more; application registration backed by JSON, MongoDb, Redis and more; multifactor authentication via Duo Security, YubiKey, RSA, Google Authenticator, U2F, WebAuthn and more; administrative UIs; user interface theme and branding; password management and password policy enforcement; Spring Webflow to do script processing of login and logout protocols<br>**ADV04:** project under control by Apereo with announced [roadmap](https://www.apereo.org/projects/cas)|**Disadvantage:** CAS server's token must be verified by contacting the CAS server (so both user and app need to access the CAS server) but [CAS Service Tickets are signed and can be verified](https://apereo.github.io/cas/development/installation/Configure-ServiceTicket-JWT.html) without contacting the CAS Server|`OK`|
| [Apache Syncope](https://syncope.apache.org) |Cross-platform solution for managing digital identities, covering identity management process (provisioning, auditing, reporting, administration, policy management, password management, password policy management)<br>**ADV01:** Apache 2.0 license<br>**ADV02:** implemented in JEE technology<br>**ADV03:** REST API; admin UI; end-user UI web app for self-registration, self-service and password reset; JAX-RS 2.0 RESTful interface to consume services; ConnId for communication with Identity Stores compatible (e.g Google apps, OS, Windows AD, databases) connectors (e.g CSV directory, LDAP, database table, SOAP)|**Disadvantage:** good for integration with complementary IAM sub-systems but need more components for quiakc/easy deployment; risk on complexity and low features implemented by default|`KO`|
| [Gluu](http://gluu.org/) |Identity and access management; Customer Identity and Access, Two-Factor authentication; Identity brokering<br>**ADV01:** Gluu [licensed](https://gluu.org/docs/gluu-server/4.4/#license) (complex about open source components scope)<br>**AD02:** Ubuntu/Debian/centOS/Redhat packages; Kubernetes compatible<br>**ADV03:** OpenID provider (profile, centralized authentication for web/mobile); full FIDO server stack; user managed assess to interact with a person post-authentication (e.g consent); SAML 2.0, OAuth 2.0, SCIM, LDAP, Radius (open source Radius server called Radiator is recommended than very small implementation by default embedded in Gluu) supported; priced cluster manager|**Disadvantage:** doubt on open source licensing with potential risk for CYBNITY customers|`KO`|
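Review bot: the only change to the Keycloak row is the capitalisation of "Single-Sign On"; while touching this row, also fix the typos in its Advantage cell, where `Keycloack's token are digitally signed so the app just need to verify` should read `Keycloak's tokens are digitally signed so the app only needs to verify`, and "Redhat" should be "Red Hat" in the ADV04 entry.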
@@ -324,7 +324,7 @@ The acceptance level per differentiation criteria is evaluated as:
| Keycloak |OK| |OK| | | | |
| PostgreSQL |OK| |OK| | | | |
| Apache Solr | | | | | | | |
| JanusGraph | | | | | | | |
| JanusGraph |OK| |OK| | | | |
| MongoDB | | | | | | | |
| Telegraf Agent | | | | | | | |
| Grafana | | | | | | | |
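Review bot: flipping the JanusGraph acceptance cells to `OK` is unrelated to the Keycloak client dependency management described in the commit message; either mention it in the message or split it into its own commit so the evaluation history of JanusGraph stays traceable.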
7 changes: 4 additions & 3 deletions demonstrators-line/demonstrator-v0/v0-technologies-stack.md
@@ -68,8 +68,8 @@ Should allow definition and test of basic software factory implementation allowi
None supervision requirements required regarding the step of the CYBNITY Foundation project.

# CURRENT MPP OFFICIAL VERSION
- Version: 0.34.0
- Released at: August, 20, 2024
- Version: 0.35.0
- Released at: August, 26, 2024
- Status: `RELEASED`
- Documentation: [technologies-stack-analysis](technologies-stack-analysis.md)
- Deliverables:
@@ -80,7 +80,7 @@ None supervision requirements required regarding the step of the CYBNITY Foundat
<parent>
<groupId>org.cybnity</groupId>
<artifactId>techstack</artifactId>
<version>0.34.0</version>
<version>0.35.0</version>
</parent>

<repositories>
@@ -175,6 +175,7 @@ Presentation of the technologies and frameworks used for implementation of the C
|Vert.x Redis Client|Interactions with Redis messaging system(s)|Extension connector with Redis broker(s)|Java, JSON|Vert.x Core|
|Lettuce Redis Client|Interactions with Redis messaging system(s)|Client library for integration with Redis broker(s)|Java, JSON|JVM|
|JanusGraph Client|Interactions with JanusGraph repository|Client library for integration with JanusGraph (Gremlin server)|Java|JVM|
|Keycloak Client|Interactions with Keycloak SSO server|Client libraries (e.g admin, auth apis) for integration with Keycloak server|Java|JVM|
|Vert.x Kafka Client|Interactions with Kafka messaging system(s)|Client library for integration with Kafka broker(s)|Java, JSON|Vert.x Core|
|Zookeeper Client|Interactions with Zookeeper directory|Client library for access to resources directory (e.g Kafka, Redis brokers)|Java|JVM|
|Redis|Interactions between UI layer's service components|Broker of distributed events, persistence of shared data|Java, JSON|JVM|
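Review bot: the description `Client libraries (e.g admin, auth apis)` is vaguer than the artifacts actually added to the parent pom (`keycloak-admin-client` and `keycloak-authz-client`); name them as the Admin REST API client and the Authorization Services (authz) client so readers do not mistake "auth" for the authentication flow, which those libraries do not implement on their own.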

0 comments on commit 40c89fa