1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
agl-identity-agent
==================
**agl-identity-agent** is an OpenID Connect Identity service/binding
for AGL (Automotive Grade Linux).
Overview
--------
The binding currently reads its configuration from a file.
When an NFC tag is detected, the server is queried to
get the data associated with the key provided (keytoken=...) for
the current vehicle (vin=...). This key is an alfanumeric value
linked to the user.
If this query is successful, the user is considered to be
logged in. An event notifying that a new user logged in, is sent
to the applications that registered an interest (i.e., this is not
a broadcasted event).
The configuration file
----------------------
The configuration file is a JSON file residing in one of the
following places:
- ID/config.json
- /etc/agl/identity-agent-config.json
- CWD/config.json
Where ID is the installation directory and CWD is the
current working directory.
The JSON looks like:
```json
{
"endpoint": "https://agl-graphapi.forgerocklabs.org/getuserprofilefromtoken",
"vin": "4T1BF1FK5GU260429",
"autoadvise": true,
"delay": 5,
"idp": {
"authorization_endpoint": "",
"token_endpoint": "https://agl-am.forgerocklabs.org:8043/openam/oauth2/stateless/access_token"
},
"appli": {
"authorization": "Basic c3RhdGVsZXNzOnBhc3N3b3JkMg==",
"username": "bjensen",
"password": "Passw0rd",
"scope": "openid profile email cn sn givenName ou mail postalAddress departmentNumber physicalDeliveryOfficeName facsimileTelephoneNumber"
}
}
```
Where:
- *delay* is the delay where server request is ignored when a previous request
is started since sthis dealy
- *autoadvise* is a boolean indicating whether the binding must start
the service automatically at initialisation
- *vin* is the vehicule identification number
- *endpoint* is the enpoint to be queried for getting user data
- *idp* describes the OAuth2/OpenId Connect IDP (identity provider)
- *appli* describes the data of the application for the IDP
Not setting *idp* or *appli* implies that no token is queried.
Verbs of API
------------
### agl-identity-agent/subscribe
Subscribes to event notifications.
No argument needed.
### agl-identity-agent/unsubscribe
Unsubscribes from event notifications.
No argument needed.
### agl-identity-agent/fake-login
Test identity agent interface sending login event to interested
parties.
This case allows to isolate the agent from the
agl-service-nfc and oidc interface.
### agl-identity-agent/logout
Logout from the current identity.
No argument needed.
### agl-identity-agent/fake-auth
Test the identity agent functionality without the need for
agl-service-nfc.
### agl-identity-agent/get
Returns the data for the current identity.
No argument needed.
Events of API
-------------
The binding sends the event *agl-identity-agent/event*.
This event signals logins and logouts. It has 2
fields: *eventName* and *accountId*.
For login events, the *eventName* is the string *login*
and the *accountId* is the string identifying the account.
Example of login event:
```json
{
"eventName": "login",
"accountId": "farfoll"
}
```
For login events, the *eventName* is the string *logout*
and the *accountId* is the string *null*.
Example of logout event:
```json
{
"eventName": "logout",
"accountId": "null"
}
```
OAuth2 & OpenId Connect integration
-----------------------------------
When the fields 'appli' and 'idp' are set, the agent uses the
related data to query an access token for accessing the account
data using the flow _Resource Owner Password Credentials Grant_.
|