Sovereign Cloud Stack at Gaia-X Hackathon #5

Eduard Itrich, Felix Kronlage-Dammers September 28, 2022

As previously, our community engaged in the Gaia-x Hackathon #5 on September 26 – 27, 2022 with an own proposal. The goal of our track was to realize user federation at the infrastructure level with Keycloak via OpenID Connect.

Following the organizers’ recommendation, we joined forces with the team from walt.id, which in the end proved to be a great opportunity and resulted in an interesting use case. After aligning our proposals, we concluded to work together on realizing an SSI-based authentication with Gaia-X compliant Legal Person credentials for the IaaS layer of our reference implementation.

Day 1

The first day of our joint hacking session was organized by the walt.id team which gave us a very good insight into SSI and their open-source technology, i.e. the walt.id SSI Kit, the walt.id Web Wallet and the walt.id IdP Kit. The following figure gives a good overview of how these components act together.

Identity federation via an external identity and access manager. All rights reserved by walt.id GmbH

We created a self-signed Legal Person Credential via the walt.id SSI Kit and subsequently issued a Participant Credential through the Gaia-X Compliance API.

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1",
    "https://w3id.org/security/suites/jws-2020/v1"
  ],
  "credentialSchema": {
    "id": "https://raw.githubusercontent.com/walt-id/waltid-ssikit-vclib/master/src/test/resources/schemas/ParticipantCredential.json",
    "type": "JsonSchemaValidator2018"
  },
  "credentialStatus": {
    "id": "https://gaiax.europa.eu/status/participant-credential#392ac7f6-399a-437b-a268-4691ead8f176",
    "type": "CredentialStatusList2020"
  },
  "credentialSubject": {
    "ethereumAddress": "0x4C84a36fCDb7Bc750294A7f3B5ad5CA8F74C4A52",
    "hasCountry": "GER",
    "hasJurisdiction": "GER",
    "hasLegallyBindingName": "deltaDAO AG",
    "hasRegistrationNumber": "DEK1101R.HRB170364",
    "hash": "9ecf754ffdad0c6de238f60728a90511780b2f7dbe2f0ea015115515f3f389cd",
    "id": "did:web:wallet.walt-test.cloud:api:did-registry:2ede544a02964e2e83a0cbe0a0683bf6",
    "leiCode": "391200FJBNU0YW987L26",
    "parentOrganisation": "",
    "subOrganisation": ""
  },
  "id": "urn:uuid:8d959928-d727-46b7-98af-b89c09b4cfb1",
  "issued": "2022-09-26T10:15:50Z",
  "issuer": "did:web:wallet.walt-test.cloud:api:did-registry:2ede544a02964e2e83a0cbe0a0683bf6",
  "proof": {
    "created": "2022-09-26T10:15:50Z",
    "creator": "did:web:wallet.walt-test.cloud:api:did-registry:2ede544a02964e2e83a0cbe0a0683bf6",
    "jws": "eyJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdLCJhbGciOiJFZERTQSJ9..hMZNpUfax_Wu4PavK3kfYUI00JlqhOdZoWxuzO3dyWABeEFqdvLTkhJEq9nDskiYnYTIa6aWJID9q6yOGeVhDQ",
    "proofPurpose": "assertionMethod",
    "type": "JsonWebSignature2020",
    "verificationMethod": "did:web:wallet.walt-test.cloud:api:did-registry:2ede544a02964e2e83a0cbe0a0683bf6"
  },
  "validFrom": "2022-09-26T10:15:50Z",
  "issuanceDate": "2022-09-26T10:15:50Z",
  "type": [
    "VerifiableCredential",
    "ParticipantCredential"
  ]
}

This VC will be used later to authenticate against our SCS testbed that we’ve prepared the week before.

Day 2

The second day started with a very good discussion about user federation between multiple SCS-compliant cloud offerings. We identified three possible scenarios for Jane Doe:

CSP Alpha (with OpenStack + Keycloak Alpha)
CSP Beta (with OpenStack + Keycloak Beta)
Company ACME Org. with user Jane Doe
- without any IAM (but with an SSI kept in a wallet)
- on own Keycloak of ACME Org.
- on third-party Keycloak SaaS provider

This resulted in the following whiteboard that we sketched during brainstorming.

Brainstorming on the multiple scenarios of user federation with Keycloak

The rest of the day we spent on integrating the walt.id IdP into our Keycloak. Unfortunately we ran into an issue in Keycloak 19.0.1 which prevented us from setting the OIDC Identity Provider Client Authentication to Basic Authentication via the UI.

We decided to change the value clientAuthMethod via kcadm.sh and used the following trick

/opt/jboss/keycloak/bin/kcadm.sh get realms/osism > osism.json
sed -e 's/clientAuth_basic/client_secret_basic/' osism.json > osism2.json
/opt/jboss/keycloak/bin/kcadm.sh create partialImport -r osism -s ifResourceExists=OVERWRITE -o -f osism2.json

Teamworks to succeed

One of the great effects of such an event is that various people collaboratively work together on solving issues. In a joint tmux-session we worked together and each of us was able to bring something to the table to help succeed. While it might initially feel weird to “poke around together at the problem” in a shared session, in the end it will lead to a good outcome as well as a learning experience for everyone.

Finally, we were able to use the Gaia-X compliant Participant Credential we’ve created earlier to authenticate against our Keycloak instance. 🎉

Open questions

We identified several challenges that are still subject to further discussion.

Jane Doe needs so sign in to have an entity on Keycloak Alpha and Keycloak Beta. How will permissions and privileges then be mapped by Keycloak Alpha and Beta without knowing anything about Jane Doe (besides her company)?
CSP have to setup own Keycloaks that have to accept everything from the third party Keycloak provider. Will this find acceptance?
We need to tackle how permissions for Jane Doe are maintained – especially across multiple CSP.

IAM Workshop for R4

Since we’re now starting into the R4 cycle and IAM and federation will be one of the items that will receive further shaping in R4 we will kick this off with a remote workshop on the overall IAM and federation subject on the 11th of october.

Thank you!

The two days of the Gaia-X Hackathon #5 were yet again very interesting and we had a lot of fun spending time together and hacking together. We especially thank the Gaia-X OSS Community for organizing this great opportunity and Phillip, Severin and Kai from walt.id for cooperating with us.

Many thanks also to our community members who participated in our session and contributed their knowledge. You are awesome! 🚀

Join us

Interested in continuing working on user federation? We still have some open challenges to tackle and we invite you to join our open community. Check out our public calendar and participate in our various team meetings.

About the authors

Eduard Itrich

After graduating from university, Eduard was part of a software development team and responsible for the release management of a Linux enterprise distribution. Following up his two-year parental leave, during which he orchestrated his twin daughters rather than continuous deployment pipelines, he became the head of digitalization and IT of the medium-sized town Bühl in southwestern Germany. From 2021 until 2023, Eduard empowered the Sovereign Cloud Stack community as Open Source Community Manager and enjoyed learning from a inspiring team and fellows.

Community profile »

Felix Kronlage-Dammers

Product Owner IaaS & OPS Sovereign Cloud Stack @ Open Source Business Alliance - Bundesverband für digitale Souveränität e.V.

Felix has been building (open source) IT Infrastructure since the late 90s - during high school he helped build and run an ISP specialized in providing UUCP over ssh. Between then and now felix has always been active in various open source development communities (from DarwinPorts, OpenDarwin to OpenBSD and nowadays the Sovereign Cloud Stack). His interests range from monitoring and observability over infrastructure-as-code to building and scaling communities and companies. A technician at heart he enjoys enabling others to do awesome stuff. He is part of the extended board of the OSBA and describes himself as an unix/open source nerd. If not working, doing OSS for fun and (non-)profit or spending time with his family, he is usually found on a road bike.

Community profile »