AAA Server
Overview
The AAA Server is a core component of the IUDX-Novo Central Directory Services. It implements the Identity (I), Authorization (A), and Access Management (A/M) interfaces that together form the control plane of the platform.
The AAA Server provides foundational capabilities for:
Identity management
Authentication and authorization
Access control enforcement
Audit logging and compliance
These capabilities ensure that data access across the platform is secure, policy-driven, and auditable.
Identity and Authentication
The Data Exchange (DX) subsystem delivers identity services using Keycloak as the Identity Service Provider (IdP).
Keycloak is a widely adopted open-source Identity and Access Management (IAM) solution, originally developed by Red Hat and now a CNCF project, and provides the features expected of a modern identity system, including:
User and client management
Role and group management
Token issuance and validation
Federation with external identity providers
Authentication Framework
DX authentication is based on the OpenID Connect (OIDC) framework.
All DX services that require authentication rely on the capabilities provided by the underlying Keycloak authentication servers.
OIDC, which is layered on OAuth 2.0, provides standards-compliant authentication for users; machine-to-machine interactions use the OAuth 2.0 client credentials grant, which Keycloak also supports, so both kinds of caller obtain tokens from the same authentication servers.
Authorization and Access Control
DX Authorization services provide fine-grained authorization and access control mechanisms for data resources.
Token-Based Authorization
Access to private and protected non-personal datasets is enforced using JSON Web Tokens (JWTs).
Authorization tokens encapsulate access permissions and are validated by downstream services before access to a resource is granted. A downstream service must check the token's signature against the issuer's published key, its issuer and audience, its expiry, and whether it has been revoked, and only then compare the permissions it carries with the resource and operation being requested.
Authorization APIs
The AAA Server exposes APIs for token lifecycle management, including:
Requesting access tokens
Revoking issued tokens
Auditing token usage and access events
These APIs enable secure and traceable access to data resources across the platform.
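The following is an added example, not IUDX/DX project code, of the token lifecycle the two preceding sections describe from a resource server's point of view: a token is minted with the subject's permissions for one resource, validated (algorithm pinned, signature, issuer, audience, expiry, revocation, resource and scope), revoked by its `jti`, and every validation attempt is written to an audit record. It uses HS256 with a shared secret so that it runs on the standard library alone; a Keycloak realm issues RS256 tokens signed with the key published at its JWKS endpoint, and only the signature step differs. The secret, issuer URL, audience, resource identifiers and the `resource`/`scope` claim names are assumptions for the example. The `forge_alg_none` helper shows the classic `alg: none` downgrade the validator rejects.

```python
"""Token lifecycle as seen by a resource server: mint, validate, revoke, audit.

Added example, not IUDX/DX project code. HS256 with a shared secret is used so the
block runs offline; with Keycloak's RS256 tokens only the signature step changes.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"constructed-demo-secret-do-not-reuse"   # assumption: shared HMAC key
ISSUER = "https://auth.example.org/realms/dx"      # assumption: hypothetical realm URL
AUDIENCE = "rs.example.org"                        # assumption: this resource server's id
CLOCK_SKEW = 30                                    # seconds of leeway on exp

REVOKED = set()   # jti values handed to the (hypothetical) revoke endpoint
AUDIT_LOG = []    # one record per validation attempt, success or failure


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(sub, resource, scope, ttl=300, now=None):
    """Mint a JWT binding the subject to one resource and a list of actions."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "iat": now, "exp": now + ttl,
              "jti": str(uuid.uuid4()), "resource": resource, "scope": list(scope)}
    signing_input = _encode({"alg": "HS256", "typ": "JWT"}) + "." + _encode(claims)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_alg_none(token):
    """Attacker's move: keep the claims, swap in alg=none and an empty signature."""
    _, payload, _ = token.split(".")
    return _encode({"alg": "none", "typ": "JWT"}) + "." + payload + "."


def revoke_token(token):
    """Record the jti so validation fails immediately, ahead of exp."""
    _, payload, _ = token.split(".")
    REVOKED.add(json.loads(_b64url_decode(payload))["jti"])


def validate(token, resource, action, now=None):
    """Resource-server check. Returns (ok, reason); every outcome is audited."""
    now = int(time.time()) if now is None else now
    claims = {}

    def done(ok, reason):
        c = claims if isinstance(claims, dict) else {}
        AUDIT_LOG.append({"ts": now, "sub": c.get("sub"), "jti": c.get("jti"),
                          "resource": resource, "action": action, "ok": ok, "reason": reason})
        return ok, reason

    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:              # bad structure, base64 or JSON
        return done(False, "malformed")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return done(False, "malformed")
    # The verifier pins the algorithm; the token's own alg header is never trusted.
    if header.get("alg") != "HS256":
        return done(False, "bad_alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return done(False, "bad_signature")
    if claims.get("iss") != ISSUER:
        return done(False, "bad_issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return done(False, "bad_audience")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + CLOCK_SKEW:
        return done(False, "expired")
    if claims.get("jti") in REVOKED:
        return done(False, "revoked")
    if claims.get("resource") != resource:
        return done(False, "resource_mismatch")
    scope = claims.get("scope")
    if not isinstance(scope, list) or action not in scope:
        return done(False, "scope_denied")
    return done(True, "ok")


if __name__ == "__main__":
    res = "urn:dx:resource:aqm-001"          # constructed resource id
    tok = issue_token("consumer-1", res, ["read"])
    print(validate(tok, res, "read"))                   # (True, 'ok')
    print(validate(forge_alg_none(tok), res, "read"))   # (False, 'bad_alg')
    revoke_token(tok)
    print(validate(tok, res, "read"))                   # (False, 'revoked')
    for rec in AUDIT_LOG:
        print(rec["reason"], rec["sub"], rec["jti"])
```

The order of checks matters: the algorithm is pinned before the signature is examined, and the signature is verified before any claim is read, so a forged or tampered token never influences a decision. Revocation is consulted after expiry because an expired token does not need to stay in the denylist; in a deployment the `REVOKED` set would be backed by a shared store fed by the revoke API and bounded by token lifetime.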
Policy and Consent Management
In addition to token management, the DX Authorization APIs support policy authoring and consent management capabilities.
Data Providers can use these APIs to:
Create access-control policies
Update existing policies
List and manage policies governing their resources
These policies define who can access specific datasets, under what conditions, and for what purposes, ensuring compliance with governance and consent requirements.
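As an added example, not DX project code, the block below models the policy side of the authorization flow: a provider creates, updates and lists policies over its own resources, and a decision function applies them, default deny, when a consumer requests access for a declared purpose. The policy schema (consumer, resource, permitted actions, permitted purposes, expiry) is an assumption chosen to cover the "who, under what conditions, for what purpose" dimensions named above; the DX APIs' actual policy format is not shown on this page. The decision function is what a token-request endpoint would consult before issuing a token.

```python
"""Provider-authored access policies and a default-deny decision point.

Added example, not DX project code. The Policy fields are an assumed schema.
"""
import itertools
from dataclasses import dataclass, field

_ids = itertools.count(1)
MUTABLE_FIELDS = {"purposes", "expires_at", "actions"}   # consumer and resource are fixed


@dataclass
class Policy:
    provider: str          # owner: only this provider may update or list the policy
    consumer: str          # who: user or client id the grant is for
    resource: str          # which dataset the policy governs
    purposes: frozenset    # for what purpose: declared purposes the consumer may use
    expires_at: int        # condition: unix time after which the grant is void
    actions: frozenset = frozenset({"read"})   # condition: operations granted
    policy_id: int = field(default_factory=lambda: next(_ids))


class PolicyStore:
    def __init__(self):
        self._policies = {}

    def create(self, provider, consumer, resource, purposes, expires_at, actions=("read",)):
        p = Policy(provider, consumer, resource, frozenset(purposes), int(expires_at),
                   frozenset(actions))
        self._policies[p.policy_id] = p
        return p

    def update(self, provider, policy_id, **changes):
        """Ownership is checked first; a provider cannot touch another's policies."""
        p = self._policies.get(policy_id)
        if p is None or p.provider != provider:
            raise PermissionError("policy not found or not owned by this provider")
        for name, value in changes.items():
            if name not in MUTABLE_FIELDS:
                raise ValueError(f"field {name!r} is not updatable")
            setattr(p, name, int(value) if name == "expires_at" else frozenset(value))
        return p

    def list_for_provider(self, provider):
        return [p for p in self._policies.values() if p.provider == provider]

    def decide(self, consumer, resource, action, purpose, now):
        """Default deny: returns (allowed, reason, policy_id).

        Any applicable policy that satisfies every condition grants access;
        otherwise the reason from the last applicable policy is reported.
        """
        reason = "no_policy"
        for p in self._policies.values():
            if p.consumer != consumer or p.resource != resource:
                continue
            if now > p.expires_at:
                reason = "policy_expired"
                continue
            if action not in p.actions:
                reason = "action_not_granted"
                continue
            if purpose not in p.purposes:
                reason = "purpose_not_permitted"
                continue
            return True, "allowed", p.policy_id
        return False, reason, None


if __name__ == "__main__":
    store = PolicyStore()
    res = "urn:dx:resource:aqm-001"   # constructed resource id
    p = store.create("provider-a", "consumer-1", res, ["research"], expires_at=2_000_000_000)
    print(store.decide("consumer-1", res, "read", "research", now=1_700_000_000))
    print(store.decide("consumer-1", res, "read", "marketing", now=1_700_000_000))
    store.update("provider-a", p.policy_id, purposes=["research", "marketing"])
    print(store.decide("consumer-1", res, "read", "marketing", now=1_700_000_000))
```

Purpose is treated as a hard condition rather than metadata: a consumer holding a research grant is refused when it declares a different purpose, which is the property consent-based governance needs. Binding the purpose into the issued token's claims (as in the token example earlier on this page) lets the resource server and the audit trail record not only who accessed a dataset but under which declared purpose.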