Feature: service account auth (#366)

Author: bla-ce

.env.example

@@ -21,5 +21,12 @@ AUTH_KEYCLOAK_CLIENT_ID=ri-app
 AUTH_KEYCLOAK_CLIENT_SECRET=changeme
 AUTH_KEYCLOAK_ISSUER=http://localhost:8080/realms/untp-reference-implementation # TODO: Construct within Next.js
 
+# Service Account Configuration (for machine-to-machine API access)
+# The service account client ID and secret are used to obtain access tokens via client credentials grant
+AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID=ri-service-account
+AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET=service-account-secret
+# Optional: Restrict accepted tokens to a specific audience (leave empty to skip audience validation)
+AUTH_KEYCLOAK_SERVICE_ACCOUNT_AUDIENCE=
+
 DEFAULT_HUMAN_VERIFICATION_URL=http://localhost:3003
 DEFAULT_MACHINE_VERIFICATION_URL=http://localhost:3332/agent/routeVerificationCredential

docker-compose.yml

@@ -31,6 +31,8 @@ services:
       RI_APP_URL: ${RI_APP_URL}
       AUTH_KEYCLOAK_CLIENT_ID: ${AUTH_KEYCLOAK_CLIENT_ID}
       AUTH_KEYCLOAK_CLIENT_SECRET: ${AUTH_KEYCLOAK_CLIENT_SECRET}
+      AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID: ${AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID}
+      AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET: ${AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET}
     volumes:
       - ./keycloak-realms:/keycloak-realms
       - ./initialisation/config.json:/app/config.json:ro

documentation/docs/mock-apps/service-account-authentication.md

@@ -0,0 +1,114 @@
+---
+sidebar_position: 12
+title: Service Account Authentication
+---
+
+import Disclaimer from '../_disclaimer.mdx';
+
+<Disclaimer />
+
+## Overview
+
+The Reference Implementation APIs support two authentication methods:
+
+1. **Session-based authentication** - For interactive users via the web UI (uses OAuth2 authorization code flow)
+2. **Service account authentication** - For automated integrations and machine-to-machine (M2M) access
+
+This guide covers how to configure and use service account authentication for programmatic API access.
+
+## Prerequisites
+
+- Keycloak identity provider running and configured
+- A service account client configured in Keycloak (see [Keycloak Configuration](#keycloak-configuration))
+
+## Keycloak Configuration
+
+The default Keycloak realm includes a pre-configured service account client:
+
+| Property | Value |
+|----------|-------|
+| Client ID | `ri-service-account` |
+| Client Secret | `service-account-secret` |
+| Grant Type | Client Credentials |
+
+:::warning Production Usage
+For production deployments, you should:
+1. Change the default client secret to a secure, randomly generated value
+2. Configure appropriate client scopes and role mappings
+:::
+
+### Creating a Custom Service Account Client
+
+To create a new service account client in Keycloak:
+
+1. Navigate to your Keycloak Admin Console
+2. Select your realm (e.g., `untp-reference-implementation`)
+3. Go to **Clients** → **Create client**
+4. Configure the client:
+   - **Client ID**: Your desired client ID (e.g., `my-integration`)
+   - **Client authentication**: ON
+   - **Authorization**: OFF
+   - **Authentication flow**: Check only "Service accounts roles"
+5. Save the client and note the generated client secret from the **Credentials** tab
+
+## Obtaining an Access Token
+
+Use the OAuth2 client credentials grant to obtain an access token from Keycloak.
+
+### Using cURL
+
+```bash
+# Set your configuration
+KEYCLOAK_URL="http://localhost:8080"
+REALM="untp-reference-implementation"
+CLIENT_ID="ri-service-account"
+CLIENT_SECRET="service-account-secret"
+
+# Request an access token
+curl -X POST "${KEYCLOAK_URL}/realms/${REALM}/protocol/openid-connect/token" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "grant_type=client_credentials" \
+  -d "client_id=${CLIENT_ID}" \
+  -d "client_secret=${CLIENT_SECRET}"
+```
+
+### Response
+
+```json
+{
+  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
+  "expires_in": 300,
+  "refresh_expires_in": 0,
+  "token_type": "Bearer",
+  "not-before-policy": 0,
+  "scope": "profile email roles"
+}
+```
+
+## Calling the API with a Bearer Token
+
+Once you have an access token, include it in the `Authorization` header of your API requests.
+
+### Using cURL
+
+```bash
+# Using the token obtained above
+ACCESS_TOKEN="eyJhbGciOiJSUzI1NiIsInR5cCI..."
+
+# Call the credentials API
+curl -X POST "http://localhost:3003/api/v1/credentials" \
+  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+  -H "Content-Type: application/json" \
+  -d '{}'
+```
+
+## Environment Variables
+
+Configure the following environment variables for service account support:
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `AUTH_KEYCLOAK_ISSUER` | Keycloak realm issuer URL | Required |
+| `AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID` | Service account client ID | `ri-service-account` |
+| `AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET` | Service account client secret | `service-account-secret` |
+| `AUTH_KEYCLOAK_SERVICE_ACCOUNT_AUDIENCE` | Expected token audience (optional) | - |

e2e/cypress/fixtures/keycloak-realm-e2e.json

@@ -61,6 +61,23 @@
       "authorizationServicesEnabled": false,
       "consentRequired": false,
       "defaultClientScopes": ["profile", "email", "roles"]
+    },
+    {
+      "clientId": "ri-service-account-e2e",
+      "name": "E2E Service Account",
+      "description": "Service account client for E2E API testing",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "publicClient": false,
+      "secret": "e2e-service-account-secret",
+      "bearerOnly": false,
+      "standardFlowEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": true,
+      "authorizationServicesEnabled": false,
+      "consentRequired": false,
+      "defaultClientScopes": ["profile", "email", "roles"]
     }
   ]
 }

initialisation/provision-env.ts

@@ -102,11 +102,28 @@ function generateKeycloakRealm(config: ProvisionConfig): KeycloakRealmRepresenta
         authorizationServicesEnabled: false,
         consentRequired: false,
         defaultClientScopes: ["profile", "email", "roles"],
+      },
+      {
+        clientId: process.env.AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID!,
+        enabled: true,
+        protocol: "openid-connect" as const,
+        publicClient: false,
+        secret: process.env.AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET!,
+        redirectUris: [],
+        attributes: {},
+        webOrigins: [],
+        standardFlowEnabled: false,
+        directAccessGrantsEnabled: false,
+        serviceAccountsEnabled: true,
+        authorizationServicesEnabled: false,
+        consentRequired: false,
+        defaultClientScopes: ["profile", "email", "roles"],
       }
     ]
   }
 
   console.log(`  ✓ Client: ${process.env.AUTH_KEYCLOAK_CLIENT_ID}`)
+  console.log(`  ✓ Client: ${process.env.AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID}`)
 
   return realmConfig
 }
@@ -126,7 +143,13 @@ async function main() {
   }
 
   // Validate required environment variables
-  const requiredEnvVars = ['AUTH_KEYCLOAK_CLIENT_ID', 'AUTH_KEYCLOAK_CLIENT_SECRET', 'RI_APP_URL']
+  const requiredEnvVars = [
+    'AUTH_KEYCLOAK_CLIENT_ID', 
+    'AUTH_KEYCLOAK_CLIENT_SECRET', 
+    'RI_APP_URL',
+    'AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID',
+    'AUTH_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET'
+  ]
   const missingEnvVars = requiredEnvVars.filter(varName => !process.env[varName])
 
   if (missingEnvVars.length > 0) {

packages/mock-app/src/lib/auth/token-validator.ts

@@ -0,0 +1,125 @@
+/**
+ * Service Account Token Validator
+ *
+ * Validates Bearer tokens issued by the configured IdP (Keycloak).
+ * Used for machine-to-machine authentication with the API.
+ *
+ * Validates:
+ * - Token signature (using IdP's JWKS)
+ * - Token issuer (must match configured issuer)
+ * - Token audience (must include expected audience)
+ * - Token expiry (must not be expired)
+ */
+
+import * as jose from "jose";
+
+export interface TokenValidationResult {
+  valid: boolean;
+  payload?: jose.JWTPayload;
+  error?: string;
+}
+
+/**
+ * Get JWKS remote key set
+ */
+function getJWKS(issuer: string): jose.JWTVerifyGetKey {
+  const jwksUri = `${issuer}/protocol/openid-connect/certs`;
+
+  return jose.createRemoteJWKSet(new URL(jwksUri));
+}
+
+/**
+ * Validates a Bearer token against the configured IdP.
+ *
+ * @param token - The JWT token to validate (without "Bearer " prefix)
+ * @param options - Validation options
+ * @returns Validation result with payload if successful
+ */
+export async function validateServiceAccountToken(
+  token: string,
+  options?: {
+    issuer?: string;
+    audience?: string;
+  }
+): Promise<TokenValidationResult> {
+  const issuer = options?.issuer ?? process.env.AUTH_KEYCLOAK_ISSUER;
+  const audience = options?.audience ?? process.env.AUTH_KEYCLOAK_SERVICE_ACCOUNT_AUDIENCE;
+
+  if (!issuer) {
+    return {
+      valid: false,
+      error: "IdP issuer not configured",
+    };
+  }
+
+  try {
+    const jwks = getJWKS(issuer);
+
+    const verifyOptions: jose.JWTVerifyOptions = {
+      issuer,
+    };
+
+    // Only validate audience if configured
+    if (audience) {
+      verifyOptions.audience = audience;
+    }
+
+    const { payload } = await jose.jwtVerify(token, jwks, verifyOptions);
+
+    return {
+      valid: true,
+      payload,
+    };
+  } catch (error) {
+    if (error instanceof jose.errors.JOSEError) {
+      switch (error.code) {
+        case "ERR_JWT_EXPIRED":
+          return {
+            valid: false,
+            error: "Token has expired",
+          };
+        case "ERR_JWT_CLAIM_VALIDATION_FAILED":
+          return {
+            valid: false,
+            error: `Token claim validation failed: ${error.message}`,
+          };
+        case "ERR_JWS_SIGNATURE_VERIFICATION_FAILED":
+          return {
+            valid: false,
+            error: "Token signature verification failed",
+          };
+        case "ERR_JWKS_NO_MATCHING_KEY":
+          return {
+            valid: false,
+            error: "No matching key found in JWKS",
+          };
+      }
+    }
+
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "Token validation failed",
+    };
+  }
+}
+
+/**
+ * Extracts the Bearer token from an Authorization header.
+ *
+ * @param authHeader - The Authorization header value
+ * @returns The token without the "Bearer " prefix, or null if invalid
+ */
+export function extractBearerToken(
+  authHeader: string | null
+): string | null {
+  if (!authHeader) {
+    return null;
+  }
+
+  const parts = authHeader.split(" ");
+  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
+    return null;
+  }
+
+  return parts[1];
+}