Genero Identity Provider (GIP)
Genero provides its own Identity Provider for securing applications and RESTful web services.
Why would I use the Genero Identity Provider?
With the Genero Identity Provider, you can:
- Secure web applications and web services.
- Manage users and groups.
If you plan to use GIP in an internet-facing way, as opposed to only through your internal network, you need to run penetration tests before going public.
How is security managed?
Security is managed by scopes. You can think of a scope as being a permission. There are two categories of scopes:
- An authorization scope allows access to an application.
- A scope allows access to a web service. The term scope comes from the web service world, where a function uses a scope to secure itself against unauthorized users.
Securing a web service
The Genero Identity Provider can secure RESTful web services. To understand how to secure a web service, you must understand the architecture of a web service, as it relates to permissioning.
Securing an application
- If a scope is required, then a user must have the scope to initially access the application.
- If a scope is optional, the user can initially access the application, even if the user does not have the optional scope. When a user tries to use a protected resource or operation, and that user does not have the necessary scope, the service sends back an error. It is up to the application to handle the error.
Managing user access
- If the user needs to access an application, then they need to have the authorization scope necessary to access the application.
- If an application then interacts with a web service, the user must have the scopes required by that service in order to use the protected resources and operations in that web service. If a scope has been marked as required, the user must have the scope to initially access the application.
Scopes and authorization scopes are often provided via groups. A group is a collection of authorization scopes and scopes. When a user is made a member of a group, that user inherits all authorization scopes and scopes assigned to that group. In addition to inheriting scopes via group membership, users can be granted scopes directly.
Genero Identity Provider server URLs
The Genero Identity Provider is a web service that, once set up, is available when the Genero Application Server (GAS) is started. The DeployGar and GetToken tools used for application deployment via scripts may need to access Genero Identity Provider services on a remote server.
services
group:
https://host:port[/gas]/ws/r/services/GeneroIdentityProvider
https://host:port[/gas]/ws/r/services/GeneroIdentityProvider/.well-known/openid-configuration