Role Based Authentication in Edgex #213
Replies: 2 comments
-
@BabutaAniket You could apply Jieke
-
No. The open source version of EdgeX allows for all-or-nothing authentication. You either have a valid token to make an API call or you don't. There is no current proposed fine-grained permission model or authorization model for EdgeX. Note that EdgeX has a formal change request / requirements process, at https://docs.edgexfoundry.org/3.1/design/Process/, by which you can state your case for RBAC and optionally propose architectural changes to enable it.
In EdgeX 3.0, EdgeX microservices validate a JWT token before allowing access; however, they do that by validating it with Vault, which is the built-in token issuer. I feel confident that the community would take a contribution to extend EdgeX configuration to point at a configurable external OIDC-compliant endpoint (such as Keycloak) that serves either a JWKS URI or token introspection endpoint for the purpose of token validation.
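Offline token validation against a JWKS, the kind of check the reply above describes for an external OIDC issuer, as an added example that is not EdgeX code and not part of the discussion. It assumes EdDSA (Ed25519) signing keys to keep the code short; `Validate`, `demoIssuer`, the issuer URL and the `k1` key id are hypothetical, and the key and token are constructed inside the block.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
func dec(s string) []byte { b, _ := b64.DecodeString(s); return b }

// Validate verifies an EdDSA JWT against a JWKS document, then issuer and expiry (now: Unix seconds).
func Validate(tok string, jwksJSON []byte, iss string, now int64) (map[string]any, error) {
	var h struct{ Alg, Kid string }
	var set struct{ Keys []struct{ Kty, Crv, Kid, X string } }
	p := strings.Split(tok, ".")
	if len(p) != 3 || json.Unmarshal(dec(p[0]), &h) != nil || h.Alg != "EdDSA" || json.Unmarshal(jwksJSON, &set) != nil {
		return nil, fmt.Errorf("malformed token, unexpected alg, or bad JWKS") // pinned alg: no "none"/HS256
	}
	for _, k := range set.Keys {
		pub := dec(k.X)
		if k.Kty != "OKP" || k.Crv != "Ed25519" || k.Kid != h.Kid || len(pub) != ed25519.PublicKeySize {
			continue
		}
		var c map[string]any // claims are parsed only after the signature verifies
		ok := ed25519.Verify(pub, []byte(p[0]+"."+p[1]), dec(p[2])) && json.Unmarshal(dec(p[1]), &c) == nil
		if exp, _ := c["exp"].(float64); !ok || c["iss"] != iss || now >= int64(exp) {
			return nil, fmt.Errorf("bad signature, wrong issuer, or expired/missing exp")
		}
		return c, nil
	}
	return nil, fmt.Errorf("no usable JWKS key for kid %q", h.Kid)
}

// demoIssuer stands in for the provider: a JWKS and a signed token from a constructed key.
func demoIssuer(alg string, claims map[string]any) ([]byte, string) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed, demo only
	enc := func(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
	in := enc(map[string]string{"alg": alg, "kid": "k1"}) + "." + enc(claims)
	jwks := `{"keys":[{"kty":"OKP","crv":"Ed25519","kid":"k1","x":"` + b64.EncodeToString(priv.Public().(ed25519.PublicKey)) + `"}]}`
	return []byte(jwks), in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in)))
}

func main() {
	jwks, tok := demoIssuer("EdDSA", map[string]any{"iss": "https://idp.example", "exp": 2000000000})
	fmt.Println(Validate(tok, jwks, "https://idp.example", 1700000000))
}
```

A deployment using RS256 keys would swap the JWK field parsing and the verify call; the algorithm pinning, `kid` lookup and issuer/expiry checks stay the same.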
-
Hello team,
Can we enable Role Based Authentication in EdgeX (e.g., creating different roles like admin, member, user for different users)?
Does EdgeX have its own microservice for Role Based Authentication or does it support any third-party software like Keycloak?
Thanks and Regards,
Aniket