The Sidecar is responsible for handling all security related operations of the SUASecLab.
For using the SUASecLab, verifiable claims have to be exchanged between applications. E.g. if a user would like to use a virtual machine, she has to prove that she is allowed to use it. The same applies for the other external services. The Sidecar takes care of this. It is the place, where JWT tokens, which are used for authentication, are generated and validated. Other services can ask the Sidecar to issue or validate a token. Furthermore, it is possible to fetch user information (e.g. if the user is an admin) and to decide whether a user is allowed to perform a specific operation or if a special right can be granted to her (e.g. moderator rights in meeting rooms).
In order to run the Sidecar, a container in which it should be running has to be defined first. You can find a corresponding definition in Dockerfile. The Sidecar can only be used with the FOSS reimplementation of the proprietary WorkAdventure administration services and its dependencies (see here) . Furthermore, several environment variables have to be handed over to use the Sidecar container:
DB_USERthe username of the database user.DB_PASSWORDthe password of the corresponding user.DB_HOSTthe hostname of the database service.DB_NAMEthe name of the database to use.JITSI_ISSthe Jitsi issuer name (usuallyjitsi).SECRET_JITSI_KEYthe secret key for signing the Jitsi tokens.JWT_KEYthe secret key for signing all other tokens (the WorkAdventure user tokens).
The sidecar container has to be started together with the admin services containers. The sidecar URL has to be handed over to the php container using the SIDECAR_URL environment variable. By setting the ENABLE_SUAS_EXTENSIONS environment variable to true, the SUASecLab extensions of the administration services can be enabled. This includes handing out tokens to users for authentication on external services when joining the laboratory.
The API routes of the sidecar are defined following the OpenAPI 3.0 standard in the openapi.yaml file. A human-readable version of its content can be generated by pasting its contents into a Swagger Editor instance (online version).
See License.txt