Authentication / Authorization
IRS API
The IRS API is secured using API keys (tokens that a client presents when invoking API calls). The IRS identifies an API client by the token carried in the 'X-API-KEY' request header and checks that token against its configuration. API keys are configured through Helm configuration entries; see the Administration Guide for how to do this. Every request to the IRS API requires a valid 'X-API-KEY' header to be authenticated successfully.
Currently, the IRS API supports two roles: 'admin_irs' and 'view_irs'. A valid token with the 'admin_irs' role can access every endpoint exposed by the IRS API, including the policy management API. A valid token with the 'view_irs' role does not have access to the policy endpoints. This behavior is shown in the table below.
Rights and Roles Matrix of IRS

| Category | Action | Endpoint | view_irs | admin_irs |
|---|---|---|---|---|
| Policy Store | Add policy | POST /irs/policies | | x |
| | Get policies | GET /irs/policies | | x |
| | Find policies (paged) | GET /irs/policies/paged | | x |
| | Update policy | PUT /irs/policies/{policyId} | | x |
| | Delete policy | DELETE /irs/policies/{policyId} | | x |
| Aspect models | Get aspect models | GET /irs/aspectmodels | x | x |
| Job processing | Register job | POST /irs/jobs | x | x |
| | Get jobs | GET /irs/jobs | x | x |
| | Get job | GET /irs/jobs/{jobId} | x | x |
| | Cancel job | PUT /irs/jobs/{jobId} | x | x |
| Batch processing | Register order | POST /irs/orders | x | x |
| | Get order | GET /irs/orders/{orderId} | x | x |
| | Cancel order | PUT /irs/orders/{orderId} | x | x |
| | Get batch | GET /irs/orders/{orderId}/batches/{batchId} | x | x |
| Environmental- and Social Standards | Register investigation job | POST /ess/bpn/investigations | x | x |
| | Get investigation job | GET /ess/bpn/investigations/{id} | x | x |
| | Accept notifications | POST /ess/notification/receive | x | x |

Legend: x = full access to all resources
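The header check and role matrix described above, as an added illustration that is not the IRS project's own code: the key values, the `API_KEYS` map and the function names are constructed for this example, and the admin-only list is derived from the policy rows of the matrix.

```python
import hmac
import re
from typing import Optional

# Constructed sample configuration (placeholder values, not real keys).
# In IRS the keys and their roles come from Helm values instead.
API_KEYS = {
    "admin-key-placeholder": "admin_irs",
    "view-key-placeholder": "view_irs",
}

# Policy Store endpoints from the rights matrix: admin_irs only.
ADMIN_ONLY = [
    (method, re.compile(pattern))
    for method, pattern in [
        ("POST", r"^/irs/policies$"),
        ("GET", r"^/irs/policies(/paged)?$"),
        ("PUT", r"^/irs/policies/[^/]+$"),
        ("DELETE", r"^/irs/policies/[^/]+$"),
    ]
]


def role_for_key(presented: Optional[str]) -> Optional[str]:
    """Map a presented X-API-KEY to its role, or None if missing/unknown.

    Every configured key is compared in constant time, so the response
    timing does not reveal how many leading bytes of a guess matched.
    """
    if not presented:
        return None
    matched = None
    for configured, role in API_KEYS.items():
        if hmac.compare_digest(configured.encode(), presented.encode()):
            matched = role
    return matched


def authorize(headers: dict, method: str, path: str) -> int:
    """Return the HTTP status the request should receive: 200, 401 or 403."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    role = role_for_key(lowered.get("x-api-key"))
    if role is None:
        return 401  # no valid key presented: not authenticated
    if role == "admin_irs":
        return 200  # admin_irs may call every endpoint in the matrix
    for m, pattern in ADMIN_ONLY:
        if m == method and pattern.match(path):
            return 403  # view_irs is authenticated but not permitted here
    return 200
```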
IRS as DTR client
The IRS acts as a client for the Digital Twin Registry (DTR), which is secured using OAuth 2.0 / OpenID Connect. The IRS uses the client credentials flow to authenticate its requests to the DTR. As a consequence, the IRS service account needs access to every item in the DTR, regardless of the permissions of the account calling the IRS API.
IRS as decentralized DTR client
In a decentralized network, the IRS uses the EDC client to access the provider's DTR. This way, no authentication other than the EDC contract negotiation is needed to access the DTR.
IRS as EDC client
The IRS accesses the Catena-X network via the EDC consumer connector. This component requires authentication via a Verifiable Credential (VC), which is provided to the EDC via the Managed Identity Wallet.
The VC identifies and authenticates the EDC and is used to acquire access permissions for the data transferred via EDC.
Credentials
Credentials must never be stored in Git!