Authentication / authorization
Trace-X API
The Trace-X API is secured using OAuth2.0 / Open ID Connect. Every request to the Trace-X API requires a valid bearer token. The JWT token should also contain two claims:
-
'bpn' which is equal to the configuration value from
API_ALLOWED_BPN
property -
'resource_access' with the specific key for C-X environments. The list of values will be converted to roles by Trace-X. Currently, Trace-X API handles three roles: 'User' and 'Supervisor' and 'Admin'.
The roles and their functions are documented in the rights and role matrix in the system overview of the administration guide.
Trace-X as EDC client
The Trace-X accesses the Catena-X network via the EDC consumer connector. This component requires authentication via a Verifiable Credential (VC), which is provided to the EDC via the managed identity wallet.
The VC identifies and authenticates the EDC and is used to acquire access permissions for the data transferred via EDC.
Trusted Port for Internal APIs
A second port, called the trusted port, has been introduced which can only be accessed by internal services within the Kubernetes cluster. This measure is implemented to handle APIs that are difficult to secure and involve several systems and processes. The trusted port ensures that only internal, trusted components can access these sensitive APIs, enhancing overall security.
-
Quality notification callback APIs (receive, update) - called by EDC data plane
-
Endpoint Data Reference callback API - called by EDC control plane
Credentials
Credentials must never be stored in GitHub!