This is a production deployment guide for deploying the Authority Portal from scratch.
Prerequisites
Technical Skills
Ability to deploy, run and expose containerized applications to the internet.
Ability to configure ingress routes or a reverse proxy of your choice to merge multiple services under a single domain.
Ability to maintain a Keycloak
Dataspace
Each configured Dataspace Deployment Environment must have a running sovity Keycloak DAPS.
Each configured Dataspace Deployment Environment must have a running Logging House.
To make use of the Data Catalog, each configured Dataspace Deployment Environment must have a running Catalog Crawler (based on the sovity EDC Connector) configured.
The respective compatible versions can be found in the CHANGELOG.md.
Third Party
Information about a running instance of the sovity CaaS-Portal is required.
URL of the CaaS-Portal, referred to as [CAAS_PORTAL_FQDN] in this guide.
URL of the Keycloak for authorizing at the CaaS-Portal, referred to as [CAAS_KC_FQDN] in this guide.
Credentials for the CaaS-Portal, referred to as [CAAS_CLIENT_ID] and [CAAS_CLIENT_SECRET] in this guide.
A running instance of Uptime Kuma is required.
This should track the DAPS and Catalog Crawler status. If the Logging House is used, its status should be tracked as well.
The statuses must be available via the API (/metrics endpoint).
The Keycloak container needs the following environment variables:
```yaml
# Variables to set privacy policy and legal notice URLs on Keycloak pages
KEYCLOAK_PRIVACY_POLICY_URL: https://mobility-dataspace.online/privacy-policy-mds-portal
KEYCLOAK_LEGAL_NOTICE_URL: https://mobility-dataspace.eu/legal-notice
```
You need to have a running Keycloak of a compatible version (see CHANGELOG.md).
The domain under which the Keycloak should be reachable on the internet will be referred to as [KC_FQDN] in this guide and should differ from the [AP_FQDN].
The steps to set up the realm are the following:
sovity theme: copy the sovity-theme directory to the {keycloakRoot}/themes/ directory
Import realm.json to create the authority-portal realm
Adjust settings for oauth2-proxy client (Clients > oauth2-proxy > Settings)
Root URL: URL of the auth proxy, e.g. https://authority-portal.example.url
Home URL: (Relative) sign in URL of auth proxy, e.g. /oauth2/sign_in
Valid Redirect URIs: (Relative) callback URL of auth proxy, e.g. /oauth2/callback
Valid post logout redirect URIs: /*
Adjust settings for authority-portal-client client (Clients > authority-portal-client > Settings)
Root URL: URL of the authority portal, e.g. https://authority-portal.example.url
Home URL: (Most likely) same as Root URL
Regenerate client secrets for oauth2-proxy and authority-portal-client clients
The Authority Portal requires a client to register new connector certificates. This client must have the following settings:
Section Authentication flow (Tab Settings)
Everything disabled
Service accounts roles enabled
Tab Client scopes
Add client scope roles as a default scope to the client
Service account roles (Tab Service Account Roles)
realm-management > manage-clients enabled
realm-management > create-client enabled
realm-management > view-clients enabled
realm-management > query-clients enabled
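The certificate-registration client above is a service account holding realm-management roles, so it is worth checking after setup that it has exactly the settings listed and no more. The following added example (not sovity code) builds a Keycloak ClientRepresentation matching the guide and audits an existing client against it. Field names are those of Keycloak's admin REST ClientRepresentation; the admin API paths in fetch_client_roles() are standard Keycloak paths for versions without the /auth prefix, while the realm, FQDN, client ID and admin token are placeholders you must supply.

```python
"""Build and audit the Keycloak client the Authority Portal uses to register
connector certificates (added example, not part of the sovity project)."""
import json
import urllib.parse
import urllib.request

# The realm-management roles the guide requires on the service account, and nothing else.
REQUIRED_REALM_MANAGEMENT_ROLES = {"manage-clients", "create-client", "view-clients", "query-clients"}


def build_cert_client_representation(client_id: str) -> dict:
    """ClientRepresentation matching the guide: every login flow off, service account on."""
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": False,             # confidential client that authenticates with a secret
        "standardFlowEnabled": False,      # "Everything disabled" under Authentication flow
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,
        "serviceAccountsEnabled": True,    # only the client_credentials grant is usable
        "defaultClientScopes": ["roles"],  # 'roles' must be a default client scope
    }


def audit_client(rep: dict, realm_management_roles: set) -> list:
    """Return human-readable findings; an empty list means the client matches the guide."""
    findings = []
    for flow in ("standardFlowEnabled", "implicitFlowEnabled", "directAccessGrantsEnabled"):
        if rep.get(flow):
            findings.append(f"{flow} should be disabled")
    if not rep.get("serviceAccountsEnabled"):
        findings.append("serviceAccountsEnabled must be true")
    if rep.get("publicClient"):
        findings.append("client must be confidential (publicClient=false)")
    if "roles" not in rep.get("defaultClientScopes", []):
        findings.append("'roles' must be a default client scope")
    missing = REQUIRED_REALM_MANAGEMENT_ROLES - realm_management_roles
    extra = realm_management_roles - REQUIRED_REALM_MANAGEMENT_ROLES
    if missing:
        findings.append("missing realm-management roles: " + ", ".join(sorted(missing)))
    if extra:
        # Anything beyond the four roles widens what a leaked client secret can do.
        findings.append("unexpected realm-management roles (least privilege): " + ", ".join(sorted(extra)))
    return findings


def fetch_client_roles(base_url: str, realm: str, admin_token: str, client_id: str):
    """Live lookup against a Keycloak (not executed here). base_url is e.g. https://[KC_FQDN];
    returns (client representation, set of realm-management role names on its service account)."""
    def get(path):
        req = urllib.request.Request(f"{base_url}/admin/realms/{realm}{path}",
                                     headers={"Authorization": f"Bearer {admin_token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    rep = get("/clients?clientId=" + urllib.parse.quote(client_id))[0]
    sa_user = get(f"/clients/{rep['id']}/service-account-user")
    rm_client = get("/clients?clientId=realm-management")[0]
    mappings = get(f"/users/{sa_user['id']}/role-mappings/clients/{rm_client['id']}")
    return rep, {m["name"] for m in mappings}


if __name__ == "__main__":
    # Offline self-check: the representation the guide describes produces no findings.
    print(audit_client(build_cert_client_representation("cert-registration-client"),
                       REQUIRED_REALM_MANAGEMENT_ROLES))
```

Run fetch_client_roles() with an admin token and pass its result to audit_client() after every realm import or Keycloak upgrade; an empty finding list is the expected state.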
Authority Portal Backend
Image: ghcr.io/sovity/authority-portal-backend
Set environment variables according to the following documentation (mandatory, except log level)
```yaml
# Postgres DB Connection
quarkus.datasource.jdbc.url: "jdbc:postgresql://portal-db/authority_portal"
quarkus.datasource.username: "postgres"
quarkus.datasource.password: "postgres"

# Keycloak Client for User IAM
# Base URL of the OIDC server (Keycloak). Must contain the '/realms/{realm}' part of the URL
quarkus.oidc.auth-server-url: "https://[KC_FQDN]/realms/[KC_REALM]"

# Keycloak Admin Client
# Keycloak Admin Client: Server URL
quarkus.keycloak.admin-client.server-url: "https://[KC_FQDN]"
# Keycloak Admin Client: Realm
quarkus.keycloak.admin-client.realm: "[KC_REALM]"
# Keycloak Admin Client: Client ID
quarkus.keycloak.admin-client.client-id: "authority-portal-client"
# Keycloak Admin Client: Client secret
quarkus.keycloak.admin-client.client-secret: "[AP_CLIENT_SECRET]"
# Keycloak Admin Client: Grant type
quarkus.keycloak.admin-client.grant-type: "CLIENT_CREDENTIALS"

# Log level for backend logging (ERROR, INFO, DEBUG, etc). Docs: https://quarkus.io/guides/logging
quarkus.log.level: "INFO"

# CaaS Portal
# CaaS Portal: URL
authority-portal.caas.sovity.url: "https://[CAAS_PORTAL_FQDN]"
# CaaS Portal: OAuth2 Auth server URL
quarkus.oidc-client.sovity.auth-server-url: "https://[CAAS_KC_FQDN]/realms/[CAAS_REALM]"
# CaaS Portal: OAuth2 Client ID
quarkus.oidc-client.sovity.client-id: "[CAAS_CLIENT_ID]"
# CaaS Portal: OAuth2 Client Secret
quarkus.oidc-client.sovity.credentials.secret: "[CAAS_CLIENT_SECRET]"
# Amount of free sovity CaaS per participant
authority-portal.caas.sovity.limit-per-organization: "1"
# Enables the connection (set to false if you don't have the data to fill out the variables above)
quarkus.oidc-client.sovity.client-enabled: true

# Must equal the root URL/home URL from the Keycloak configuration (see above)
authority-portal.base-url: "https://[AP_FQDN]"
# API key to protect config endpoints, like /api/config/log-level
authority-portal.config.api-key: "[AP_CONFIG_API_KEY]"
# Invitation link expiration time in seconds (must equal the value in the Keycloak configuration)
authority-portal.invitation.expiration: "43200"

# Uptime Kuma
# Uptime Kuma URL (/metrics endpoint must be available)
authority-portal.kuma.metrics-url: "https://[UPTIME_KUMA_FQDN]"
# Uptime Kuma API key
authority-portal.kuma.api-key: "[UPTIME_KUMA_API_KEY]"

# Environment Configuration
# - Each Authority Portal can be configured with multiple environments, e.g. test, staging, prod, etc.
# - Following is an example configuration of the "test" environment.
# - Please note that the environment "test" is mandatory.
# Environment Configuration: Metadata
# Title of the deployment environment configuration
authority-portal.deployment.environments.test.title: "Test"
# Order of environments, from 0 (default) to n (least important)
authority-portal.deployment.environments.test.position: "0"

# Environment Data Catalog Settings
# Time after which offline data offers are hidden from the Data Catalog
authority-portal.deployment.environments.test.data-catalog.hide-offline-data-offers-after: "15m"
# Default page size for the Data Catalog
authority-portal.deployment.environments.test.data-catalog.catalog-page-page-size: "10"
# Kuma name for the catalog crawler
authority-portal.deployment.environments.test.data-catalog.kuma-name: broker
# Environment Connector-Dataspace association: allows certain connectors to be associated with partnered dataspaces
# Required: Default Dataspace name
authority-portal.deployment.environments.test.data-catalog.dataspace-names.default: "MDS"
# Optional: Additional connectors to be given a dataspace name
authority-portal.deployment.environments.test.data-catalog.dataspace-names.connector-ids."MDSL1234XX.C1234XX": "Mobilithek"

# Environment DAPS
# Env: DAPS URL
authority-portal.deployment.environments.test.daps.url: "https://[KC_DAPS_FQDN]"
# Env: DAPS realm name
authority-portal.deployment.environments.test.daps.realm-name: "DAPS"
# Env: DAPS Admin Client Client ID
authority-portal.deployment.environments.test.daps.client-id: "authority-portal"
# Env: DAPS Admin Client Client Secret
authority-portal.deployment.environments.test.daps.client-secret: "[DAPS_CLIENT_SECRET]"
# Env: DAPS Kuma name
authority-portal.deployment.environments.test.daps.kuma-name: "[DAPS_KUMA_NAME]"

# Environment Logging House
# Env: Logging House URL
authority-portal.deployment.environments.test.logging-house.url: "https://[LOGGING_HOUSE_FQDN]"
# Env: Logging House Kuma name
authority-portal.deployment.environments.test.logging-house.kuma-name: "[LOGGING_HOUSE_KUMA_NAME]"
```
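The kuma-name values above only work if a monitor of exactly that name exists in Uptime Kuma and its status is exposed on /metrics. The following added example (not sovity code) parses the Prometheus-format /metrics output and reports, per configured key, the monitor status or "missing", so a misspelled name is caught before the portal silently shows the component as unknown. It assumes Uptime Kuma exports the metric monitor_status with a monitor_name label and the values 0=down, 1=up, 2=pending, 3=maintenance, and that the API key is sent as the password of HTTP basic auth with an empty user name; the sample metrics text is constructed for this example.

```python
"""Check that every kuma-name from the backend configuration has a monitor in
Uptime Kuma's /metrics output (added example; not part of the sovity project)."""
import base64
import re
import urllib.request

# Assumed Uptime Kuma encoding of the monitor_status gauge value.
STATUS_NAMES = {"0": "down", "1": "up", "2": "pending", "3": "maintenance"}
# One sample line looks like: monitor_status{monitor_name="broker",monitor_type="http"} 1
SAMPLE_RE = re.compile(r'^monitor_status\{(?P<labels>[^}]*)\}\s+(?P<value>\S+)')
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample standing in for a live /metrics response (not real monitoring data).
SAMPLE_METRICS = """\
# HELP monitor_status Monitor Status (1 = UP, 0= DOWN, 2= PENDING, 3= MAINTENANCE)
# TYPE monitor_status gauge
monitor_status{monitor_name="broker",monitor_type="http",monitor_url="https://crawler.example.test/api/check/health"} 1
monitor_status{monitor_name="daps-test",monitor_type="http",monitor_url="https://daps.example.test"} 0
monitor_status{monitor_name="logging-house-test",monitor_type="http",monitor_url="https://lh.example.test"} 3
"""


def parse_monitor_status(text: str) -> dict:
    """Map monitor_name -> status word, ignoring HELP/TYPE lines and unrelated metrics."""
    statuses = {}
    for line in text.splitlines():
        m = SAMPLE_RE.match(line)
        if not m:
            continue
        labels = dict(LABEL_RE.findall(m.group("labels")))
        name = labels.get("monitor_name")
        if name:
            statuses[name] = STATUS_NAMES.get(m.group("value"), "unknown")
    return statuses


def check_configured_names(statuses: dict, configured: dict) -> dict:
    """For each config key (e.g. 'test.daps.kuma-name') return the monitor's status, or
    'missing' when no monitor of that name exists: the portal cannot report a component
    as healthy if the name is misspelled or the monitor was never created."""
    return {key: statuses.get(name, "missing") for key, name in configured.items()}


def fetch_metrics(metrics_url: str, api_key: str) -> str:
    """Live fetch of https://[UPTIME_KUMA_FQDN]/metrics (not executed here)."""
    token = base64.b64encode(f":{api_key}".encode()).decode()  # empty user, key as password
    req = urllib.request.Request(metrics_url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run over the constructed sample with the kuma-names used in the config above.
    configured = {
        "test.data-catalog.kuma-name": "broker",
        "test.daps.kuma-name": "daps-test",
        "test.logging-house.kuma-name": "logging-house-test",
    }
    print(check_configured_names(parse_monitor_status(SAMPLE_METRICS), configured))
```

Against a real deployment, replace SAMPLE_METRICS with fetch_metrics() output and feed in the kuma-name values of every configured environment; any "missing" entry means either the configuration or the Uptime Kuma monitor needs fixing.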
Optional configuration variables
```yaml
# Organization ID configuration (example: prefix BPN and length 10 would generate IDs in the format BPNL000000000011)
# The 'L' stands for 'Legal' and is added automatically after the prefix; the last 2 characters are the checksum
authority-portal.organization.id.prefix: "BPN"
authority-portal.organization.id.length: "10"
```
Adjusting the log level at runtime
The log level can be changed during runtime via a request to the /api/config/log-level endpoint. The API key is required for this. Example:
```shell
curl -X PUT 'https://authority-portal.example.com/api/config/log-level?level=DEBUG' --header 'x-api-key: uYtR_wNsvXU4EbV9GioACnj!NHML_HRX'
```
Authority Portal Frontend
Image: ghcr.io/sovity/authority-portal-frontend
Set environment variables according to the following list (mandatory)
```yaml
AUTHORITY_PORTAL_FRONTEND_BACKEND_URL: https://[AP_FQDN] # Authority Portal URL
AUTHORITY_PORTAL_FRONTEND_LOGIN_URL: https://[AP_FQDN]/oauth2/start?rd=https%3A%2F%2F[AP_FQDN] # Auth Proxy: Login URL (with redirect to the Authority Portal)
# Following is the URL to signal the Auth Proxy to log out the user.
# Example: https://[AP_FQDN]/oauth2/sign_out?rd=https%3A%2F%2F[KC_FQDN]%2Frealms%2F[KC_REALM]%2Fprotocol%2Fopenid-connect%2Flogout%3Fclient_id%3Doauth2-proxy%26post_logout_redirect_uri%3Dhttps%253A%252F%252F[AP_FQDN]
AUTHORITY_PORTAL_FRONTEND_LOGOUT_URL: (...) # Auth Proxy: Logout URL
AUTHORITY_PORTAL_FRONTEND_INVALIDATE_SESSION_COOKIES_URL: https://[AP_FQDN]/oauth2/sign_out # Auth Proxy: URL to invalidate session cookies
AUTHORITY_PORTAL_FRONTEND_IFRAME_URL: https://news.yourdataspace.com # iFrame URL for the "Home" page, if it is used
AUTHORITY_PORTAL_FRONTEND_LEGAL_NOTICE_URL: https://yourdataspace.com/legal-notice # Legal Notice URL
AUTHORITY_PORTAL_FRONTEND_PRIVACY_POLICY_URL: https://yourdataspace.com/privacy-policy # Privacy policy URL
AUTHORITY_PORTAL_FRONTEND_SUPPORT_URL: https://support.yourdataspace.com # Support page URL
AUTHORITY_PORTAL_FRONTEND_ACTIVE_PROFILE: sovity-open-source # UI branding profile (sovity-open-source or mds-open-source)
AUTHORITY_PORTAL_FRONTEND_DATASPACE_SHORT_NAME: ExDS # Short dataspace name, used in some explanatory texts
AUTHORITY_PORTAL_FRONTEND_PORTAL_DISPLAY_NAME: "Authority Portal" # Portal name displayed in various texts
```
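The logout URL is the one value in this list that is easy to get wrong by hand, because the Keycloak logout URL is carried inside the auth proxy's rd parameter and therefore percent-encoded twice. The following added example (not sovity code) builds the login and logout URLs from [AP_FQDN], [KC_FQDN] and [KC_REALM] and then walks the nested redirects back out to confirm they stay on the portal and the Keycloak host and end on the portal. It assumes, as the guide does, that oauth2-proxy takes the post-login and post-logout target in rd and that the proxy's Keycloak client is named oauth2-proxy; the host names in the self-check are constructed.

```python
"""Build the oauth2-proxy login/logout URLs the frontend needs and verify that the
nested redirects decode back to the portal (added example, not part of the sovity project)."""
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def keycloak_logout_url(kc_fqdn: str, realm: str, ap_fqdn: str, client_id: str = "oauth2-proxy") -> str:
    """Keycloak RP-initiated logout endpoint that sends the browser back to the portal afterwards.
    The portal URL is percent-encoded once here, as a query parameter value."""
    query = urlencode({"client_id": client_id, "post_logout_redirect_uri": f"https://{ap_fqdn}"})
    return f"https://{kc_fqdn}/realms/{realm}/protocol/openid-connect/logout?{query}"


def frontend_login_url(ap_fqdn: str) -> str:
    """AUTHORITY_PORTAL_FRONTEND_LOGIN_URL: start the proxy login, then return to the portal."""
    return f"https://{ap_fqdn}/oauth2/start?rd=" + quote(f"https://{ap_fqdn}", safe="")


def frontend_logout_url(kc_fqdn: str, realm: str, ap_fqdn: str) -> str:
    """AUTHORITY_PORTAL_FRONTEND_LOGOUT_URL: the whole Keycloak logout URL becomes the rd value,
    so it is percent-encoded a second time (hence %253A%252F%252F in the guide's example)."""
    return f"https://{ap_fqdn}/oauth2/sign_out?rd=" + quote(keycloak_logout_url(kc_fqdn, realm, ap_fqdn), safe="")


def redirect_chain(url: str) -> list:
    """Follow rd / post_logout_redirect_uri parameters outward-in; each hop is decoded once."""
    hops = [url]
    while True:
        qs = parse_qs(urlsplit(hops[-1]).query)
        nxt = qs.get("rd") or qs.get("post_logout_redirect_uri")
        if not nxt:
            return hops
        hops.append(nxt[0])


def chain_ends_at_portal(url: str, ap_fqdn: str, kc_fqdn: str) -> bool:
    """Every hop must be on the portal or the Keycloak host, and the final landing page must be
    the portal. A redirect target outside these hosts is a misconfiguration worth catching
    before deployment, since rd-style parameters are a classic open-redirect hazard."""
    hops = redirect_chain(url)
    allowed = {ap_fqdn, kc_fqdn}
    return all(urlsplit(h).netloc in allowed for h in hops) and urlsplit(hops[-1]).netloc == ap_fqdn


if __name__ == "__main__":
    # Constructed host names; substitute your [AP_FQDN], [KC_FQDN] and [KC_REALM].
    ap, kc, realm = "portal.example.test", "kc.example.test", "authority-portal"
    print(frontend_login_url(ap))
    print(frontend_logout_url(kc, realm, ap))
    print(redirect_chain(frontend_logout_url(kc, realm, ap)))
    print(chain_ends_at_portal(frontend_logout_url(kc, realm, ap), ap, kc))
```

Paste the printed logout URL into AUTHORITY_PORTAL_FRONTEND_LOGOUT_URL; the decoded chain should read proxy sign-out, Keycloak logout, portal, with no other host in between.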
Data Catalog Crawlers
The Data Catalog page only displays what is already stored in the portal's database.
Each deployment environment requires a Data Catalog Crawler.
A Data Catalog Crawler is based on the EDC Connector and crawls the catalogs of all connectors in the dataspace.
You will need an SKI/AKI client ID to register the crawler. Please refer to the EDC documentation on how to generate one.
The first user that registers at the portal does not need to be approved and will automatically become an Authority Admin. This means the first registration should be performed by the Dataspace Authority.