- Java 21
- Maven 3+
- Node (nvm)
- Yarn
First install Java 21 with a package manager
and then export the correct the JAVA_HOME. For example on macOS:
export JAVA_HOME=/Library/Java/JavaVirtualMachines/openjdk-21.jdk/Contents/Home/MariaDB and Mailpit in docker for local development
docker compose up -dThen create the MySQL database:
DROP DATABASE IF EXISTS invite;
CREATE DATABASE invite CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci;
CREATE USER 'invite'@'%' IDENTIFIED BY 'secret';
GRANT ALL privileges ON `invite`.* TO 'invite'@'%';Note: for MariaDB COLLATE utf8mb4_0900_ai_ci might not work and can be left out
This project uses Spring Boot and Maven. To run locally, type:
cd server
mvn spring-boot:runInstall client frontend dependencies
cd client
nvm use
yarn installInstall welcome frontend dependencies
cd welcome
nvm use
yarn installRun the client frontend http://localhost:3000
cd client
yarn startRun the welcome frontend http://localhost:4000
cd welcome
yarn startRun the server backend
mvn spring-boot:run -Dspring-boot.run.profiles=dev -Dmaven.test.skip=trueIn the default application.yml the mail host is localhost and the port is 1025. Run mailpit to capture mails.
See https://github.com/axllent/mailpit
https://invite.test.surfconext.nl/ui/swagger-ui/index.html
https://mock.test.surfconext.nl/
https://welcome.test.surfconext.nl/
https://invite.test.surfconext.nl/
If you want to use the mock-provisioning, add the following metadata in Manage.
SCIM:
"provisioning_type": "scim",
"scim_url": "https://mock.test.surfconext.nl/api/scim/v2",
"scim_user": "user",
"scim_password": "secret",
"scim_update_role_put_method": trueeVA
"provisioning_type": "eva",
"eva_token": "secret",
"eva_guest_account_duration": 30
"eva_url": "https://mock.test.surfconext.nl/eva",Graph
"provisioning_type": "graph",
"graph_url": "https://mock.test.surfconext.nl/graph/users",
"graph_client_id" : "client_id",
"graph_domain" : "hartingcollege.onmicrosoft.com",
"graph_secret" : "secret",
"graph_tenant": "tenant"Login with Mujina IdP and user admin to become super-user in the local environment
http://localhost:8888/ui/swagger-ui/index.html
To become an institution admin in invite, add the following values as eduPersonEntitlements using Mujina:
- urn:mace:surfnet.nl:surfnet.nl:sab:organizationGUID:ad93daef-0911-e511-80d0-005056956c1a
- urn:mace:surfnet.nl:surfnet.nl:sab:role:SURFconextverantwoordelijke
https://openconext.github.io/OpenConext-Invite/
There are several security filters in Invite:
- OAuth2 login where the user logs in with OpenIDConnect. Invite is acting as a backend server and cookies are used to identify the user in the security context.
- Access token login where the user has logged in with OpenIDConnect and the client obtained an access token. Invite is acting as a resource server. The API is stateless and for now no token introspects are cached.
- Basic Authentication for voot, teams, aa, profile, deprovision and sp_dashboard endpoints. The API is stateless and the API users are stored in memory. Endpoints are also secured by scope.
- API token header (
X-API-TOKEN) generated for institutional_admins (or super_users) in the GUI. The user stored in the security context is the first user with the same organisational GUID (or super_user) as the user who has generated the token.
The secrets (passwords / API-keys) used in provisionings are encrypted in OpenConext-Manage using keypairs.
openssl genrsa -traditional -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pemopenssl pkcs8 -topk8 -in private_key.pem -inform pem -out private_key_pkcs8.pem -outform pem -nocryptTo build and deploy (the latter requires credentials in your maven settings):
mvn clean deployTo check the pom.xml with the latest versions, run
cd server
mvn versions:display-dependency-updates -DprocessDependencyManagement=false -DdependencyIncludes=*:*To see the latest versions report for the client run
cd client
nvm use
yarn outdatedCRM api calls have been added to enable migration from a legacy application called SAB (SURF Autorisatie Beheer). These api calls are actively used to integrate with the enterprise role administration system.