
Ibex Identity Service

The ibex-identity-service is the sole gatekeeper for all interactive sessions on the data platform. It authenticates users, issues tokens, and validates those tokens in real time on behalf of internal services.

Architectural Role

This FastAPI-based Python service listens on port 8090 and is exposed through Traefik to the outside world only on the /auth/* and /users/* routes. Every other service on the platform accepts the JWTs issued here as proof of identity without further checks.

High-Level Working

Multi-Mode Authentication

The identity service reads a single environment variable (IDENTITY_AUTH_MODE) to select its authentication backend at start-up:
  • Local Mode: Uses a persistent SQLite volume (/data/ajna-identity.db) to store usernames, verify passwords, and manage sessions locally during development and staging.
  • Cognito Mode: Delegates credential validation to AWS Cognito (configured with a User Pool ID and Client ID).
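The mode switch described above, as an added example that is not the ibex project's own code. It selects a backend from IDENTITY_AUTH_MODE and fails closed on an unknown mode or on a Cognito configuration missing its pool or client ID. The local backend stores salted PBKDF2 password hashes in SQLite; the Cognito backend holds the configuration and performs the call only when asked to verify. The table layout, the PBKDF2 cost, the IDENTITY_DB_PATH, COGNITO_USER_POOL_ID and COGNITO_CLIENT_ID variable names, and the use of the USER_PASSWORD_AUTH flow are assumptions.

```python
"""Added example, not project code: backend selection from IDENTITY_AUTH_MODE."""
import hashlib
import hmac
import os
import secrets
import sqlite3

PBKDF2_ITERATIONS = 600_000  # assumed cost parameter for the local store


class LocalAuth:
    """Local mode: a users table in a SQLite file such as /data/ajna-identity.db."""

    def __init__(self, db_path):
        self.conn = sqlite3.connect(db_path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS users "
            "(username TEXT PRIMARY KEY, salt BLOB NOT NULL, hash BLOB NOT NULL)"
        )

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)  # per-user random salt
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))
        self.conn.commit()

    def verify(self, username, password):
        row = self.conn.execute(
            "SELECT salt, hash FROM users WHERE username = ?", (username,)
        ).fetchone()
        if row is None:
            # Hash anyway so unknown users cost the same time as known ones.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ITERATIONS)
            return False
        salt, stored = row
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, stored)  # constant-time comparison


class CognitoAuth:
    """Cognito mode: credentials are checked by AWS, nothing is stored locally."""

    def __init__(self, user_pool_id, client_id, region):
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.region = region

    def verify(self, username, password):
        import boto3  # lazy import: only cognito mode needs the AWS SDK

        client = boto3.client("cognito-idp", region_name=self.region)
        try:
            client.initiate_auth(
                ClientId=self.client_id,
                AuthFlow="USER_PASSWORD_AUTH",  # assumed; must be enabled on the app client
                AuthParameters={"USERNAME": username, "PASSWORD": password},
            )
        except (client.exceptions.NotAuthorizedException,
                client.exceptions.UserNotFoundException):
            return False
        return True


def build_authenticator(env=None):
    """Pick the backend from IDENTITY_AUTH_MODE; any misconfiguration is fatal."""
    env = os.environ if env is None else env
    mode = env.get("IDENTITY_AUTH_MODE", "").strip().lower()
    if mode == "local":
        return LocalAuth(env.get("IDENTITY_DB_PATH", "/data/ajna-identity.db"))
    if mode == "cognito":
        pool = env.get("COGNITO_USER_POOL_ID")
        client_id = env.get("COGNITO_CLIENT_ID")
        if not pool or not client_id:
            raise RuntimeError("cognito mode requires COGNITO_USER_POOL_ID and COGNITO_CLIENT_ID")
        # Pool IDs are formatted "<region>_<id>", so the region can be derived if not set.
        region = env.get("AWS_REGION") or pool.split("_", 1)[0]
        return CognitoAuth(pool, client_id, region)
    raise RuntimeError(f"IDENTITY_AUTH_MODE must be 'local' or 'cognito', got {mode!r}")
```

Refusing to start on an empty or unrecognised mode matters more than the happy path: a service that silently fell back to local mode in production would be validating logins against whatever happened to be in the SQLite file.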

The Validator Endpoint

Almost all internal secured APIs (such as the ibex-bi-backend) check each request explicitly against this service. They take the Bearer token from the incoming Authorization header and forward it in a GET /validate call to the identity service.
  • If it returns 200 OK, the internal backend completes the user’s report query.
  • If it returns 401 Unauthorized, the backend rejects the request immediately.
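The check an internal backend performs, as an added example that is not the project's own code. It parses the Authorization header strictly, forwards the token to GET /validate, and maps 200 to allow and 401 to reject as the text describes; it also covers the case the text leaves open, an unreachable validator or any other status, which is treated as a 503 and never as a valid session. The in-cluster hostname, the timeout and the 503 mapping are assumptions; the transport is injectable so the decision logic can be exercised without the service.

```python
"""Added example, not project code: forwarding a bearer token to GET /validate."""
import http.client
from urllib.parse import urlparse

IDENTITY_BASE_URL = "http://ibex-identity-service:8090"  # assumed in-cluster address
VALIDATE_TIMEOUT_S = 2.0  # assumed; keep short so a stalled validator cannot pile up requests


def extract_bearer(authorization):
    """Return the token from an 'Authorization: Bearer <token>' value, else None."""
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    if not token or any(ch.isspace() for ch in token):
        return None
    return token


def http_validate(token):
    """Real transport: GET /validate on the identity service, returning the HTTP status."""
    url = urlparse(IDENTITY_BASE_URL)
    conn_cls = http.client.HTTPSConnection if url.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(url.hostname, url.port, timeout=VALIDATE_TIMEOUT_S)
    try:
        conn.request("GET", "/validate", headers={"Authorization": f"Bearer {token}"})
        return conn.getresponse().status
    finally:
        conn.close()


def check_session(authorization, send=http_validate):
    """Decide whether a request may proceed. Returns (allowed, status, reason).

    Only a 200 from the validator allows the request. A missing or malformed
    header is rejected locally without contacting the validator at all.
    """
    token = extract_bearer(authorization)
    if token is None:
        return False, 401, "missing or malformed bearer token"
    try:
        status = send(token)
    except (OSError, http.client.HTTPException) as exc:
        # Fail closed: an unreachable validator must not become an open door.
        return False, 503, f"identity service unreachable: {exc.__class__.__name__}"
    if status == 200:
        return True, 200, "session valid"
    if status == 401:
        return False, 401, "session rejected by identity service"
    return False, 503, f"unexpected validator status {status}"
```

Because every backend trusts this single answer, the two non-obvious branches are the ones to keep an eye on in review: a 5xx or a timeout from the validator is returned to the caller as 503 rather than being swallowed, and a 3xx is never followed, since a redirect would mean the token is being sent somewhere other than the identity service.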