
Iam Integration

by effort02 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
109 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw: /install iam-integration
Description
Use when integrating a new service with the IAM (Identity and Access Management) system - covers gRPC client setup, JWT token validation, permission checks,...
README (SKILL.md)

IAM Integration Guide

Overview

IAM is the central identity service. Services integrate via gRPC (primary) or REST. All resources are scoped by appCode + tenantCode.

Quick Reference

Need                       Method  Endpoint/Service
Validate JWT token         gRPC    JwtTokenService.validateAccessToken
Check permission           gRPC    AuthorizationService.hasPermission
Get user by UID            gRPC    AccountService.GetByUid
Login                      REST    POST /api/v1.0/login/generateTicket
Exchange ticket for token  REST    POST /api/v1.0/account/exchangeAuthTicket
Get current user           REST    GET  /api/v1.0/account/current

1. gRPC Integration (Recommended)

Dependency

<dependency>
    <groupId>com.feilun</groupId>
    <artifactId>iam-rich-client</artifactId>
</dependency>
<dependency>
    <groupId>com.feilun</groupId>
    <artifactId>iam-boot-starter</artifactId>
</dependency>

Configuration

grpc:
  client:
    iam-service:
      address: dns:///iam.${namespace}.svc.cluster.local:9090
      negotiation-type: plaintext

Token Validation

@Autowired JwtTokenRichClient jwtTokenClient;

// Validate token (with optional permission check)
ValidateAccessTokenRequest req = ValidateAccessTokenRequest.newBuilder()
    .setAccessToken(token)
    .setAppCode(appCode)
    .setTenantCode(tenantCode)
    // optional: add permission check
    .setPermissionCheck(PermissionCheck.newBuilder()
        .setObject("resource-name")
        .setAct("read")
        .build())
    .build();

ValidateAccessTokenResponse resp = jwtTokenClient.validateAccessToken(req);
// Check resp.getValid() first; only then trust resp.getUid() and resp.getRoleCodesList()

Permission Check

@Autowired AuthorizationRichClient authClient;

HasPermissionRequest req = HasPermissionRequest.newBuilder()
    .setAppCode(appCode)
    .setTenantCode(tenantCode)
    .setSubject(uid)
    .setObject("resource-name")
    .setAct("write")
    .setSiteCode(siteCode)
    .build();

boolean allowed = authClient.hasPermission(req).getHasPermission();

Get Account Info

@Autowired AccountRichClient accountClient;

GetByUidRequest req = GetByUidRequest.newBuilder()
    .setUid(uid).setAppCode(appCode).setTenantCode(tenantCode)
    .build();

AccountProto account = accountClient.getByUid(req).getAccount();
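The three gRPC calls above are normally chained for every protected request: validate the token, check the site-scoped permission for the resulting uid, and confirm the account is still active. The following Java class is an added example and is not code from the iam-integration skill or the IAM project. It assumes the iam-rich-client types shown in this guide (JwtTokenRichClient, AuthorizationRichClient, AccountRichClient and their protobuf request/response builders); the IamGuard class, the Decision record, the getAcctStatus() getter on AccountProto, and the ACCT_STATUS_ACTIVE constant (value 1, from the Account Status Reference below) are assumptions for illustration. Every check fails closed, including on gRPC transport errors.

```java
// Added example, not part of the iam-integration skill or the IAM project.
// Imports for the iam-rich-client classes are omitted because the guide does not
// give their package names; io.grpc.StatusRuntimeException is the standard gRPC type.
import io.grpc.StatusRuntimeException;
import org.springframework.stereotype.Component;

@Component
public class IamGuard {

    // acctStatus value meaning "Active" in the Account Status Reference (assumed constant name).
    private static final int ACCT_STATUS_ACTIVE = 1;

    private final JwtTokenRichClient jwtTokenClient;
    private final AuthorizationRichClient authClient;
    private final AccountRichClient accountClient;

    // Constructor injection instead of field @Autowired so the guard is unit-testable with mocks.
    public IamGuard(JwtTokenRichClient jwtTokenClient,
                    AuthorizationRichClient authClient,
                    AccountRichClient accountClient) {
        this.jwtTokenClient = jwtTokenClient;
        this.authClient = authClient;
        this.accountClient = accountClient;
    }

    /** Outcome of one authorization decision; the reason is for server-side logs only. */
    public record Decision(boolean allowed, String uid, String reason) {
        static Decision deny(String reason) { return new Decision(false, null, reason); }
    }

    /**
     * Decide whether the bearer of `token` may perform `act` on `object` within the given
     * app, tenant and site. appCode + tenantCode are required on every IAM call (they select
     * the per-tenant JWT secret); siteCode is required because permissions are site-scoped.
     */
    public Decision authorize(String token, String appCode, String tenantCode,
                              String siteCode, String object, String act) {
        if (token == null || token.isBlank()) return Decision.deny("missing token");
        if (siteCode == null || siteCode.isBlank()) return Decision.deny("siteCode required");
        try {
            // 1. Validate the JWT; uid and roles are only meaningful when getValid() is true.
            ValidateAccessTokenResponse tokenResp = jwtTokenClient.validateAccessToken(
                ValidateAccessTokenRequest.newBuilder()
                    .setAccessToken(token)
                    .setAppCode(appCode)
                    .setTenantCode(tenantCode)
                    .build());
            if (!tokenResp.getValid()) return Decision.deny("invalid token");
            String uid = tokenResp.getUid();

            // 2. Site-scoped permission check with the validated uid as subject.
            boolean permitted = authClient.hasPermission(
                HasPermissionRequest.newBuilder()
                    .setAppCode(appCode)
                    .setTenantCode(tenantCode)
                    .setSubject(uid)
                    .setObject(object)
                    .setAct(act)
                    .setSiteCode(siteCode)
                    .build()).getHasPermission();
            if (!permitted) return Decision.deny("permission denied");

            // 3. A token can outlive a disable/cancel; reject any account that is not Active.
            AccountProto account = accountClient.getByUid(
                GetByUidRequest.newBuilder()
                    .setUid(uid)
                    .setAppCode(appCode)
                    .setTenantCode(tenantCode)
                    .build()).getAccount();
            if (account.getAcctStatus() != ACCT_STATUS_ACTIVE) {
                return Decision.deny("account status " + account.getAcctStatus() + " is not active");
            }
            return new Decision(true, uid, "ok");
        } catch (StatusRuntimeException e) {
            // IAM unreachable or returned an error: fail closed rather than assume allowed.
            return Decision.deny("iam call failed: " + e.getStatus().getCode());
        }
    }
}
```

A controller or interceptor calls `authorize(...)` once per request and maps a denied Decision to 401 (invalid token) or 403 (everything else), logging the reason but not returning it to the client.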

2. REST API Integration

Required Headers

Header          Description
X-ACCESS-TOKEN  JWT token
X-App           App code
X-Tenant        Tenant code
X-Uid           User UID (set by gateway)
X-IS-MOBILE     true / false

Auth Filter

Add IamAuthInfoFilter to your service; it extracts the auth context from the request headers into a thread-local holder automatically.

// Access current user context anywhere in request thread
IamAuthContext ctx = IamAuthContextHolder.get();
String uid = ctx.getUid();
String tenantCode = ctx.getTenantCode();
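For a service that calls the IAM REST API itself rather than receiving gateway-injected headers, the required headers have to be set on every outbound request. The client below is an added example, not code from the iam-integration skill or the IAM project; it uses only the JDK's java.net.http.HttpClient and the header names and endpoint from this guide. The base URL, the IamRestClient class name and the JSON-string return type are assumptions; the guide does not document the response body format.

```java
// Added example, not part of the iam-integration skill or the IAM project.
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

public final class IamRestClient {

    private final HttpClient http = HttpClient.newBuilder()
        .connectTimeout(Duration.ofSeconds(3))
        .build();
    private final URI baseUri;      // e.g. URI.create("https://iam.example.internal/") (assumed)
    private final String appCode;
    private final String tenantCode;

    public IamRestClient(URI baseUri, String appCode, String tenantCode) {
        if (appCode == null || appCode.isBlank() || tenantCode == null || tenantCode.isBlank()) {
            // X-App / X-Tenant are required on every REST call, so refuse to build a client without them.
            throw new IllegalArgumentException("appCode and tenantCode are required");
        }
        this.baseUri = baseUri;
        this.appCode = appCode;
        this.tenantCode = tenantCode;
    }

    /** Build a request carrying the headers every IAM REST call requires. */
    HttpRequest.Builder authed(String path, String accessToken, boolean mobile) {
        if (accessToken == null || accessToken.isBlank()) {
            throw new IllegalArgumentException("access token is required");
        }
        // X-Uid is intentionally not set here: the gateway derives it from the validated
        // token, and a client-supplied value must never be trusted.
        return HttpRequest.newBuilder(baseUri.resolve(path))
            .timeout(Duration.ofSeconds(5))
            .header("X-ACCESS-TOKEN", accessToken)
            .header("X-App", appCode)
            .header("X-Tenant", tenantCode)
            .header("X-IS-MOBILE", Boolean.toString(mobile));
    }

    /** GET /api/v1.0/account/current; returns the raw JSON body (format not specified by the guide). */
    public String currentUserJson(String accessToken, boolean mobile)
            throws IOException, InterruptedException {
        HttpRequest request = authed("/api/v1.0/account/current", accessToken, mobile).GET().build();
        HttpResponse<String> resp = http.send(request, HttpResponse.BodyHandlers.ofString());
        int status = resp.statusCode();
        if (status == 401 || status == 403) {
            // Authentication/authorization failure: surface it distinctly so callers do not retry blindly.
            throw new SecurityException("IAM rejected the token or tenant context (HTTP " + status + ")");
        }
        if (status != 200) {
            throw new IOException("unexpected IAM response HTTP " + status);
        }
        return resp.body();
    }
}
```

The same `authed(...)` builder serves the POST endpoints (generateTicket, exchangeAuthTicket) once their request bodies are known; keeping header construction in one place means a missing X-App or X-Tenant cannot slip into a single call site.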

3. Key Data Models

Account: uid, appCode, tenantCode, loginName, email, mobile,
         acctStatus(0=inactive,1=active,2=disabled,9=cancelled),
         acctType(0=sub,1=main), roleCodes[], siteScope[]

Authorization: subject(uid/role), object(resource), act(read/write/delete),
               permitAll(bool), permitTargetId[], permitObjectId[]

4. Multi-tenancy Rules

  • Every call must include appCode + tenantCode
  • JWT secrets are per-app/tenant (iam_jwt_secret table)
  • Permissions are site-scoped — always pass siteCode when checking

5. Common Mistakes

Mistake                                      Fix
Missing appCode/tenantCode                   Always required in every gRPC request
Checking permission without siteCode         Pass siteCode for site-scoped resources
Calling REST without X-App/X-Tenant headers  Required for all REST calls
Using system mvn to build                    Use ./mvnw; the project requires Maven 3.8.x via the wrapper

6. Account Status Reference

Code  Status
0     Inactive (pending activation)
1     Active
2     Disabled
3     Locked
8     Cancellation in progress
9     Cancelled

Usage Guidance
This instruction-only guide appears coherent and safe as documentation. Before relying on it: ensure your gateway actually enforces and injects X-ACCESS-TOKEN/X-Uid (do not trust client-supplied headers), validate JWT secrets and rotation policies within your own infra, enforce least privilege for any service accounts that call IAM, review the referenced client libraries for supply-chain risk before adding them to builds, and confirm network isolation so only authorized services can reach the IAM endpoints.
Capability Assessment
Purpose & Capability
The name/description say gRPC/REST IAM integration and the SKILL.md contains gRPC client usage, REST endpoints, headers, and data models. It does not request unrelated binaries, credentials, or config paths.
Instruction Scope
The guide stays on-topic (token validation, permission checks, account lookup). It assumes a trusted gateway will set headers like X-Uid/X-ACCESS-TOKEN and recommends using a thread-local IamAuthContext; this is normal for IAM integration but relies on upstream trust — the doc does not instruct reading unrelated files or env vars.
Install Mechanism
No install spec and no code files are present; nothing will be written to disk or downloaded by the skill itself (lowest-risk model).
Credentials
The skill declares no required environment variables or credentials. The content references per-app JWT secrets conceptually but does not request secret keys or other unrelated credentials.
Persistence & Privilege
always:false and no install or persistent components. The skill does not request elevated persistence or to modify other skills or system-wide agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install iam-integration
  3. After installation, invoke the skill by name or use /iam-integration
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the iam-integration skill:
  • Provides step-by-step integration for new services with IAM, covering both gRPC clients and REST APIs.
  • Includes code samples for JWT token validation, permission checks, and account information retrieval.
  • Details required configuration for gRPC clients and REST API headers.
  • Lists key data models (Account, Authorization) and explains multi-tenancy integration rules.
  • Summarizes common integration mistakes and account status codes.
Metadata
Slug iam-integration
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Iam Integration?

Use when integrating a new service with the IAM (Identity and Access Management) system - covers gRPC client setup, JWT token validation, permission checks,... It is an AI Agent Skill for Claude Code / OpenClaw, with 109 downloads so far.

How do I install Iam Integration?

Run "/install iam-integration" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Iam Integration free?

Yes, Iam Integration is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Iam Integration support?

Iam Integration is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Iam Integration?

It is built and maintained by effort02 (@effort02); the current version is v1.0.0.
