Total downloads: 109 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install iam-integration
Description
Use when integrating a new service with the IAM (Identity and Access Management) system - covers gRPC client setup, JWT token validation, permission checks,...
Usage (SKILL.md)
IAM Integration Guide
Overview
IAM is the central identity service. Services integrate via gRPC (primary) or REST. All resources are scoped by appCode + tenantCode.
Quick Reference
| Need | Method | Endpoint/Service |
|---|---|---|
| Validate JWT token | gRPC | JwtTokenService.validateAccessToken |
| Check permission | gRPC | AuthorizationService.hasPermission |
| Get user by UID | gRPC | AccountService.GetByUid |
| Login | REST | POST /api/v1.0/login/generateTicket |
| Exchange ticket for token | REST | POST /api/v1.0/account/exchangeAuthTicket |
| Get current user | REST | GET /api/v1.0/account/current |
1. gRPC Integration (Recommended)
Dependency
```xml
<dependency>
    <groupId>com.feilun</groupId>
    <artifactId>iam-rich-client</artifactId>
</dependency>
<dependency>
    <groupId>com.feilun</groupId>
    <artifactId>iam-boot-starter</artifactId>
</dependency>
```
Configuration
```yaml
grpc:
  client:
    iam-service:
      address: dns:///iam.${namespace}.svc.cluster.local:9090
      negotiation-type: plaintext
```
Token Validation
```java
@Autowired JwtTokenRichClient jwtTokenClient;

// Validate token (with optional permission check)
ValidateAccessTokenRequest req = ValidateAccessTokenRequest.newBuilder()
    .setAccessToken(token)
    .setAppCode(appCode)
    .setTenantCode(tenantCode)
    // optional: add permission check
    .setPermissionCheck(PermissionCheck.newBuilder()
        .setObject("resource-name")
        .setAct("read")
        .build())
    .build();
ValidateAccessTokenResponse resp = jwtTokenClient.validateAccessToken(req);
// resp.getUid(), resp.getRoleCodesList(), resp.getValid()
```
Permission Check
```java
@Autowired AuthorizationRichClient authClient;

HasPermissionRequest req = HasPermissionRequest.newBuilder()
    .setAppCode(appCode)
    .setTenantCode(tenantCode)
    .setSubject(uid)
    .setObject("resource-name")
    .setAct("write")
    .setSiteCode(siteCode)
    .build();
boolean allowed = authClient.hasPermission(req).getHasPermission();
```
Get Account Info
```java
@Autowired AccountRichClient accountClient;

GetByUidRequest req = GetByUidRequest.newBuilder()
    .setUid(uid).setAppCode(appCode).setTenantCode(tenantCode)
    .build();
AccountProto account = accountClient.getByUid(req).getAccount();
```
2. REST API Integration
Required Headers
| Header | Description |
|---|---|
| X-ACCESS-TOKEN | JWT token |
| X-App | App code |
| X-Tenant | Tenant code |
| X-Uid | User UID (set by gateway) |
| X-IS-MOBILE | true / false |
Auth Filter
Add IamAuthInfoFilter to your service to auto-extract auth context from headers into thread-local.
```java
// Access current user context anywhere in request thread
IamAuthContext ctx = IamAuthContextHolder.get();
String uid = ctx.getUid();
String tenantCode = ctx.getTenantCode();
```
3. Key Data Models
Account: uid, appCode, tenantCode, loginName, email, mobile,
acctStatus(0=inactive,1=active,2=disabled,9=cancelled),
acctType(0=sub,1=main), roleCodes[], siteScope[]
Authorization: subject(uid/role), object(resource), act(read/write/delete),
permitAll(bool), permitTargetId[], permitObjectId[]
4. Multi-tenancy Rules
- Every call must include appCode + tenantCode
- JWT secrets are per-app/tenant (iam_jwt_secret table)
- Permissions are site-scoped: always pass siteCode when checking
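The token-validation call, the REST headers and the multi-tenancy rules above come together in a request filter. The following is an added example, not the project's IamAuthInfoFilter: it assumes a Jakarta Servlet container, a Spring-managed JwtTokenRichClient, and that the IAM classes from iam-rich-client are imported (the page does not give their package). It verifies X-ACCESS-TOKEN against IAM, rejects calls that lack the app/tenant scope, and refuses an X-Uid that disagrees with the validated token instead of trusting the header as received.

```java
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springframework.beans.factory.annotation.Autowired;

// Hypothetical filter (not IamAuthInfoFilter): verifies X-ACCESS-TOKEN through IAM
// before any identity header is trusted, and rejects calls without tenant scope.
public class ValidatedAuthFilter implements Filter {
    @Autowired JwtTokenRichClient jwtTokenClient;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String token = req.getHeader("X-ACCESS-TOKEN");
        String appCode = req.getHeader("X-App");
        String tenantCode = req.getHeader("X-Tenant");
        String claimedUid = req.getHeader("X-Uid"); // gateway-set; verified below, never trusted as-is

        // Multi-tenancy rule: appCode + tenantCode are required on every IAM call.
        if (isBlank(token) || isBlank(appCode) || isBlank(tenantCode)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing X-ACCESS-TOKEN, X-App or X-Tenant");
            return;
        }

        ValidateAccessTokenResponse result = jwtTokenClient.validateAccessToken(
                ValidateAccessTokenRequest.newBuilder()
                        .setAccessToken(token).setAppCode(appCode).setTenantCode(tenantCode)
                        .build());

        // An invalid token, or an X-Uid that disagrees with the token's subject, ends the request here.
        if (!result.getValid() || (claimedUid != null && !claimedUid.equals(result.getUid()))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "token invalid or X-Uid mismatch");
            return;
        }

        // Hand the verified identity downstream as request attributes (attribute names are ours;
        // the page shows IamAuthContextHolder.get() but no public setter).
        req.setAttribute("iam.uid", result.getUid());
        req.setAttribute("iam.roleCodes", result.getRoleCodesList());
        chain.doFilter(request, response);
    }

    private static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }
}
```

Register the filter ahead of any handler that reads X-Uid; site-scoped permission checks still need the separate AuthorizationService.hasPermission call with siteCode.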
5. Common Mistakes
| Mistake | Fix |
|---|---|
| Missing appCode/tenantCode | Always required in every gRPC request |
| Checking permission without siteCode | Pass siteCode for site-scoped resources |
| Calling REST without X-App/X-Tenant headers | Required for all REST calls |
| Using system mvn to build | Use ./mvnw; the project requires Maven 3.8.x via the wrapper |
6. Account Status Reference
| Code | Status |
|---|---|
| 0 | Inactive (pending activation) |
| 1 | Active |
| 2 | Disabled |
| 3 | Locked |
| 8 | Cancellation in progress |
| 9 | Cancelled |
Safe Usage Advice
This instruction-only guide appears coherent and safe as documentation. Before relying on it: ensure your gateway actually enforces and injects X-ACCESS-TOKEN/X-Uid (do not trust client-supplied headers), validate JWT secrets and rotation policies within your own infra, enforce least privilege for any service accounts that call IAM, review the referenced client libraries for supply-chain risk before adding them to builds, and confirm network isolation so only authorized services can reach the IAM endpoints.
Capability Assessment
Purpose & Capability
The name/description say gRPC/REST IAM integration and the SKILL.md contains gRPC client usage, REST endpoints, headers, and data models. It does not request unrelated binaries, credentials, or config paths.
Instruction Scope
The guide stays on-topic (token validation, permission checks, account lookup). It assumes a trusted gateway will set headers like X-Uid/X-ACCESS-TOKEN and recommends using a thread-local IamAuthContext; this is normal for IAM integration but relies on upstream trust — the doc does not instruct reading unrelated files or env vars.
Install Mechanism
No install spec and no code files are present; nothing will be written to disk or downloaded by the skill itself (lowest-risk model).
Credentials
The skill declares no required environment variables or credentials. The content references per-app JWT secrets conceptually but does not request secret keys or other unrelated credentials.
Persistence & Privilege
always:false and no install or persistent components. The skill does not request elevated persistence or to modify other skills or system-wide agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install iam-integration
- After installation, call the Skill by name directly or trigger it with /iam-integration
- Provide the required inputs according to the Skill's parameter description to get structured output
Version History
v1.0.0
Initial release of the iam-integration skill:
- Provides step-by-step integration for new services with IAM, covering both gRPC clients and REST APIs.
- Includes code samples for JWT token validation, permission checks, and account information retrieval.
- Details required configuration for gRPC clients and REST API headers.
- Lists key data models (Account, Authorization) and explains multi-tenancy integration rules.
- Summarizes common integration mistakes and account status codes.
FAQ
What is Iam Integration?
Use when integrating a new service with the IAM (Identity and Access Management) system - covers gRPC client setup, JWT token validation, permission checks,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 109 downloads to date.
How do I install Iam Integration?
Run the command "/install iam-integration" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Iam Integration free?
Yes, Iam Integration is completely free, released under the MIT-0 license, and may be freely downloaded, installed and used.
Which platforms does Iam Integration support?
Iam Integration is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Iam Integration?
Developed and maintained by effort02 (@effort02); the current version is v1.0.0.