Status legend: Completed | In Progress | Pending
Phases complete: 1
Current phase: 1 (Phase 9)
Stages planned: 8
Overall progress: 12.5%
🎯 Migration Phases (1-12)
Phase 1: Kickoff & Planning
✅ Complete
Vision & Scope
Define RMT IAM migration goals, architecture, and success criteria
Phase 2: Foundation Setup
✅ Complete
RMT IAM Profile Added
Docker Compose service with PostgreSQL backend
Swagger/OpenAPI Enabled
CloudAPI Swagger endpoint + proxy route
Gateway Navigation
Top menu linking docs, app, API, and RMT IAM admin
Phases 3-8: Features & Hardening
✅ Complete
Phases 3-8 (Historical)
Camera automation, defect detection, 3D fusion, calibration - all completed in v1.5.x
Phase 9: IAM Consolidation
⧗ In Progress
Stage 1: Foundation
RMT IAM service, Swagger, gateway UI, documentation baseline
Stage 2: Dual-Run Bootstrap
✓ RMT IAM running: Admin proxy ready at /auth/admin | Database initialized | Credentials managed per environment
✓ Realm bootstrap: giap realm import with clients, roles, and test users
→ Next: CloudAPI dual-token (legacy JWT + OIDC) and token issuance tests
Stage 3: Client Migration
Platform Management Client → OIDC, legacy Blazor surfaces removed from primary launchers, compatibility support mode
Stage 4: Cutover
Disable legacy auth, promote RMT IAM as primary, all services OIDC
Phase 10: Multi-Tenancy
○ Pending
Tenant Isolation
RMT IAM realm per tenant + tenant-specific data access
Phase 11: Advanced Auth
○ Pending
MFA & Risk Policies
2FA, passwordless, conditional access, bot detection
Phase 12: Integration & Scale
○ Pending
Federation & Operators
IDP federation, edge HA deployment, distributed edge clusters
🎬 Per-Application Migration Tracks
🔐 Platform Management Client
Current State: Keycloak-backed edge-web surface with Core API catalog access
Stage 2-3: OIDC sign-in + CloudAPI provisioning verified
Stage 3: Primary route moved to /iam-client under edge-web
Stage 3: Legacy IAM login dependency removed from the active browser path
Stage 4: Finalize role-aware launcher visibility and remaining internal cleanup
📊 Legacy IAM Retirement
Current State: Legacy IAM and RemoteDashboard compose profiles removed from the supported stack
Stage 2-3: Public launchers cut over to Platform Management Client and Core API
Stage 3: Legacy dashboards no longer exposed as engineering entry points
Stage 4: Compose profiles and gateway rollback routes removed
🌐 All Other Services
Current State: Token validation via IAM or direct calls
Stage 2: RMT IAM OIDC endpoint availability (no app changes yet)
Stage 3-4: Delegate token validation to RMT IAM
Stage 4+: Full OIDC standardization (Federation-ready)
📋 Key Facts & Infrastructure
🗄️ RMT IAM Database
Database: PostgreSQL (shared instance)
Schema: identity-internal
Host: postgres:5432 (container) / 127.0.0.1:5434 (local)
Credentials: Local development only; production credentials are not published in this page
Web Port: 18080 (host) / 8080 (container)
Admin URL: Use the environment-specific Keycloak admin entrypoint or the proxied route at /auth/admin
Realm: giap | OIDC metadata: http://localhost:18080/realms/giap/.well-known/openid-configuration
🚀 Docker Compose Profiles
default: edge-web, cloudapi, engine, postgres
+ai: AI runtime and inference services
+keycloak: RMT IAM OIDC server for browser sign-in and token issuance
included service: motorcontroller (device operations surface) is part of the active stack
+observability: OTel collector, Prometheus, Grafana
🔗 API Endpoints
Swagger: /core-api/swagger (via landing gateway proxy)
RMT IAM OIDC: http://localhost:18080/realms/giap/.well-known/openid-configuration
Token Endpoint: http://localhost:18080/realms/giap/protocol/openid-connect/token
User Info: http://localhost:18080/realms/giap/protocol/openid-connect/userinfo
📌 Next Actions
⧗ Stage 2: Dual-Run Bootstrap (Starting)
1. Start RMT IAM service with compose
2. Bootstrap giap realm + clients + test users
3. Update CloudAPI to validate both HMAC (legacy) + OIDC (new) tokens
4. Test token issuance from RMT IAM
5. Commit Stage 2 work + update this page
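Step 3 is the security-sensitive part of the dual run: CloudAPI has to accept two token formats without letting one path's key verify the other path's tokens. The Go program below is an added example, not CloudAPI code or anything from the RMT IAM project. It assumes the legacy tokens are HS256-signed JWTs over a shared secret, uses placeholder names for the legacy issuer ("cloudapi-legacy"), the audience ("cloudapi"), the key id ("demo-kid") and the secret, and derives the realm issuer from the giap OIDC metadata URL listed above; the realm's JWKS is stood in for by an in-memory map keyed by kid, and the sample tokens are constructed in NewDemo against a fixed clock. The validator picks the trust path from the iss claim and requires the algorithm that path allows, so a token naming the realm issuer but carrying an HMAC signature is refused before any key is consulted.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed names: legacy issuer, audience, HS256 legacy JWT; the realm issuer follows the giap OIDC URL above.
const (
	legacyIssuer = "cloudapi-legacy"
	oidcIssuer   = "http://localhost:18080/realms/giap"
	audience     = "cloudapi"
)
var enc = base64.RawURLEncoding
type Claims struct { // subset of JWT claims checked here; aud kept as a single string
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
// DualValidator accepts legacy HMAC tokens and RMT IAM RS256 tokens side by side. The iss claim picks
// the trust path and the alg header must match it, so an HS256 token naming the realm issuer is refused
// instead of being "verified" with the realm's public key used as an HMAC secret.
type DualValidator struct {
	LegacySecret []byte
	Keys         map[string]*rsa.PublicKey // kid -> key; in production loaded from the realm's JWKS endpoint
	Now          func() int64              // Unix seconds; injectable so tests use a fixed clock
}
func hmacSum(key, in []byte) []byte { m := hmac.New(sha256.New, key); m.Write(in); return m.Sum(nil) }
// decode returns the bytes of one base64url segment, or nil if it is not valid base64url.
func decode(s string) []byte {
	b, err := enc.DecodeString(s)
	if err != nil {
		return nil
	}
	return b
}
// Validate checks the signature on the issuer-selected path, then audience and expiry.
func (v *DualValidator) Validate(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	hdr, c := struct{ Alg, Kid string }{}, Claims{}
	if len(parts) != 3 || json.Unmarshal(decode(parts[0]), &hdr) != nil || json.Unmarshal(decode(parts[1]), &c) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	input, sig := []byte(parts[0]+"."+parts[1]), decode(parts[2])
	switch {
	case c.Iss == legacyIssuer && hdr.Alg == "HS256":
		if !hmac.Equal(hmacSum(v.LegacySecret, input), sig) {
			return nil, fmt.Errorf("legacy HMAC signature invalid")
		}
	case c.Iss == oidcIssuer && hdr.Alg == "RS256":
		key, d := v.Keys[hdr.Kid], sha256.Sum256(input) // key is nil for an unknown kid
		if key == nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, d[:], sig) != nil {
			return nil, fmt.Errorf("RS256 verification failed for kid %q", hdr.Kid)
		}
	default:
		return nil, fmt.Errorf("issuer %q with alg %q is not a trusted combination", c.Iss, hdr.Alg)
	}
	if c.Aud != audience || v.Now() >= c.Exp {
		return nil, fmt.Errorf("audience %q rejected or token expired", c.Aud)
	}
	return &c, nil
}
// mint builds a compact JWT from a constructed header and claims using the given signer.
func mint(header map[string]string, c Claims, sign func([]byte) []byte) string {
	h, _ := json.Marshal(header)
	p, _ := json.Marshal(c)
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(p)
	return input + "." + enc.EncodeToString(sign([]byte(input)))
}
// NewDemo returns a validator with a fixed clock plus constructed tokens: "legacy" and "oidc" must pass;
// "wrong-alg" (names the realm issuer but is HMAC-signed) must fail.
func NewDemo() (*DualValidator, map[string]string) {
	secret, now := []byte("constructed-legacy-secret"), int64(1700000000)
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	hsSign := func(in []byte) []byte { return hmacSum(secret, in) }
	rsSign := func(in []byte) []byte { d := sha256.Sum256(in); s, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:]); return s }
	hs, rs := map[string]string{"alg": "HS256"}, map[string]string{"alg": "RS256", "kid": "demo-kid"}
	v := &DualValidator{LegacySecret: secret, Keys: map[string]*rsa.PublicKey{"demo-kid": &key.PublicKey}, Now: func() int64 { return now }}
	return v, map[string]string{
		"legacy":    mint(hs, Claims{Iss: legacyIssuer, Sub: "legacy-user", Aud: audience, Exp: now + 3600}, hsSign),
		"oidc":      mint(rs, Claims{Iss: oidcIssuer, Sub: "oidc-user", Aud: audience, Exp: now + 3600}, rsSign),
		"wrong-alg": mint(hs, Claims{Iss: oidcIssuer, Sub: "oidc-user", Aud: audience, Exp: now + 3600}, hsSign),
	}
}

func main() {
	v, tokens := NewDemo()
	for name, tok := range tokens {
		c, err := v.Validate(tok)
		fmt.Printf("%-9s claims=%+v err=%v\n", name, c, err)
	}
}
```

Run with `go run`: it prints one line per constructed token, accepting the legacy and RMT IAM tokens and rejecting the mixed one. In the real Stage 2 change the Keys map would be refreshed from the realm's JWKS (certs) endpoint and the legacy secret read from the environment, and the aud claim should be accepted as either a string or an array, which this example does not handle.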